[Snort-users] Can anyone recommend an ethernet tap?
mkettler at ...4108...
Wed Oct 6 08:33:50 EDT 2004
At 06:24 AM 10/6/2004, Martin Olsson wrote:
>I want to buy an ethernet tap where snort will listen.
>* full duplex (not a hub then)
>* the throughput between A and B should be almost the same as using a
> X-patch cable
>* the sniffer port should see both directions of the traffic (if A and B
> generate more than 100Mbps together, start dropping packets), I do not
> want two sniffer ports where one sees A->B and the other B->A, I just
> want one port that mirrors B<->B
>Maybe the sniffer-port could be 1Gbps, then packets wouldn't have to be
>dropped, but I guess that the price of a gigabit tap is far more than a

With those criteria, get a managed switch, put it in-line, and create a span
port. It's the only practical way to combine up a full-duplex link as a
tap. You'll add some latency, but overall throughput should be unharmed.

Either that or get a passive tap *AND* a managed switch. This will reduce
latency, and the link will stay up even if the switch dies. However,
overall throughput should be the same either way.

Some lower-cost switches with enough management to have port mirroring
capabilities (I've not tested any of these, but they are a list I had handy):

Cisco WS-C2950-12    12 ports            $650
D-Link DES-3226L     24 + 2 gig ports    $300
D-Link DES-1226G     24 + 2 gig ports    $230

All are available at CDW, and those prices are round numbers from prices I
got off CDW's website last week.