[Snort-users] Can anyone recommend an ethernet tap?

Matt Kettler mkettler at ...4108...
Wed Oct 6 08:33:50 EDT 2004


At 06:24 AM 10/6/2004, Martin Olsson wrote:
>I want to buy an ethernet tap where snort will listen.
>
>A----Tap----B
>       |
>    Sniffer
>
>Criteria:
>* 100Mbps
>* full duplex (not a hub then)
>* the throughput between A and B should be almost the same as using a
>   X-patch cable
>* the sniffer port should see both directions of the traffic (if A and B
>   generate more than 100Mbps together, start dropping packets), I do not
>   want two sniffer ports where one see A->B and the other B->A, I just
>   want one port that mirror B<->B
>
>Maybe the sniffer-port could be 1Gbps, then packets wouldn't have to be
>dropped, but I guess that the price of a gigabit tap is far more than a
>100Mbps one...

With those criteria.. get a managed switch put it in-line and create a span 
port. It's the only practical way to combine up a full-duplex link as a 
tap. You'll add some latency, but overall throughput should be unharmed.

Either that or get a passive tap *AND* a managed switch. This will reduce 
latency, and the link will stay up even if the switch dies. However, 
overall throughput should be the same either way.

Some lower-cost switches with enough management to have port mirroring 
capabilities (I've not tested any of these, but they are a list I had handy) :

Cisco WS-C2950-12 12 ports                      $650
Dlink DES-3226L 24+ 2gig ports          $300
dlink DES-1226G 24 +2 gig ports         $230


All are available at CDW, and those prices are round-numbers from prices I 
got off CDW's website last week.





More information about the Snort-users mailing list