[Snort-users] A question about taps

Ted Kaczmarek tedkaz at ...549...
Fri Sep 16 07:16:27 EDT 2005


On Fri, 2005-09-16 at 14:45 +0100, Brett, Gary wrote:
> Hi there
> 
> Just a quick question, I have in my possession a simple little plastic tap
> (basically a little adapter type thing that has 3 RJ48 ports on it, it is
> not a powered device just a little internally wired adapter). After testing
> it, it does exactly what a tap should do and outputs all traffic it receives
> on any of the 3 ports to all the other ports.
> 
> My question is this, from reading snort mailing list archives and FAQ's,
> people are suggesting that one should invest in a more complex, powered unit
> e.g. Shomiti, Finisar and Netoptics etc costing many hundreds of dollars in
> some cases. I would just like to know why my little plastic $5 gizmo is not
> on that list of recommended items ? Is there something my gizmo does or does
> not do that makes it a bad choice for a SNORT NIDS (even in my small test
> environment). I would really like to know
> 
> 
> Any help on this would be greatly appreciated
> Gary 
> 
> 
The cheaper stuff will be dropping Ethernet frames. As far as using it
for test, you can use tcpdump on the nodes to correlate what is sent
versus received if you suspect frames are being dropped. The taps you
mentioned are are all "Commercial Grade", not critical for a testing
setup, but definitely for a production setup. You will also see huge
performance differences depending on the nic card the snort box is
using, but this is mostly an issue with gigabit today, most of the
server class 100 mbit cards should not have any issues with good
drivers.

Regards,
Ted





More information about the Snort-users mailing list