[Snort-users] A question about taps

Richard Bejtlich taosecurity at ...11827...
Fri Sep 16 07:37:01 EDT 2005


Gary Brett wrote:

> Just a quick question, I have in my possession a simple little plastic tap
> (basically a little adapter type thing that has 3 RJ48 ports on it, it is
> not a powered device just a little internally wired adapter). After testing
> it, it does exactly what a tap should do and outputs all traffic it receives
> on any of the 3 ports to all the other ports.

Hi Gary,

I bet I have a device similar to that in front of me now.  I bought it
at Radio Shack to see how it worked.  I still have the device in the
box because it is worthless for most situations. (I should have
returned it!)  It's item 278-785, "Ethernet 10 Base-T Computer Network
Cable Splitter."  Radio Shack provides the wiring diagram. [0]  A
search for the part number reveals other people found it to be
worthless too.

Alternative solutions are listed here. [1]   

The problem with these systems is the lack of signal regeneration. 
Without power you will have a weaker signal.  Over distance you will
lose frames.

I would not use anything like this in production.  Even a powered hub
is a better solution than this device.  This unpowered splitter is
essentially the same as the do-it-yourself "taps" that are
unfortunately documented elsewhere. [2]

Sincerely,

Richard
http://www.taosecurity.com

[0] http://support.radioshack.com/support_supplies/doc66/66324.pdf
[1] http://www.duxcw.com/digest/Reviews/Network/ats/index.html
[2] http://www.snort.org/docs/tap/




More information about the Snort-users mailing list