[Snort-users] A question about taps

Brett, Gary gary.brett at ...13507...
Fri Sep 16 07:52:23 EDT 2005


Thanks guys , I have a far better understanding of this now....it is indeed
a splitter that I have but it was sold to me as a tap, however from my
understanding proper taps don't allow transmitted packets from the monitor
port (which makes sense to keep your sensor "invisible" on the wire) but
this splitter sends and receives everything..

Might be ok for my test environment though

Thanks again

-----Original Message-----
From: Richard Bejtlich [mailto:taosecurity at ...11827...] 
Sent: 16 September 2005 15:36
To: snort-users at lists.sourceforge.net
Cc: gary.brett at ...13507...
Subject: Re: [Snort-users] A question about taps

Gary Brett wrote:

> Just a quick question, I have in my possession a simple little plastic tap
> (basically a little adapter type thing that has 3 RJ48 ports on it, it is
> not a powered device just a little internally wired adapter). After
testing
> it, it does exactly what a tap should do and outputs all traffic it
receives
> on any of the 3 ports to all the other ports.

Hi Gary,

I bet I have a device similar to that in front of me now.  I bought it
at Radio Shack to see how it worked.  I still have the device in the
box because it is worthless for most situations. (I should have
returned it!)  It's item 278-785, "Ethernet 10 Base-T Computer Network
Cable Splitter."  Radio Shack provides the wiring diagram. [0]  A
search for the part number reveals other people found it to be
worthless too.

Alternative solutions are listed here. [1]   

The problem with these systems is the lack of signal regeneration. 
Without power you will have a weaker signal.  Over distance you will
lose frames.

I would not use anything like this in production.  Even a powered hub
is a better solution than this device.  This unpowered splitter is
essentially the same as the do-it-yourself "taps" that are
unfortunately documented elsewhere. [2]

Sincerely,

Richard
http://www.taosecurity.com

[0] http://support.radioshack.com/support_supplies/doc66/66324.pdf
[1] http://www.duxcw.com/digest/Reviews/Network/ats/index.html
[2] http://www.snort.org/docs/tap/




More information about the Snort-users mailing list