Honeypots mailing list archives

Re: reassemble data from TAP

From: ADT <synfinatic () gmail com>
Date: Thu, 14 Oct 2004 12:35:08 -0700

Look at "mergecap".  It comes with Ethereal and will merge your Rx and
Tx streams into a single pcap.

-Aaron


On Thu, 14 Oct 2004 10:17:09 +0600, Vladislav V. Myasnyankin
<mvv () kazna ru> wrote:

Hello,

I want to use Snort (on Linux box)  to analyze network flow to/from
honeynet. But I have some restrictions, especially I can use only Single TAP
(http://www.securicore.ca/critical_taps/singletap/) to connect sensors. This
mean, that I need 2 NIC to receive full stream (one for Rx, one for Tx
pair). I am not sure, if Snort will work well in these conditions, because
each sensor can analyze only half of the stream.
Is there any software solution for Linux to "restore" full stream, direct it
to some pseudo-NIC, then "connect" snort to this pseudo-NIC?



-- 
http://synfin.net/

Current thread:

Honeywall running on SPARC? Lefti (Oct 13)
- Re: Honeywall running on SPARC? Patrick McCarty (Oct 13)
- reassemble data from TAP Vladislav V. Myasnyankin (Oct 14)
  - Re: reassemble data from TAP Richard Windmann (Oct 14)
  - Re: reassemble data from TAP ADT (Oct 14)
  - Re: reassemble data from TAP Kyle Maxwell (Oct 14)
- Re: {Spam?} Honeywall running on SPARC? Haris Koutsouris (Oct 15)
  - Re: {Spam?} Honeywall running on SPARC? Valdis . Kletnieks (Oct 18)
    - Re: {Spam?} Honeywall running on SPARC? Haris Koutsouris (Oct 18)