RE: Passive Tap Help

[Lists <echo () beltrani com>]

On Mon, 2003-12-01 at 10:50, Frank Knobbe wrote:
> On Mon, 2003-12-01 at 09:21, Peters, Michael D. wrote:
> > http://www.snort.org/docs/100Mb_tapping1.pdf is the picture I am
> > referencing. I am looking to decipher the exact pin out of the 100Mb copper
> > tap. It looks like I would have 4 - RJ45 Ethernet jacks in the tap.
...
> Both streams are fed from the cable into the hub (on it's RECEIVE
> lines). Keep in mind that if you monitor a full-duplex connection you
> will encounter packet loss due to collisions. You either need to force
> half-duplex on your monitored connection, or use some switch that can
> guarantee buffering and reassembly of the packets.
...

It may be worth replacing the "switch/spanned port" section with a
second "sniffing interface" to the sensor.  i.e.  One interface sniffs
incomming, the other sniffs outgoing.

I haven't tried this but I expect it could resolve the collision issue
mentioned above. Also, a second NIC would most likely be cheaper and
easier to find than a switch that can be configured as required.

Would anyone with more snort experience care to comment on this? i.e.
Does this break any of the preprocessors?  What impact would it have on
performance?

  - Paul Beltrani




-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?  SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users