Snort mailing list archives
RE: Ethernet Tap
From: "Turnquist,Wayne" <WayneTurnquist () catholichealth net>
Date: Fri, 13 Aug 2004 14:44:08 -0500
I'm new at Snort and thought I had it set up right. I have Snort with 3 interface cards and have 2 Cisco FastHub 400 series, where I have 1 tied to a span port (100 full) off a cat400 for mirroring a router port on one VLAN. I have 1 Snort interface plugged into this hub at 100 full. Should I be setting the span port for the hub at 100 half instead of 100 full? What about the Snort interface, 100 half or full? The other hub is set up like the first but is spanning a different router on a different VLAN.

wt

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Matt Kettler
Sent: Friday, August 13, 2004 2:15 PM
To: STEVE MAKOUSKY; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Ethernet Tap

At 02:31 PM 8/13/2004, STEVE MAKOUSKY wrote:
> Has anyone had any luck using the tap that is described in the Doc area?
I've not used that particular tap, but looking at it the tap should work correctly.
> Are there any instructions out there for building a full duplex tap?
A full-duplex single-port tap, by its very nature, is going to have to contain a considerable amount of electronics, and cannot be a passive device. You can't funnel two 100mbit streams into a single 100mbit port without some packet buffering, re-ordering, etc, so it's going to have to have onboard memory, etc. I'd suggest buying a managed switch with a span port, it's much easier and cheaper than trying this route, or try the interface bonding trick mentioned below.
> If not, is it easy enough to start snort on two nics and log to the same database and handle packet reconstruction that way????
Actually, rather than try to sniff two interfaces, most people create a bonded interface that combines the two, and run snort on that. Recent versions of Linux and *BSD support interface bonding in the kernel.

ie: http://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/ref-guide/s1-networkscripts-interfaces.html#S2-NETWORKSCRIPTS-INTERFACES-CHAN

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
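The point in the quoted reply about funnelling two 100mbit streams into a single 100mbit port, worked through as an added example that is not part of the original thread: a 1 ms queue model of a tap that merges both directions onto one monitor port and counts what the sensor never sees. The 256 KiB buffer size and the traffic profiles are constructed assumptions, not figures for any real tap.

```python
"""Queue model: both directions of a full-duplex link merged onto one monitor port."""

BYTES_PER_MBIT_MS = 125  # 1 Mbit/s sustained for 1 ms equals 125 bytes


def aggregate(ticks, out_mbps=100, buffer_bytes=256 * 1024):
    """Merge two traffic directions onto a single monitor port.

    ticks: list of (a_to_b_mbps, b_to_a_mbps) tuples, one per millisecond.
    out_mbps: line rate of the monitor port feeding the sensor.
    buffer_bytes: onboard packet memory (0 models a device with no buffering).
    Returns offered, dropped and peak-buffered byte counts.
    """
    drain = out_mbps * BYTES_PER_MBIT_MS  # bytes the monitor port sends per ms
    backlog = offered = dropped = peak = 0
    for a_to_b, b_to_a in ticks:
        arriving = (a_to_b + b_to_a) * BYTES_PER_MBIT_MS
        offered += arriving
        # Whatever the port cannot send this millisecond must wait in memory.
        backlog = max(0, backlog + arriving - drain)
        if backlog > buffer_bytes:
            # Memory exhausted: the excess is lost before the sensor sees it.
            dropped += backlog - buffer_bytes
            backlog = buffer_bytes
        peak = max(peak, backlog)
    return {"offered": offered, "dropped": dropped, "peak_backlog": peak}


# Constructed one-second traffic profiles (Mbit/s in each direction).
STEADY = [(40, 40)] * 1000                        # 80 Mbit/s combined
SHORT_BURST = [(100, 100)] * 10 + [(10, 10)] * 990  # 10 ms at full duplex rate
LONG_BURST = [(100, 100)] * 50 + [(10, 10)] * 950   # 50 ms at full duplex rate

if __name__ == "__main__":
    cases = [
        ("steady, 256 KiB buffer", STEADY, 256 * 1024),
        ("10 ms burst, 256 KiB buffer", SHORT_BURST, 256 * 1024),
        ("10 ms burst, no buffer", SHORT_BURST, 0),
        ("50 ms burst, 256 KiB buffer", LONG_BURST, 256 * 1024),
    ]
    for name, profile, buf in cases:
        r = aggregate(profile, buffer_bytes=buf)
        pct = 100.0 * r["dropped"] / r["offered"]
        print(f"{name}: dropped {r['dropped']} of {r['offered']} bytes "
              f"({pct:.1f}%), peak backlog {r['peak_backlog']} bytes")
```

Any dropped bytes are traffic the IDS never inspects, which is why capturing each direction on its own interface and bonding them avoids the bottleneck the merged port creates.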