IDS mailing list archives
Re: Critical Tap Device vs Homebrew Tap
From: Richard Bejtlich <richard_bejtlich () yahoo com>
Date: Mon, 2 Feb 2004 21:53:00 -0800 (PST)
Hello,

I posted a response to a thread like this to snort-users last month:

http://www.mcabee.org/lists/snort-users/Jan-04/msg00197.html

When you buy a tap you are buying a piece of networking infrastructure suitable for serving customers in a reliable manner. When you build your own device you are acting more like an amateur radio operator who creates gear for personal use. (Amateur radio operator here -- no flames please.)

Homebrew "taps" may suffer these problems:

1. No signal regeneration. There is no such thing as an "Ethernet Y cable." If you're "copying" the signal elsewhere you're not sending as much electricity where it needs to go to support communication. This is not as big an issue over short distances, but longer cable lengths increase your risk of line errors and ultimately line failure. Professional taps like those made by www.netoptics.com offer two power supplies, showing the importance of signal regeneration. (Even if both power supplies fail, the tap keeps passing packets -- although monitoring ends when the power does.)

2. Poor line quality. UTP supports Ethernet because the cable is twisted in a specific manner to reduce crosstalk. When you untwist too much to wire your homebrew device the line quality decreases.

3. Auto-negotiation or communication failure. Some devices may not like the signal or lack of signal present in homebrew devices.

If you think a homebrew device is a good idea, why not install a hub? Taps are good because they preserve full-duplex links. (They also show low-level errors, unlike SPAN ports.) If you can't afford a tap, you may find a $50 Netgear 10/100 hub is good enough to meet your needs. In a pinch I've used 10/100 hubs on 40+ Mbps links with an acceptable level of collisions.

Taps like the new NetOptics port aggregator also help solve the "two output" problem. This new tap provides 1 MB RAM for each TX line to deal with traffic bursts exceeding 100 Mbps, unlike a competitor's product which "handles" the issue by dropping packets from the start.

http://www.netoptics.com/products/product_family_details.asp?cid=1&pid=3&Section=products&menuitem=1

Sincerely,

Richard Bejtlich
http://www.taosecurity.com
Current thread:
- Critical Tap Device vs Homebrew Tap jose b. chua (Feb 02)
- <Possible follow-ups>
- Re: Critical Tap Device vs Homebrew Tap Richard Bejtlich (Feb 02)
- RE: Critical Tap Device vs Homebrew Tap jose b. chua (Feb 05)