Snort mailing list archives
Re: Home-made ethernet TAP
From: Frank Knobbe <frank () knobbe us>
Date: Tue, 19 Aug 2003 03:28:33 +0000
On Tue, 2003-08-19 at 02:59, Nicholas Bachmann wrote:
> > [...] The drawback is that you would need to combine the traffic flow. Using two NICs like you have would work, using a buffered switch might be another approach.
>
> But if you use a switch, wouldn't the packets not be forwarded, since the L2 forwarding table of the switch wouldn't have the sensor's MAC, and the sensor wouldn't respond to an ARP request?

Good catch. Yeah, I think I was having 'span port' in my mind. A cheap Linksys switch wouldn't be able to aggregate the packets, afaik. A switch with monitor/span port would be necessary for the reason you cite (actually, the reason is that the packets aren't even directed at the sensor, so the switch has no reason to pass it on to the sensor. But that's what you mean I think).

Thanks,
Frank