Snort mailing list archives

RE: Passive Tap Help

From: Frank Knobbe <frank () knobbe us>
Date: Mon, 01 Dec 2003 10:02:24 -0600

On Mon, 2003-12-01 at 09:50, Frank Knobbe wrote:

For reference, pins 1 and 2 are SEND lines from a device point of view
(and RECEIVE lines into a hub/switch). Pins 3 and 6 are RECEIVE lines
from a device point of view. 

Both streams are fed from the cable into the hub (on it's RECEIVE
lines).


BTW: Keep in mind that you can probably not just tack those "tap" lines
into the other cable with a simple solder joint and run it into a third
cable segment. You will mess up the dynamics of this cable to the point
where you will probably loose data. Taps use electronics to get around
that. Three-forked cable have some interesting dynamic properties.
Reflection and resonance and such are way different and on a single
strand of wire.

So for home made stuff, I suggest one of the two (or three) read-only
cables. In theory they move the hub to the top of the drawing and use a
single munged cable to feed the IDS. The hub with its electronics will
ensure a clean "tap" into the sniffed segment.

Cheers,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part

Current thread:

Passive Tap Help Peters, Michael D. (Dec 01)
- Re: Passive Tap Help Frank Knobbe (Dec 01)
- <Possible follow-ups>
- RE: Passive Tap Help Peters, Michael D. (Dec 01)
  - RE: Passive Tap Help Lists (Dec 01)
  - RE: Passive Tap Help Frank Knobbe (Dec 01)
    - RE: Passive Tap Help Frank Knobbe (Dec 01)
    - RE: Passive Tap Help Lists (Dec 01)
    - RE: Passive Tap Help Frank Knobbe (Dec 01)
    - RE: Passive Tap Help Frank Knobbe (Dec 01)
    - RE: Passive Tap Help Dirk Geschke (Dec 01)
    - RE: Passive Tap Help Frank Knobbe (Dec 01)
    - RE: Passive Tap Help Frank Knobbe (Dec 03)
  - Re: Passive Tap Help kenw (Dec 01)
    - Re: Passive Tap Help Jeff Nathan (Dec 01)
    - Re: Passive Tap Help Frank Knobbe (Dec 01)
    - Re: Passive Tap Help Jeff Nathan (Dec 02)