Snort mailing list archives
AW: Ethernet Tap
From: "Altrock, Jens" <Jens.Altrock () STADT-NW DE>
Date: Fri, 16 Apr 2004 14:46:10 +0200
First thanks for the answers, and sorry for another dumb question. :-/ I thought about that this thing isn't working that way, but there is anyway a problem concerning that two port solution. I'd need a software that reassembles the network traffic in a way right? For I need both lines (TX and RX) to analyze "special" or more complex attacks. So is there any affordable software that does that? Or is there any solution for that problem? Regards, Jens Altrock -----Ursprüngliche Nachricht----- Von: Matt Kettler [mailto:mkettler () evi-inc com] Gesendet: Donnerstag, 15. April 2004 20:18 An: Altrock, Jens; Snort-Users (E-Mail) Betreff: Re: [Snort-users] Ethernet Tap At 11:13 AM 4/15/2004, Altrock, Jens wrote:
I am searching for a possibility of constructing an ethernet tap, but not like the one found on the snort website where I need to attach two network cards to inspect the whole traffic, but one using one port for a full duplex line. Is that possible and does anyone have some links concerning this topic? Would be nice.
In short, you can't do such a bi-directonal tap into a single ethenet port in a simple way. Such a tap cannot be done in a passive manner and must be a buffered system with memory, and have a lot of electronics.. It would be much cheaper to spend the money on a manageable switch with span port capability. Think about it. You want to feed 100mbit/sec outbound AND 100mbit/sec inbound into a single 100mbit/sec ethernet port. Sorry, you can't do that just by soldering a few wires together. The simple cheap passive tap is simple and cheap because it relies on the fact that you can feed a single 100mbit/sec stream into a 100mbit/sec port pretty easily. So you just dump the inbound into one port, the outbound into another. Poof, instant passive tap, but it requires 2 ethernet cards. ########################################### Diese Nachricht wurde von F-Secure Anti-Virus gescannt. This message has been scanned by F-Secure Anti-Virus. ------------------------------------------------------- This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id70&alloc_id638&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- AW: Ethernet Tap Altrock, Jens (Apr 16)
- Re: AW: Ethernet Tap Matt Kettler (Apr 16)