Snort mailing list archives

AW: Ethernet Tap


From: "Altrock, Jens" <Jens.Altrock () STADT-NW DE>
Date: Fri, 16 Apr 2004 14:46:10 +0200

First, thanks for the answers, and sorry for another dumb question. :-/
I thought that this thing isn't working that way, but there is
anyway a problem concerning that two-port solution. I'd need software that
reassembles the network traffic in a way, right? For I need both lines
(TX and RX) to analyze "special" or more complex attacks. So is there any
affordable software that does that? Or is there any solution for that
problem?

Regards,

Jens Altrock

-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com]
Sent: Thursday, 15 April 2004 20:18
To: Altrock, Jens; Snort-Users (E-Mail)
Subject: Re: [Snort-users] Ethernet Tap


At 11:13 AM 4/15/2004, Altrock, Jens wrote:
I am searching for a possibility of constructing an ethernet tap, but not
like the one found on the snort website where I need to attach two network
cards to inspect the whole traffic, but one using one port for a full
duplex line. Is that possible and does anyone have some links concerning
this topic? Would be nice.

In short, you can't do such a bi-directional tap into a single ethernet port
in a simple way. Such a tap cannot be done in a passive manner and must be
a buffered system with memory, and have a lot of electronics. It would be
much cheaper to spend the money on a manageable switch with span port
capability.


Think about it. You want to feed 100mbit/sec outbound AND 100mbit/sec 
inbound into a single 100mbit/sec ethernet port. Sorry, you can't do that 
just by soldering a few wires together.

The simple cheap passive tap is simple and cheap because it relies on the 
fact that you can feed a single 100mbit/sec stream into a 100mbit/sec port 
pretty easily. So you just dump the inbound into one port, the outbound 
into another. Poof, instant passive tap, but it requires 2 ethernet cards.
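
Added example, not part of the original thread: one way to recombine the two halves of a two-NIC passive tap is to merge the RX and TX captures by packet timestamp into a single ordered stream. It assumes both captures are classic libpcap files taken on the same host (so both use the same clock); the function names and the sample frames are constructed for illustration.

```python
import heapq
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap file, microsecond timestamps

def read_pcap(blob, direction):
    """Yield (timestamp_in_microseconds, direction, frame) from a pcap image."""
    if struct.unpack_from("<I", blob, 0)[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack_from(">I", blob, 0)[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(blob):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", blob, offset)
        offset += 16
        frame = blob[offset:offset + incl_len]
        if len(frame) < incl_len:
            break  # truncated last record: stop instead of emitting a partial frame
        offset += incl_len
        yield (sec * 1_000_000 + usec, direction, frame)

def merge_tap(rx_blob, tx_blob):
    """Interleave the two one-way captures into one time-ordered list."""
    return list(heapq.merge(read_pcap(rx_blob, "rx"), read_pcap(tx_blob, "tx"),
                            key=lambda rec: rec[0]))

def make_pcap(records):
    """Build a constructed little-endian pcap image from (sec, usec, frame) tuples."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

# Constructed sample data: placeholder payloads stand in for real Ethernet frames.
RX_CAPTURE = make_pcap([(1, 100, b"SYN-ACK"), (1, 300, b"RESPONSE")])
TX_CAPTURE = make_pcap([(1, 0, b"SYN"), (1, 200, b"ACK")])

if __name__ == "__main__":
    for ts, direction, frame in merge_tap(RX_CAPTURE, TX_CAPTURE):
        print(f"{ts / 1_000_000:.6f} {direction} {frame!r}")
```

The ordering is only as good as the capture timestamps, so packets that arrive on the two NICs within the timestamp resolution of each other may still come out in the wrong relative order.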