Snort mailing list archives
Re: Taps and 10/100 hubs
From: Bamm Visscher <bamm.visscher () gmail com>
Date: Wed, 25 Aug 2004 18:23:24 -0500
The intelligent bridge is between 10MB and 100MB traffic. Since your IDS nic is 100MB, it will never see the 10MB traffic being sent to the hub (unless your nic can be forced down to 10MB). Even if you can force the nic to negotiate down to 10MB, every time you see that collision light on the hub go blinky-blink, another packet will be lost to /dev/null, never to be seen again (and since the router/switch passed the packet on w/o problems, don't expect a retransmit). On the positive side, your perf stats will rock ;)

My suggestion would be to take that hub (or better yet get the 10MB only version EN104TP) and put it between the switch and router, and sniff the traffic that way.

Bammkkkk

On Wed, 25 Aug 2004 15:56:55 -0600, Mike Lieberman <mike () netwright net> wrote:
We are still working out how we will be deploying our first IDS server. In all the scenarios discussed, I didn't see the following:

Using the passive tap documented in http://www.snort.org/docs/tap/

    Router <----------------[passive tap]------>switch
           (10Mb,Half-Duplex)  [host, A, B, Host]
                                    /     \
                                   /       \
                                  /         \
                                 /           \
               (10Mb,Half-Duplex)             (10Mb,Half-Duplex)
                                 \           /
                                  \         /
                                   \       /
                                    \     /
                                     \   /
                                      Hub [4 PORT 10/100]
                                      [example, NETGEAR DS104]
                                       |
                                       |
                                   100Mb NIC
                                     Snort

Netgear claims the hub has an "intelligent bridge automatically manages network traffic..." Since two half-duplex feeds are going into the hub and the IDS is connected via a 100Mb NIC, doesn't that solve to a significant extent the collision problem? Since we would only be monitoring the bandwidth coming to and from the router at 10Mb half-duplex, I don't see where we get into buffer issues.

Since I can't believe I have this right, what am I missing?
--
http://sguil.sf.net