Snort mailing list archives
Re: Can anyone recommend an ethernet tap?
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 06 Oct 2004 11:31:26 -0400
At 06:24 AM 10/6/2004, Martin Olsson wrote:
> I want to buy an ethernet tap where snort will listen.
>
> A----Tap----B
>       |
>    Sniffer
>
> Criteria:
> * 100Mbps
> * full duplex (not a hub then)
> * the throughput between A and B should be almost the same as using an X-patch cable
> * the sniffer port should see both directions of the traffic (if A and B generate more than 100Mbps together, start dropping packets), I do not want two sniffer ports where one sees A->B and the other B->A, I just want one port that mirrors B<->B
>
> Maybe the sniffer-port could be 1Gbps, then packets wouldn't have to be dropped, but I guess that the price of a gigabit tap is far more than a 100Mbps one...

With those criteria, get a managed switch, put it in-line, and create a span port. It's the only practical way to combine up a full-duplex link as a tap. You'll add some latency, but overall throughput should be unharmed.
Either that or get a passive tap *AND* a managed switch. This will reduce latency, and the link will stay up even if the switch dies. However, overall throughput should be the same either way.
Some lower-cost switches with enough management to have port mirroring capabilities (I've not tested any of these, but they are a list I had handy):

Cisco WS-C2950-12    12 ports            $650
D-Link DES-3226L     24 + 2 gig ports    $300
D-Link DES-1226G     24 + 2 gig ports    $230

All are available at CDW, and those prices are round-numbers from prices I got off CDW's website last week.