IDS mailing list archives
AW: IDS using Taps & network bridging
From: "Poppi, Sandro" <Sandro.Poppi () wacker com>
Date: Mon, 18 Nov 2002 08:41:24 +0100
Hi Jim, instead of network bridging I used the Channel Bundling feature of Linux. It's documented in /usr/src/linux/Documentation/net/bonding.txt. Maybe you'll give it a shot. Ciao, Sandro
Hi, I'm doing some testing to see how Taps could be implimented in my environment. I've read some information from Snort.org and other sources showing the use of taps in conjunction with a switch. I would like to eliminate the switch for the aggregation and I'm looking for ideas on how to do that. The IDS platform is snort running on Intel with Linux 2.4 Kernel. Ideas I've had so far are: 1. Hub - full duplex issues - scrapped that idea! 2. Bridged network cards - sniffing the bridged interface has been problematic. It works but there seems to be an ARP DoS - any ideas on this would be great! 3. Multi port NIC that has software to aggregate. The only solution I've found for this only has drivers for Windows. I'm open to any suggestions but I'm really interested in the network bridging. What I've done so far is: -Install 3 NICs in my box -Bridged eth1 & eth2 to br0 -started up the bridge -sniffed br0 I see mostly massive amounts of ARP traffic - any help on this would be appreciated. Regards, Jim "Life's tough - but it's a whole lot tougher when your stupid!"
Current thread:
- AW: IDS using Taps & network bridging Poppi, Sandro (Nov 19)