IDS mailing list archives

Re: Critical Tap Device vs Homebrew Tap


From: Richard Bejtlich <richard_bejtlich () yahoo com>
Date: Mon, 2 Feb 2004 21:53:00 -0800 (PST)

Hello,

I posted a response to a thread like this to
snort-users last month:

http://www.mcabee.org/lists/snort-users/Jan-04/msg00197.html

When you buy a tap you are buying a piece of
networking infrastructure suitable for serving
customers in a reliable manner.  When you build your
own device you are acting more like an amateur radio
operator who creates gear for personal use.  (Amateur
radio operator here -- no flames please.)

Homebrew "taps" may suffer these problems:

1.  No signal regeneration.  There is no such thing as
an "Ethernet Y cable."  If you're "copying" the signal
elsewhere you're not sending as much electricity where
it needs to go to support communication.  This is not
as big an issue over short distances, but longer cable
lengths increase your risk of line errors and
ultimately line failure.  Professional taps like those
made by www.netoptics.com offer two power supplies,
showing the importance of signal regeneration.  (Even
if both power supplies fail, the tap keeps passing
packets -- although monitoring ends when the power
does.)

2.  Poor line quality.  UTP supports Ethernet because
the cable is twisted in a specific manner to reduce
crosstalk.  When you untwist too much to wire your
homebrew device the line quality decreases.

3.  Auto-negotiation or communication failure.  Some
devices may not like the signal or lack of signal
present in homebrew devices.  

If you think a homebrew device is a good idea, why not
install a hub?  Taps are good because they preserve
full-duplex links.  (They also show low-level errors,
unlike SPAN ports.)  If you can't afford a tap, you
may find a $50 Netgear 10/100 hub is good enough to
meet your needs.  In a pinch I've used 10/100 hubs on
40+ Mbps links with an acceptable level of collisions.

Taps like the new NetOptics port aggregator also help
solve the "two output" problem.  This new tap provides
1 MB RAM for each TX line to deal with traffic bursts
exceeding 100 Mbps, unlike a competitor's product
which "handles" the issue by dropping packets from the
start.

http://www.netoptics.com/products/product_family_details.asp?cid=1&pid=3&Section=products&menuitem=1

Sincerely,

Richard Bejtlich
http://www.taosecurity.com
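The line-error risk raised in point 1 is something a sensor operator can check for rather than guess at: a link fed through a poorly built tap or an over-untwisted cable shows up as CRC and framing errors on the monitoring NIC. The following script is an added example, not from the original post or from any vendor mentioned in it. It reads the Linux sysfs statistics counters for an interface and reports line errors per million received frames; the 100 ppm threshold and the sample numbers are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: check a sensor's monitoring NIC
# for the physical-layer errors (CRC, framing) that a homebrew tap or a long,
# untwisted cable produces. Reads Linux sysfs counters; the 100 ppm threshold
# is an assumption chosen for illustration.

# Print one statistics counter, or 0 if the kernel does not expose it.
counter() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo 0; fi
}

# Line errors per million received frames for a statistics directory
# (normally /sys/class/net/<ifname>/statistics).
line_error_ppm() {
    crc=$(counter "$1" rx_crc_errors)
    frame=$(counter "$1" rx_frame_errors)
    pkts=$(counter "$1" rx_packets)
    if [ "$pkts" -gt 0 ]; then
        echo $(( (crc + frame) * 1000000 / pkts ))
    else
        echo 0
    fi
}

# Print OK or DEGRADED by comparing the ppm rate against a threshold
# (second argument, default 100 ppm).
link_verdict() {
    ppm=$(line_error_ppm "$1")
    if [ "$ppm" -gt "${2:-100}" ]; then echo DEGRADED; else echo OK; fi
}

if [ -n "$1" ]; then
    # Real use on a sensor: sh check_tap_link.sh eth1
    stats="/sys/class/net/$1/statistics"
    echo "$1: $(line_error_ppm "$stats") ppm line errors, $(link_verdict "$stats")"
else
    # No interface given: run against a constructed sample directory so the
    # script demonstrates itself offline. These counter values are made up.
    sample=$(mktemp -d)
    echo 2000000 > "$sample/rx_packets"
    echo 900     > "$sample/rx_crc_errors"
    echo 100     > "$sample/rx_frame_errors"
    echo "sample: $(line_error_ppm "$sample") ppm line errors, $(link_verdict "$sample")"
    rm -r "$sample"
fi
```

Run it periodically against the interface that receives the tap or hub output and compare readings over time; a counter that climbs while the link is otherwise idle points at the cable or tap rather than at the traffic. Note that a SPAN port never delivers these errors to the sensor, which is the point the post makes in favour of taps.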

