Honeypots mailing list archives

Re: reassemble data from TAP


From: Kyle Maxwell <krmaxwell () gmail com>
Date: Thu, 14 Oct 2004 17:27:46 -0500

On Thu, 14 Oct 2004 10:17:09 +0600, Vladislav V. Myasnyankin
<mvv () kazna ru> wrote:
> I want to use Snort (on a Linux box) to analyze network flow to/from the
> honeynet. But I have some restrictions; in particular I can use only a Single TAP
> (http://www.securicore.ca/critical_taps/singletap/ ) to connect sensors. This
> means that I need 2 NICs to receive the full stream (one for the Rx pair, one for
> the Tx pair). I am not sure if Snort will work well in these conditions, because
> each sensor can analyze only half of the stream.
> Is there any software solution for Linux to "restore" the full stream, direct it
> to some pseudo-NIC, then "connect" Snort to this pseudo-NIC?

Look around for "Linux channel bonding" and "interface aggregation";
that lets you aggregate multiple physical interfaces into one virtual
interface. Then point your IDS, sniffer, or whatever at the new
virtual interface.

-- 
Kyle Maxwell
[krmaxwell () gmail com]
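The aggregation Kyle describes, written out as an added example that is not part of the original thread. It builds one bond interface from the two NICs on the tap's outputs with iproute2 and then hands that interface to Snort; the interface names (eth1, eth2, bond0) and the Snort config and log paths are assumptions. The mode matters for a passive sensor: in active-backup the bonding driver drops frames received on the inactive slave, so only one direction would reach Snort, whereas balance-rr keeps both slaves active. The commands are only printed unless APPLY=1 is set and the script runs as root.

```shell
#!/bin/sh
# Added example, not code from the original thread. Joins the two tap legs
# (each NIC sees one direction) into a single bond interface for an IDS.
# Interface names and Snort paths below are assumptions for illustration.

RX_IF="${RX_IF:-eth1}"     # assumed: NIC attached to the tap's A->B output
TX_IF="${TX_IF:-eth2}"     # assumed: NIC attached to the tap's B->A output
BOND_IF="${BOND_IF:-bond0}"

# Emit the iproute2 commands that build the aggregate interface.
# balance-rr keeps both slaves active so frames from both legs are
# delivered on the bond; active-backup would discard frames arriving
# on the inactive slave and the sensor would again see half the stream.
# Nothing is ever transmitted: the bond is brought up with ARP disabled
# and in promiscuous mode purely as a receive-side pseudo-NIC.
bond_commands() {
    rx="$1"; tx="$2"; bond="$3"
    cat <<EOF
ip link add $bond type bond mode balance-rr miimon 100
ip link set $rx down
ip link set $tx down
ip link set $rx master $bond
ip link set $tx master $bond
ip link set $rx up promisc on
ip link set $tx up promisc on
ip link set $bond up promisc on arp off multicast off
EOF
}

# Number of commands emitted; a cheap sanity check for the generator.
bond_command_count() {
    bond_commands "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Snort invocation for the aggregate interface (config/log paths assumed).
snort_command() {
    echo "snort -i $1 -c /etc/snort/snort.conf -l /var/log/snort"
}

# Print the commands, or execute them when APPLY=1 (requires root).
apply_bonding() {
    if [ "${APPLY:-0}" = "1" ]; then
        bond_commands "$RX_IF" "$TX_IF" "$BOND_IF" | sh -e
    else
        bond_commands "$RX_IF" "$TX_IF" "$BOND_IF"
    fi
}

apply_bonding
snort_command "$BOND_IF"
```

On 2.4/2.6-era systems without iproute2 bond support, the same effect comes from `modprobe bonding mode=0 miimon=100`, `ifconfig bond0 up promisc` and `ifenslave bond0 eth1 eth2`; either way, check with `cat /proc/net/bonding/bond0` that both slaves are listed and up before trusting what Snort reports.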
