Snort mailing list archives

Re: Tap question


From: Erek Adams <erek () snort org>
Date: Thu, 30 Jan 2003 14:33:54 -0500 (EST)

On Thu, 30 Jan 2003, Mike Shaw wrote:

> I'm evaluating a move from span ports to taps this year, and I've been
> looking at these:
>
> http://www.netoptics.com/10-100-tap.html
>
> It looks like in order to do this I will need two nics to effectively
> monitor a network: one for incoming packets and one for outgoing.  Is this
> correct?  (if this is covered in a prior post or FAQ, please slap me down
> and I'll look it up)

Have a look at the IDS deployment guides:

        http://www.snort.org/docs/#deploy

Taps usually split the ether stream into two streams.  One is TX and the
other is RX.  You will need two nics to be able to really deal with that.
If you're on a Linux 2.4+ kernel you should be able to use the bonding
patches (http://bonding.sf.net), if on *BSD you should be able to use
bridging, and if on Solaris--I think!--you could use trunking (Sun
software) to combine the two streams into one.

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
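
The reply above says a tap delivers TX and RX as two separate streams that have to be combined into one. The following sketch is an added example, not part of the original post: it shows in user space what that combining achieves for a stateful sensor. The packet records, addresses, and function names are constructed for illustration; bonding, bridging, or trunking do the equivalent at the interface level.

```python
import heapq
from collections import namedtuple

# Minimal packet record: timestamp, source, destination, TCP flags.
Pkt = namedtuple("Pkt", "ts src dst flags")

CLIENT, SERVER = "10.0.0.5:40000", "192.0.2.10:80"  # constructed addresses

# Constructed sample: what each tap output port would hand to its own NIC.
TX = [Pkt(1.000, CLIENT, SERVER, "S"),    # client SYN
      Pkt(1.002, CLIENT, SERVER, "A"),    # client ACK completing the handshake
      Pkt(1.003, CLIENT, SERVER, "PA")]   # client request data
RX = [Pkt(1.001, SERVER, CLIENT, "SA"),   # server SYN-ACK
      Pkt(1.004, SERVER, CLIENT, "A")]    # server ACK of the request

def merge_streams(*streams):
    """Interleave per-direction captures (each already time-ordered) by timestamp."""
    return list(heapq.merge(*streams, key=lambda p: p.ts))

def established_flows(packets):
    """Return (client, server) pairs whose full SYN / SYN-ACK / ACK was observed."""
    state, done = {}, set()
    for p in packets:
        fwd, rev = (p.src, p.dst), (p.dst, p.src)
        if p.flags == "S":
            state[fwd] = "SYN"
        elif p.flags == "SA" and state.get(rev) == "SYN":
            state[rev] = "SYNACK"
        elif "A" in p.flags and state.get(fwd) == "SYNACK":
            state[fwd] = "EST"
            done.add(fwd)
    return done

if __name__ == "__main__":
    # One NIC on one tap port sees half the conversation and tracks no session.
    print("TX only:", established_flows(TX))
    print("RX only:", established_flows(RX))
    # Both halves merged in time order: the session is visible end to end.
    print("merged :", established_flows(merge_streams(TX, RX)))
```
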

