RE: Span Port to Fiber Tap Problems

["larosa, vjay" <larosa_vjay () emc com>]

Mike I tried to reply directly but mail to you is bouncing, hopefully you
and some other people on the list will find this diagram helpful. I whipped
it up quick, hope it isn't to confusing.

vjl

-----Original Message-----
From: larosa, vjay 
Sent: Wednesday, October 22, 2003 12:25 AM
To: 'kudzu () tenebras com'
Subject: FW: [Snort-users] Span Port to Fiber Tap Problems


Okay, see if this makes sense to you. If not maybe we should talk on the
phone.


vjl



-----Original Message-----
From: Michael Sierchio [mailto:kudzu () tenebras com] 
Sent: Tuesday, October 21, 2003 11:06 PM
To: larosa, vjay
Subject: Re: [Snort-users] Span Port to Fiber Tap Problems

larosa, vjay wrote:
> Your fiber tap has a send and receive in one cable now. You need to split
> the cable, plug half of each side in to a small switch (Cisco 3500 XL 8
port
> gig with auto negotiation turned off) then span the two ports back in to
one
> port where you plug in your snort sensor. The Gigabit line you have snort
> plugged in now is only presenting half of the conversation to snort so
> stream4 is not allowing the packets to be processed because it is only
> seeing half of the conversation. Let me know if you need more help, I have
> this setup in several places.

vjay -

I for one do wish you'd expand a bit (got any diagrams or photos?).  I've
done copper taps, but never fiber taps, so am concerned about doing it
right and getting all the packets.

Thanks,

Michael