Re: Taps, Rx Only Cables & Hubs - Which one(s)?

[Matt Kettler <mkettler () evi-inc com>]

At 09:49 AM 6/8/2004, Jim Richards wrote:
> I made my own tap via:  http://www.snort.org/docs/tap/
>
> It says it can be used on any hub or switch and any OS.  But, I get no 
> link on the Snort box and no data coming in.  According to the mail list 
> archives, I need to add the Rx only cable...after diagraming it out with 
> the tap, basically it would mean just tying pins 1&2 on the Snort NIC together:

No, you don't need a Rx only cable with the TAP... however, you MUST have 
two connections to in from your snort box, or you won't get link.



> Firewall ------  Tap  -------  Switch to Network
>                     |
>                   Snort


Really that picture should look like

Firewall ------  Tap  -------  Switch to Network
                    | |
                  Snort

where there are two cables coming to snort from the tap. See the "tap A" 
and "tap B" ports? that's not two taps.. that's one tap. After all, how can 
one passively tap full-duplex 100mbit/sec traffic with one port?

The tap works in such a way that "Tap A" sees all the traffic from the 
firewall side, "Tap B" sees all the traffic from the switch side. Feed them 
into separate NICs in your snort box, and use bonding to bond the two nics 
into a single virtual interface that snort can sniff.



-------------------------------------------------------
This SF.Net email is sponsored by: GNOME Foundation
Hackers Unite!  GUADEC: The world's #1 Open Source Desktop Event.
GNOME Users and Developers European Conference, 28-30th June in Norway
http://2004/guadec.org
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users