Re: Taps and 10/100 hubs

[Bamm Visscher <bamm.visscher () gmail com>]

The intelligent bridge is between 10MB and 100MB traffic.  Since your
IDS nic is 100MB, it will never see the 10MB traffic being sent to the
hub (unless your nic can be forced down to 10MB). Even if you can
force the nic to negotiate down to 10MB, every time you see that
collision light on the hub go blinky-blink, another packet will be
lost to /dev/null, never to be seen again (and since the router/switch
passed the packet on w/o problems, don't expect a retransmit). On the
positive side, your perf stats will rock ;)

My suggestion would be to take that hub (or better yet get the 10MB
only version EN104TP) and put it between the switch and router, and
sniff the traffic that way.

Bammkkkk

On Wed, 25 Aug 2004 15:56:55 -0600, Mike Lieberman <mike () netwright net> wrote:
> We are still working out how we will deploying our first IDS server. In all
> the scenarios discussed, I didn't see the following:
>
> Using the passive tap documented in http://www.snort.org/docs/tap/
>
> Router <----------------[passive tap]------>switch
> (10Mb,Half-Duplex)    [host, A, B, Host]
>                             /   \
>                            /     \
>                           /       \
>                          /         \
>        (10Mb,Half-Duplex)           (10Mb,Half-Duplex)
>                         \           /
>                          \         /
>                           \       /
>                            \     /
>                             \   /
>                        Hub [4 PORT 10/100]
>                     [example, NETGEAR DS104]
>                               |
>                               |
>                            100Mb NIC
>                              Snort
>
> Netgear claims the hub has an "intelligent bridge automatically manages
> network traffic..." since two half-duplex feeds are going into the hub and
> the IDS is connected via a 100Mb NIC, doesn't that solve to a significant
> extent the collission problem? Since we would only be monitoring the
> bandwith coming to and from the router at 10Mb hald-duplex, I don't see
> where we get into buffer issues.
>
> Since I can't believe I have this right, what am I missing?

-- 
http://sguil.sf.net


-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users