Snort mailing list archives
Re: A question about taps
From: Ted Kaczmarek <tedkaz () optonline net>
Date: Fri, 16 Sep 2005 10:15:17 -0400
On Fri, 2005-09-16 at 14:45 +0100, Brett, Gary wrote:
> Hi there,
>
> Just a quick question. I have in my possession a simple little plastic tap (basically a little adapter type thing that has 3 RJ48 ports on it; it is not a powered device, just a little internally wired adapter). After testing it, it does exactly what a tap should do and outputs all traffic it receives on any of the 3 ports to all the other ports.
>
> My question is this: from reading snort mailing list archives and FAQs, people are suggesting that one should invest in a more complex, powered unit, e.g. Shomiti, Finisar and Netoptics etc., costing many hundreds of dollars in some cases. I would just like to know why my little plastic $5 gizmo is not on that list of recommended items? Is there something my gizmo does or does not do that makes it a bad choice for a SNORT NIDS (even in my small test environment)? I would really like to know.
>
> Any help on this would be greatly appreciated.
>
> Gary
The cheaper stuff will be dropping Ethernet frames. As far as using it for test, you can use tcpdump on the nodes to correlate what is sent versus received if you suspect frames are being dropped.

The taps you mentioned are all "Commercial Grade", not critical for a testing setup, but definitely for a production setup.

You will also see huge performance differences depending on the NIC card the snort box is using, but this is mostly an issue with gigabit today; most of the server class 100 mbit cards should not have any issues with good drivers.

Regards,
Ted
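One way to do the sent-versus-received correlation suggested in the reply above, as an added example that is not part of the original thread. It assumes one capture written with `tcpdump -w` on the sending node and one on the sensor behind the tap, both on the same segment with the same filter and snaplen; the function names and sample frames are constructed for illustration.

```python
import hashlib
import struct
from collections import Counter

# Classic microsecond pcap magic as it appears on disk: little- / big-endian writer.
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}

def read_frames(pcap):
    """Yield the captured bytes of each frame in a classic pcap file (tcpdump -w)."""
    endian = PCAP_MAGICS.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    offset = 24  # skip the global header
    while offset + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, offset)
        frame = pcap[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            break  # truncated last record, e.g. capture interrupted
        yield frame
        offset += 16 + incl_len

def compare_captures(sent_pcap, sensor_pcap):
    """Count frames the sender put on the wire that never reached the sensor."""
    # Counter is a multiset, so byte-identical retransmissions are counted, not merged.
    sent = Counter(hashlib.sha256(f).digest() for f in read_frames(sent_pcap))
    seen = Counter(hashlib.sha256(f).digest() for f in read_frames(sensor_pcap))
    total = sum(sent.values())
    missing = sum((sent - seen).values())
    loss = round(100.0 * missing / total, 2) if total else 0.0
    return {"sent": total, "matched": total - missing, "missing": missing, "loss_pct": loss}

def build_pcap(frames):
    """Build an in-memory pcap (Ethernet link type) from constructed frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1, i, len(frame), len(frame)) + frame
    return out

# Constructed sample data: ten 60-byte Ethernet frames; the sensor misses two of them.
ETH_HDR = bytes.fromhex("001122334455" "00aabbccddee" "0800")
SENT_FRAMES = [ETH_HDR + i.to_bytes(2, "big") * 23 for i in range(10)]
SENSOR_FRAMES = [f for i, f in enumerate(SENT_FRAMES) if i not in (3, 7)]

if __name__ == "__main__":
    print(compare_captures(build_pcap(SENT_FRAMES), build_pcap(SENSOR_FRAMES)))
```

With real captures, pass the raw bytes of the two files to `compare_captures`; a non-zero `missing` count on an otherwise idle test link points at the tap or the sensor NIC rather than at Snort itself.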