AW: [Snort-users] Ethernet Tap
From: Altrock, Jens (Jens.Altrock STADT-NW.DE)
Date: Fri Apr 16 2004 - 07:46:10 CDT
First thanks for the answers, and sorry for another dumb question. :-/
I thought that this thing isn't working that way, but there is
anyway a problem concerning that two port solution. I'd need a software that
reassembles the network traffic in a way, right? For I need both lines
(TX and RX) to analyze "special" or more complex attacks. So is there any
affordable software that does that? Or is there any solution for that
problem?
Regards,
Jens Altrock
-----Original Message-----
From: Matt Kettler [mailto:mkettler evi-inc.com]
Sent: Thursday, 15 April 2004 20:18
To: Altrock, Jens; Snort-Users (E-Mail)
Subject: Re: [Snort-users] Ethernet Tap
At 11:13 AM 4/15/2004, Altrock, Jens wrote:
>I am searching for a possibility of constructing an ethernet tap, but not
>like the one found on the snort website
>where I need to attach two network cards to inspect the whole traffic, but
>one using one port for a full
>duplex line. Is that possible and does anyone have some links concerning
>this topic? Would be nice.
In short, you can't do such a bi-directional tap into a single ethernet port
in a simple way. Such a tap cannot be done in a passive manner and must be
a buffered system with memory, and have a lot of electronics. It would be
much cheaper to spend the money on a manageable switch with span port
capability.
Think about it. You want to feed 100mbit/sec outbound AND 100mbit/sec
inbound into a single 100mbit/sec ethernet port. Sorry, you can't do that
just by soldering a few wires together.
The simple cheap passive tap is simple and cheap because it relies on the
fact that you can feed a single 100mbit/sec stream into a 100mbit/sec port
pretty easily. So you just dump the inbound into one port, the outbound
into another. Poof, instant passive tap, but it requires 2 ethernet cards.
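
What recombining the two directions of a two-port passive tap amounts to, as an added example that is not part of the original messages or of Snort: each NIC's capture holds one direction, and a timestamp-ordered merge of the two yields the single stream a sensor needs to follow both sides of a session. The function names are chosen here, the input is assumed to be classic microsecond pcap, and both NICs are assumed to sit in the same host so their timestamps share one clock.

```python
import heapq
import io
import struct

MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
GLOBAL_HDR = struct.pack("<IHHiIII", MAGIC, 2, 4, 0, 0, 65535, 1)  # 1 = Ethernet

def read_pcap(stream):
    """Yield (ts_sec, ts_usec, orig_len, frame) records from one capture."""
    head = stream.read(24)
    for endian in ("<", ">"):
        if len(head) == 24 and struct.unpack(endian + "I", head[:4])[0] == MAGIC:
            break
    else:
        raise ValueError("not a classic microsecond pcap")
    while True:
        rec = stream.read(16)
        if len(rec) < 16:
            return  # end of file (or a truncated record header)
        sec, usec, caplen, origlen = struct.unpack(endian + "IIII", rec)
        frame = stream.read(caplen)
        if len(frame) < caplen:
            return  # capture was cut off mid-packet
        yield sec, usec, origlen, frame

def merge_tap_captures(rx_stream, tx_stream, out_stream):
    """Interleave both tap directions by timestamp; return packets written."""
    out_stream.write(GLOBAL_HDR)
    merged = heapq.merge(read_pcap(rx_stream), read_pcap(tx_stream),
                         key=lambda rec: (rec[0], rec[1]))
    count = 0
    for sec, usec, origlen, frame in merged:
        out_stream.write(struct.pack("<IIII", sec, usec, len(frame), origlen))
        out_stream.write(frame)
        count += 1
    return count

def build_pcap(records):
    """Constructed sample capture from (sec, usec, frame_bytes) tuples."""
    body = b"".join(struct.pack("<IIII", s, u, len(f), len(f)) + f
                    for s, u, f in records)
    return io.BytesIO(GLOBAL_HDR + body)

if __name__ == "__main__":
    # Constructed sample; the payloads are labels, not real Ethernet frames.
    rx = build_pcap([(100, 10, b"SYN"), (100, 900, b"ACK")])
    tx = build_pcap([(100, 500, b"SYN/ACK")])
    out = io.BytesIO()
    print(merge_tap_captures(rx, tx, out), "packets merged")
```

The merge is only as good as the timestamps: if the two directions are captured on different hosts, clock skew can reorder packets within a session.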