Hi.

I've made a passive TAP as described on the snort page, but I'm having a
problem.

The link is operating well and I can sniff half of the traffic by using
TapB, but when I connect the ntop machine in TapA, the interface (the same
ntop ethernet nic) doesn't work.

I've checked the connections and they appear to be fine.

Any idea?

Another question: is there a way to get traffic in both directions using only
one Tap, i.e., maybe using the pair 1,2 in TapB?

Best regards.

Wilson 


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Greg Redder
> Sent: Wednesday, March 17, 2004 11:23 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Ntop] plea for information
>
>
>
>
> Regarding the passive TAPs designed on the snort page for use with ntop:
>
> We made up a whole patch panel of these to plug into our ntop machines for
> monitoring.  It works great.  It even passes the Cat5 test on our Fluke
> meter with the following caveats:
>
> - fails impedance test if you go through the patch panel and have
>   the other ports connected to the sniffer/ntop box.

Sure.  The signal will be split across the two wires for the TDR test they use
and thus will return bogus results (two returned reflections, not one).
See, Mom, EE Degree did have some uses.

> - takes down the connection if you plug a cable into either of the
>   "sniffer" ports, but don't plug it into a machine.  In
>   other words, don't leave cables dangling out of the sniffer ports
>   and when you disconnect the sniffer, always do it at the patch panel!

If you read the stuff on the old 10Base-T cable that used to be there, it
didn't work for 100Base-T because of the (theoretical) length of the wire
required to prevent cross-talk from occurring.

> - requires a linux kernel that supports bonding of the ethernet cards

Sure.  The two taps see only 1/2 the traffic.

> Otherwise, it appears that the model you pay $400+ for probably has
> an external power supply to solve the first two caveats listed above!

($400 - optimist. At the IT International Forum in Dallas they wanted - show
special - $895, MSRP $995!)

True.  Or it could be that they've just put separate hubs in there for each
half.

>
> --Greg
>
>
>  On  Tue, 16 Mar 2004, Burton M. Strauss III wrote:
>
> > Date: Tue, 16 Mar 2004 17:40:33 -0600
> > From: Burton M. Strauss III <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Subject: RE: [Ntop] plea for information
> >
> > Conceptually the right answer, but ... YMMV - even some of the US$20 4 port
> > hubs have become switching hubs - I think that it's become a commodity
> > problem - there's one cheap chipset so everyone uses it kind of stuff.
> >
> > I use an older Linksys EFAH08W 10/100 hub, but it has to be the v1 unit, the
> > v3 is a switching hub!
> >
> > There's also a design @ snort.org for a passive Ethernet tap.
> > http://www.snort.org/docs/tap/  It looks like it should work as well as the
> > ones sold for US$900 (although I hope those devices are more than a few
> > passive wires...).  But I haven't tested it.
> >
> >
> > -----Burton


_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
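
The thread notes that each port of the passive tap sees only half the traffic, which is why the two sniffer NICs get bonded for live monitoring. The following is an added example, not code from any poster in this thread: it does the offline equivalent, merging one capture per tap port into a single time-ordered stream. It assumes classic little-endian pcap files with microsecond timestamps taken on the same host clock; the function names, MAC addresses and payloads are constructed for illustration.

```python
import heapq
import struct

PCAP_HDR = struct.Struct("<IHHiIII")  # classic little-endian pcap global header
REC_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len
MAGIC = 0xA1B2C3D4                    # microsecond-resolution pcap magic

def read_pcap(data, tap):
    """Yield (timestamp_us, tap_name, frame) for each record in a pcap byte string."""
    magic, _, _, _, _, _, linktype = PCAP_HDR.unpack_from(data, 0)
    if magic != MAGIC or linktype != 1:
        raise ValueError(f"{tap}: expected little-endian Ethernet pcap")
    off = PCAP_HDR.size
    while off + REC_HDR.size <= len(data):
        sec, usec, incl, _orig = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        if off + incl > len(data):
            raise ValueError(f"{tap}: truncated record")
        yield sec * 1_000_000 + usec, tap, data[off:off + incl]
        off += incl

def write_pcap(records):
    """Serialize (timestamp_us, tap_name, frame) tuples as one Ethernet pcap."""
    out = [PCAP_HDR.pack(MAGIC, 2, 4, 0, 0, 65535, 1)]
    for ts, _tap, frame in records:
        out.append(REC_HDR.pack(ts // 1_000_000, ts % 1_000_000, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

def merge_taps(cap_a, cap_b):
    """Merge two one-direction captures into a single time-ordered list."""
    # heapq.merge relies on each capture already being in timestamp order.
    return list(heapq.merge(read_pcap(cap_a, "TapA"), read_pcap(cap_b, "TapB")))

def eth_frame(dst, src, payload):
    """Build a constructed Ethernet frame (0x88b5 = local experimental EtherType)."""
    return bytes.fromhex(dst + src + "88b5") + payload

# Constructed sample: host A transmits on the TapA pair, host B on the TapB pair.
A, B = "020000000001", "020000000002"
CAP_A = write_pcap([(1_000_000, "TapA", eth_frame(B, A, b"req1")),
                    (1_000_300, "TapA", eth_frame(B, A, b"req2"))])
CAP_B = write_pcap([(1_000_150, "TapB", eth_frame(A, B, b"resp1")),
                    (1_000_450, "TapB", eth_frame(A, B, b"resp2"))])

if __name__ == "__main__":
    for ts, tap, f in merge_taps(CAP_A, CAP_B):
        print(ts, tap, f[14:])
```

Either capture alone shows only requests or only responses; the merged stream restores the interleaved conversation.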