focus-ids IDS mailing list archives

Re: Passive Network Taps - on the cheap
From: Richard Bejtlich <taosecurity () gmail com>
Date: Mon, 13 Feb 2006 14:31:21 -0500

On 2/13/06, Packet Man <packetman () altsec info> wrote:

> I've finally finished a major upgrade to my work on
> construction and use of passive network taps.
>
> Granted, the best tap is a commercial tap.  But, a
> home-built passive network tap can be used quite
> successfully to monitor network traffic.
>
> The original paper on construction, with minor
> modifications:
>
> http://www.altsec.info/passive-network-tap.html
>
> The new paper on using the tap, with recent test
> lab results:
>
> http://www.altsec.info/pnt-sensor-data.html
>
> Anyone who is interested, please feel free to
> have a look.  For any comments, suggestions, or
> corrections, please see the papers for contact
> information.
>
> Just my way of saying thanks for all the great
> information I get in this list.  I hope my many
> hours of testing and research benefits someone.
>
> Mark


Mark,

You mention "ZERO network degradation" for your last two tables, but
it seems you are only looking at TX and RX errors between the parties
exchanging traffic.  How do you measure the number of packets captured
by the sensor?

For example, study 3 lists the workstation as having 174739 "Total Packets"
(TX + RX), but the sensor has 112686 "Rx packets".  Does this mean
174739-112686=62053 packets (35%) were not seen by the sensor?

Also, in your first doc you say:

"Granted, you could very well use switch ports to aggregate the signal
from the PNT's tap jacks, or maybe even a hub (haven't tried). "

Connecting tap outputs to a hub makes a great collision factory, not a
way to combine tap outputs. [0] [1]

Sincerely,

Richard

[0] http://taosecurity.blogspot.com/2005/12/taps-and-hubs-never-ever-mix-ive.html
[1] http://taosecurity.blogspot.com/2005/12/taps-and-hubs-part-deux-yesterday-i.html
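The check Richard asks for, as an added example that belongs neither to this thread nor to either paper: compare one endpoint's TX+RX counters with what the sensor's capture interfaces actually received, instead of relying on the endpoints' zero error counts. The counter text, host and interface names are constructed; the packet totals reuse the study 3 figures quoted above, split across the tap's two output jacks (one per direction).

```python
import re

# Constructed counter snapshots (not taken from the papers). The two hosts
# exchanging traffic report TX/RX on their own NICs; a passive tap delivers
# each direction on a separate jack, so the sensor has two receive-only NICs.
ENDPOINT_COUNTERS = """\
workstation eth0: RX packets 87412  TX packets 87327  RX errors 0  TX errors 0
server      eth0: RX packets 87327  TX packets 87412  RX errors 0  TX errors 0
"""
SENSOR_COUNTERS = """\
sensor eth1: RX packets 56210  RX errors 0  RX dropped 0
sensor eth2: RX packets 56476  RX errors 0  RX dropped 0
"""

LINE_RE = re.compile(r"(?P<host>\S+)\s+(?P<iface>\S+):\s+(?P<rest>.*)")
FIELD_RE = re.compile(r"(RX|TX) (packets|errors|dropped) (\d+)")


def parse_counters(text):
    """Return {(host, iface): {'RX packets': n, ...}} from the counter text."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = {f"{d} {k}": int(v) for d, k, v in FIELD_RE.findall(m.group("rest"))}
        out[(m.group("host"), m.group("iface"))] = fields
    return out


def tap_coverage(endpoint_text, sensor_text, host):
    """Compare one endpoint's TX+RX total with the packets the sensor received.

    Returns (expected, seen, missing_fraction, link_clean, sensor_dropped).
    link_clean only says the monitored link itself was not degraded; the
    sensor's own RX counters are the only evidence of what it captured.
    """
    endpoints = parse_counters(endpoint_text)
    sensor = parse_counters(sensor_text)
    ep = next(c for (h, _), c in endpoints.items() if h == host)
    expected = ep["TX packets"] + ep["RX packets"]
    seen = sum(c["RX packets"] for c in sensor.values())
    sensor_dropped = sum(c.get("RX dropped", 0) for c in sensor.values())
    link_clean = all(c["RX errors"] == 0 and c["TX errors"] == 0 for c in endpoints.values())
    missing = (expected - seen) / expected if expected else 0.0
    return expected, seen, round(missing, 4), link_clean, sensor_dropped
```

A non-zero missing fraction with a clean link and zero sensor-side drops points at the tap or aggregation path rather than the sensor NIC.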
