RE: Ethernet Tap

[Matt Kettler <mkettler () evi-inc com>]

At 03:44 PM 8/13/2004, Turnquist,Wayne wrote:
> im new at snort and thought i had it setup right.
>
> i have snort with 3 interface cards and have 2 cisco fasthub 400 series 
> where i have 1 tied to a span port(100 full) off a cat400 for mirroring a 
> router port on one vlan. i have 1 snort interface plugged into this hub at 
> 100 full.
>
> should i be setting the span port for the hub at 100 half instead of 100 full?
> what about the snort interface, 100 half or full?

Set the span port and the snort interface to the SAME duplex.. preferably 
full if both support it. However, if your snort box never sends anything 
out the sniffing interface (ie: you don't use flexresp), then duplex is 
more-or-less irrelevant, as all the traffic is going one way all the time. 
In this scenario half works as well as full, but I'd still set both for the 
same duplex, whatever you do.


However, none of this has much to do with the original discussion, which is 
about passive taps. Passive taps are very different than what you are 
doing, so don't get confused by the discussion of bonding interfaces as 
pertains to them. (Passive taps are typically used to avoid inserting a 
managed switch or hub)







-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users