Ethernet splitters
Peter Van Epp
vanepp at sfu.ca
Fri Jul 30 17:58:49 EDT 1999
>
> Greetings,
>
> I use both the passive hub and mirrored port solutions in my current network
> monitoring. Unfortunately, solutions that work for low speed half duplex links
> have problems at higher speeds with full duplex.
>
Which (although I obviously didn't explain it very clearly since I
got a query via private email too) is why the Shomiti box is so attractive.
It connects inline to the link but provides a probably buffered (because there
is a power supply involved which presumably there wouldn't be if it was
completely passive) receive data port for each of the transmit and receive
pairs on the passthrough port pair so that full duplex works (i.e. the full
doubled bandwidth can be accommodated if your sniffer can handle it or you have
two NIC cards in your IDS). It is rated 10/100 and I intend on using it on a
100 link so I can report how it really works when I get it if desired.

A desirable side benefit is that no matter what the IDS or monitor
host transmits, because there are no transmit wires on the monitor port, no
one hears anything the monitor host says. That precludes a break-in from the
Internet side from letting your IDS be used against you (of course a break-in
from the control connection to your presumably secured inside network is
still a serious problem).