Ethernet splitters

Chas DiFatta chas at bwana.net
Tue Jun 29 18:31:59 EDT 1999 

If you use a Cisco switch and you wish to monitor the link that supplies all
the traffic (like to/from a router) just set up a spanning port to send
all tx/rv traffic from the router port to another port where your Argus host
resides.  We usually use a separate interface for monitoring on the Argus
host, IP addr 0.0.0.0 to keep in stealth mode.  Other switches may work,
but we're not familiar with them.  We've been able to monitor at a sustained
load of 30 Mb/s for hours with this configuration and Argus 1.8.

If you don't have a Cisco, use a 10 or 100baseT hub just in front the
router.
Since your only using two ports, i.e. router and switch, monitoring the
traffic
on a 3rd port does the trick without any degradation in traffic due to
collisions.

	...cd

> -----Original Message-----
> From: owner-argus at lists.andrew.cmu.edu
> [mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Peter Van Epp
> Sent: Wednesday, July 28, 1999 3:44 PM
> To: nfr-users at nfr.net; argus at lists.andrew.cmu.edu
> Subject: Ethernet splitters
>
>
> 	Since this is of potential interest to both lists (although possibly
> redundant since I expect we are all on bugtraq where it
> originated) a source
> of Ethernet taps (like an optical tap but for 10/100 ethernet) to
> isolate your
> IDS from the sniffed segment. I just ordered a pair, they are a
> little pricy
> around $600 Canadian (for 10baseT could probably use a $2 dual monostable
> to create the 100 nsec pulse every 20 msec to fake link, 100 may be more
> difficult) but this is built in the case and ready to go which
> means I don't
> have to and I'm not paying ...
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
> <snip>
> recreates both rx on a full duplex link, and funnels them off to
> two twisted
> pair cables respectively.  PLug these two, or as many as you want really,
> into a switch that allows port spanning/mirroring, and voila.  I've done
> this in many situations, and it works great.
>
http://www.shomiti.com

I dont work for them, I just use their stuff.

Blue

More information about the argus mailing list