Network taps for IDS

Greg Francis
Thu Nov 8 17:01:19 GMT 2001

I'm setting up a permanent Snort IDS and I would like to tap into various
parts of the network that lie between the routers and switches. Currently, I
mirror the inbound switch port to dump the traffic to the IDS box. However,
since we can only mirror a port to one other port, we'd have to disable the
mirror periodically to do diagnostics and sometimes it doesn't get switched
back. It also adds overhead to the switch that I would rather avoid.

What I'm wondering is if there is a splitter or tap that you can put on a
CAT5 connection (both 10 and 100 Mbps) that would alleviate the need for me
to mirror one of the ports. I've thought about putting a hub in between the
two switches but that doesn't sound very appealing as a long-term solution.

It can't do anything to degrade performance, increase hop counts, etc.

I want to do this at multiple points in the network. All of the equipment is
CAT5 and in secure locations.

Any solutions out there?


Greg Francis
Sr. System Administrator
Gonzaga University
francis at
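Two failure modes come up in the question above: the mirror session gets disabled for diagnostics and is never re-enabled (the IDS goes silent), and a passive tap delivers each direction on a separate receive-only leg, so an unplugged leg leaves the sensor seeing only half of every conversation. Whichever feed is used, the sensor should be checking that it is still seeing both directions. The script below is an added example written for this thread, not code from the original post or from the Snort project; it assumes a hypothetical monitored subnet 10.0.0.0/24 and works over constructed packet records rather than a live capture, so it runs offline.

```python
"""Feed health check for a SPAN- or tap-fed IDS sensor (added example).

Classifies each time window of captured traffic as:
  ok       - inbound and outbound packets both seen
  silent   - nothing seen (mirror disabled and not switched back?)
  one_way  - only one direction seen (dead tap leg or tx-only SPAN?)
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Hypothetical inside network; in practice this is the sensor's own config.
MONITORED_NET = ipaddress.ip_network("10.0.0.0/24")


@dataclass(frozen=True)
class Pkt:
    ts: float   # capture timestamp in seconds
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address


def direction(pkt: Pkt) -> str:
    """Label a packet relative to the monitored subnet."""
    s_in = ipaddress.ip_address(pkt.src) in MONITORED_NET
    d_in = ipaddress.ip_address(pkt.dst) in MONITORED_NET
    if s_in and not d_in:
        return "outbound"
    if d_in and not s_in:
        return "inbound"
    return "local"  # both sides inside or both outside; not used for the check


def check_window(packets, window_start: float, window_len: float,
                 min_pkts: int = 1) -> str:
    """Return 'ok', 'silent' or 'one_way' for one time window."""
    end = window_start + window_len
    dirs = Counter(direction(p) for p in packets
                   if window_start <= p.ts < end)
    if sum(dirs.values()) < min_pkts:
        return "silent"
    saw_in, saw_out = bool(dirs["inbound"]), bool(dirs["outbound"])
    if saw_in != saw_out:
        return "one_way"
    return "ok"


def audit(packets, window_len: float, start: float, end: float):
    """Walk fixed windows from start to end and classify each one."""
    results = []
    t = start
    while t < end:
        results.append((t, check_window(packets, t, window_len)))
        t += window_len
    return results


# Constructed sample: window 0-10 s is healthy, 10-20 s has no traffic
# (mirror disabled for diagnostics), 20-30 s shows inbound only (one
# tap leg unplugged). These are not real captured packets.
SAMPLE = [
    Pkt(0.1, "10.0.0.5", "198.51.100.7"),   # outbound
    Pkt(0.2, "198.51.100.7", "10.0.0.5"),   # inbound
    Pkt(0.9, "10.0.0.9", "203.0.113.3"),    # outbound
    Pkt(21.0, "203.0.113.3", "10.0.0.9"),   # inbound only from here on
    Pkt(22.5, "198.51.100.7", "10.0.0.5"),  # inbound
]

if __name__ == "__main__":
    for window_start, status in audit(SAMPLE, 10.0, 0.0, 30.0):
        print(f"{window_start:6.1f}s  {status}")
```

On a real sensor the packet records would come from the capture library feeding the IDS, and a run of "silent" or "one_way" windows is the condition to alarm on, since either means the IDS is blind for part or all of the link without anything else looking broken.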

