[unisog] Network taps for IDS

Peter Van Epp vanepp at sfu.ca
Fri Nov 9 17:25:34 GMT 2001

	I looked at this option before buying Shomiti Century taps. Its not
to bad on 10, a monostable can provide the heartbeat pulse to fool link. The
100 is the problem because the RX PLL wants to see TX signal to sync up. There
is also the issue of maintaining the appropriate twists on the Cat5 at 100
while arranging the split. It probably could be done, but the Century tap 
(which already does it and only needs money :-)) made a lot more sense for
me. I've heard the same issue affects Gig on optical taps (i.e. a straight 
optical splitter isn't enough to make the tap port work) but I don't yet have
a gig capable analyser to try on my splitters and see.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

> You can always do creative cabling on CAT5(e).  Split the two pairs for
> each connection onto two separate plugs and use two hubs: one for
> incoming traffic and one for outbound.  Of course in some cases you may
> need to somehow balance the missing pair so that the hub doesn't think
> it has a link fault, but that's probably just A Small Matter Of
> Wiring.
> Jeff Anderson-Lee
> Systems Manager, Digital Library Project
> ERL, University of California at Berkeley
> Re:
>  :From:  Peter Van Epp <vanepp at sfu.ca>
>  :To:  unisog at sans.org
>  :Subject:  Re: [unisog] Network taps for IDS
>  :Date:  Fri, 9 Nov 2001 07:29:29 -0800 (PST)
>  :
>  :> 
>  :> On Thu, Nov 08, 2001 at 03:38:49PM -0600, John Kristoff wrote:
>  :> 
>  :> > If you have a shared hub, you can put the mirrored port to it, then on
>  :> 
>  :> Not only that, but if you have it going to a shared hub, you *will*
>  :> find times when you are glad to be able to have other things plugged
>  :> into it....  argus.. IDS.... sniffer...
>  :> 
>  :
>  :	The downside to this (as opposed to a tap) is of course that the 
>  :hub forces the connection in to half duplex and thus cuts performance 
>  :substantially. The taps are capable of operating full duplex (as long as your
>  :monitor is of course).
>  :
>  :Peter Van Epp / Operations and Technical Support 
>  :Simon Fraser University, Burnaby, B.C. Canada
>  :

More information about the unisog mailing list