Re: Ethernet tap vs. spanned port

From: Jeff Kell (jeff-kell@utc.edu)
Date: 08/07/02
Date: Wed, 07 Aug 2002 00:40:11 -0400
From: Jeff Kell <jeff-kell@utc.edu>
To: Kyle Ginney <kyleginney@boydgaming.com>

Kyle Ginney wrote:

> My problem arose recently when we were testing the eTrust IDS from CA.
> Their product only runs on Windows, so I installed it on a Win2K server
> and connected a monitoring port to another port on the same Ethernet tap.
> I then had both IDS running off of the same Ethernet tap with the
> monitoring port on both boxes running in stealth mode. When we looked at
> the data on the eTrust server, it was only capturing the packet headers -
> no data. When their techs called home, they were informed that this was a
> problem originating at the tap and we should move the monitoring port to a
> spanned port. When we did this, their sensor picked up the full packet
> payload.

One guess would be your network architecture. If a hub is involved,
you may be getting runt packets due to collisions. If a switch, you
need to know if its architecture is cut-through, fragment-free, or
store-and-forward. With the first, you will get runts as well. With
the second, you'll at least get a header intact. Only the latter will
guarantee no error propagation.

It also depends on how "raw" your NIC card will go. Even in promiscuous
mode, some NICs/drivers silently discard error packets and/or payloads
with TCP checksums enabled.

But that is just a wild guess; your mileage may vary :-)

Jeff
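The runt, header-only and checksum-failure cases discussed above, as an added diagnostic example that is not part of the original thread: it builds a constructed Ethernet/IPv4/TCP frame and classifies captured frames the way a receiving NIC or sensor would, so a tap feed can be checked for collision runts, truncated (header-only) captures and bad TCP checksums before blaming the IDS. The addresses, ports and payload are made-up sample values.

```python
import struct

# Added example, not from the original thread: sanity-check frames off a tap.
MIN_FRAME_NO_FCS = 60  # 64-byte Ethernet minimum minus the 4-byte FCS

def ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF

def classify_frame(frame: bytes, wire_len=None) -> str:
    """Return 'runt', 'truncated', 'bad-tcp-checksum', 'ok' or 'not-tcp'."""
    wire_len = len(frame) if wire_len is None else wire_len
    if wire_len < MIN_FRAME_NO_FCS:
        return "runt"                       # collision fragment / cut-through leftover
    if len(frame) < wire_len:
        return "truncated"                  # capture delivered headers, not payload
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return "not-tcp"                    # not IPv4
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    if ip_hdr[9] != 6:
        return "not-tcp"
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    src, dst = ip_hdr[12:16], ip_hdr[16:20]
    tcp_seg = frame[14 + ihl:14 + total_len]
    pseudo = src + dst + b"\x00\x06" + struct.pack("!H", len(tcp_seg))
    # Receiver-side check: summing pseudo-header + segment (checksum field
    # included) must yield 0, otherwise many NICs/drivers drop the packet.
    if checksum(pseudo + tcp_seg) != 0:
        return "bad-tcp-checksum"
    return "ok"

def build_tcp_frame(payload: bytes, corrupt: bool = False) -> bytes:
    """Constructed sample frame: Ethernet + IPv4 + TCP (10.0.0.1:1234 -> 10.0.0.2:80)."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    csum = checksum(src + dst + b"\x00\x06" + struct.pack("!H", len(tcp)) + tcp)
    tcp = tcp[:16] + struct.pack("!H", csum ^ (1 if corrupt else 0)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp
```

Feeding real frames from a capture (with the pcap record's original length as `wire_len`) tells you whether the tap side is handing the sensor whole, valid packets.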