Re: Ethernet tap vs. spanned port
From: Jeff Kell (email@example.com)
Date: Wed, 07 Aug 2002 00:40:11 -0400
From: Jeff Kell <firstname.lastname@example.org>
To: Kyle Ginney <email@example.com>

Kyle Ginney wrote:
> My problem arose recently when we were testing the eTrust IDS from CA.
> Their product only runs on Windows, so I installed it on a Win2K server
> and connected a monitoring port to another port on the same Ethernet tap.
> I then had both IDS running off of the same Ethernet tap with the
> monitoring port on both boxes running in stealth mode. When we looked at
> the data on the eTrust server, it was only capturing the packet headers -
> no data. When their techs called home, they were informed that this was a
> problem originating at the tap and we should move the monitoring port to a
> spanned port. When we did this, their sensor picked up the full packet

One guess would be your network architecture. If a hub is involved,
you may be getting runt packets due to collisions. If a switch, you
need to know if its architecture is cut-through, fragment-free, or
store-and-forward. With the first, you will get runts as well. With
the second, you'll at least get a header intact. Only the latter will
guarantee no error propagation.

It also depends on how "raw" your NIC card will go. Even in promiscuous
mode, some NICs/drivers silently discard error packets and/or payloads
with TCP checksums enabled.

But that is just a wild guess, your mileage may vary :-)
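
The forwarding-mode argument in the reply above, as an added example that is not part of the original message: a simplified Python model of what a sensor behind each switch type would see when a frame is cut short by a collision or arrives with a flipped bit. The 6-byte cut-through threshold, the MAC addresses and the sample frames are constructed assumptions.

```python
import struct
import zlib

MIN_FRAME = 64          # minimum legal Ethernet frame, FCS included
CUT_THROUGH_BYTES = 6   # assumption: forwarding starts once the destination MAC is read

def build_frame(payload: bytes) -> bytes:
    # Constructed frame: dst MAC, src MAC, EtherType, padded payload, FCS.
    header = bytes.fromhex("020000000002" "020000000001" "0800")
    body = header + payload.ljust(46, b"\x00")   # pad to the 46-byte minimum payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)

def fcs_ok(frame: bytes) -> bool:
    return len(frame) >= 18 and struct.pack("<I", zlib.crc32(frame[:-4]) & 0xFFFFFFFF) == frame[-4:]

def forward(wire: bytes, mode: str):
    """Bytes leaving the egress port for a damaged or intact ingress frame, or None if dropped."""
    if mode == "cut-through":
        # Transmission has already begun before any damage can be detected.
        return wire if len(wire) >= CUT_THROUGH_BYTES else None
    if mode == "fragment-free":
        # Waits for the first 64 bytes, so collision fragments are filtered,
        # but the FCS at the end of a longer frame is never checked.
        return wire if len(wire) >= MIN_FRAME else None
    if mode == "store-and-forward":
        # Whole frame is buffered and its FCS verified before forwarding.
        return wire if len(wire) >= MIN_FRAME and fcs_ok(wire) else None
    raise ValueError(mode)

def sensor_view(frame) -> str:
    # Classification a capture host could make if its NIC passes error frames up.
    if frame is None:
        return "nothing"
    if len(frame) < MIN_FRAME:
        return "runt"
    return "ok" if fcs_ok(frame) else "bad-fcs"

def compare(wire: bytes) -> dict:
    modes = ("cut-through", "fragment-free", "store-and-forward")
    return {m: sensor_view(forward(wire, m)) for m in modes}

if __name__ == "__main__":
    good = build_frame(b"A" * 200)                                # constructed sample
    flipped = good[:100] + bytes([good[100] ^ 1]) + good[101:]    # one corrupted bit
    for name, wire in (("intact", good), ("collision fragment", good[:30]), ("bit error", flipped)):
        print(f"{name:20s} {compare(wire)}")
```
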