
Ethereal-users: RE: [Ethereal-users] looking to make passive tap

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Crowe, Graham GP" <Graham.Crowe@xxxxxxxxxxxxxxxxxx>
Date: Mon, 18 Apr 2005 11:11:41 +1000
I had a similar problem and ended up buying the proper tap. I would highly recommend it for layer 1 problems (ones which the switch filters out for you). Within 30 seconds of installing the tap we had figured out a problem that had been plaguing us for months.

I would be very wary of the cheap version of the tap shown on the Snort page; it breaks the Ethernet standard and could seriously degrade your connection. I might try it for a test, but would not recommend putting it on a critical link. The reason is that with a standard Ethernet cable you have your cable impedance matched to terminators on each end. In 10BASE2 the terminators were obvious, as you had to connect them manually; in 10/100/1000BASE-T the connectors are in the form of a very small transformer on the network card (or in the hub/switch) itself, usually a small plastic box-like component. The network tap on the Snort page will result in three 'terminators' being connected with a star point in the middle, which can cause signal degradation and reflections that could seriously degrade your network performance.

On the other hand, since they are publishing it on a Snort website, they must have tried it with at least some success, and so the problems may be more theoretical in most circumstances. But even so, I would strongly advise not putting it inline across a critical link.

If you were to try it, I would suggest keeping all the cable lengths to the absolute shortest possible.

As for having two lines to capture (one for each direction of the duplex link), I used two network cards in the same PC, with two instances of Ethereal doing the capturing. The results can either be viewed in two separate Ethereal windows (my preference) or merged with the "mergecap" utility that comes with Ethereal and viewed in a single Ethereal window.

The other thing I found useful was to use two NICs for capturing that keep statistics of errors (CRC, late collisions, runts, etc.), since with a network tap you will be able to see all of these. If you are going to buy the tap, it won't cost much more to get a couple of decent NICs. Or you can look at the error counters on your switches.


Hope this helps.

GC



> -----Original Message-----
> From: ethereal-users-bounces@xxxxxxxxxxxx
> [mailto:ethereal-users-bounces@xxxxxxxxxxxx]On Behalf Of Guy Harris
> Sent: Thursday, 14 April 2005 05:25
> To: Ethereal user support
> Subject: Re: [Ethereal-users] looking to make passive tap
> 
> 
> Robert P. Britton wrote:
> 
> > Does anyone have any links or documents describing how to make one of
> > these so that we can pick up on physical link errors?
> 
> The "Capture Setup/Ethernet" page on the Ethereal Wiki:
> 
> 	http://wiki.ethereal.com/CaptureSetup_2fEthernet
> 
> has a link to "Construction and Use of a Passive Ethernet Tap" on the 
> Snort Web site:
> 
> 	http://www.snort.org/docs/tap/
> 
> I have never constructed a tap, so I can't say how well those 
> directions, or the taps constructed using them, work.
> 
> Note that, as they say there, the tap won't give you both sides of a 
> full-duplex connection on one wire; the "Capture Setup/Ethernet" page 
> discusses that in the "Capture using a network tap" section.
> 
> Also note that Ethereal doesn't keep statistics on low-level errors - 
> packets with errors are probably dropped by the network adapter or by 
> the driver, so Ethereal won't see those packets.
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
> 


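The two-NIC setup in the reply above gives you one capture file per direction, and mergecap's job is to interleave them by timestamp into one trace. As an added example (not code from the post, nor from the Ethereal/Wireshark project), here is a minimal Python stand-in for `mergecap -w merged.pcap a.pcap b.pcap` run over two captures constructed in memory: a client-to-server file and a server-to-client file, as the two NICs on a tapped link would produce. The MAC addresses and payloads are made up for the example.

```python
"""Merge two one-direction captures into a single timestamp-ordered trace.

Added example, not code from the post or from the Ethereal/Wireshark project:
a minimal stand-in for `mergecap -w merged.pcap a.pcap b.pcap`, written to
show what that merge does. The captures below are constructed in memory.
"""
import heapq
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETH_HDR_LEN = 14

# Constructed locally administered MACs for the two hosts on the tapped link.
CLIENT_MAC = "020000000001"
SERVER_MAC = "020000000002"


def frame(src_mac, dst_mac, payload):
    """Build a bare Ethernet II frame: dst, src, ethertype 0x0800, payload."""
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00" + payload


def pcap_bytes(packets):
    """Serialize [(ts_sec, ts_usec, frame_bytes), ...] as a little-endian pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for sec, usec, data in packets:
        out.append(struct.pack("<IIII", sec, usec, len(data), len(data)))
        out.append(data)
    return b"".join(out)


def read_pcap(image):
    """Yield (ts_sec, ts_usec, frame_bytes) from a little-endian pcap image."""
    (magic,) = struct.unpack_from("<I", image, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic 0x%08x" % magic)
    off = 24
    while off < len(image):
        sec, usec, caplen, _origlen = struct.unpack_from("<IIII", image, off)
        off += 16
        data = image[off:off + caplen]
        if len(data) != caplen:
            raise ValueError("truncated packet record at offset %d" % off)
        off += caplen
        yield sec, usec, data


def _tagged(idx, image):
    """Tag every record of one capture with the index of the NIC it came from."""
    for sec, usec, data in read_pcap(image):
        yield sec, usec, idx, data


def merge_captures(*images):
    """k-way merge of captures that are each already in time order.

    Returns [(ts_sec, ts_usec, source_index, frame_bytes), ...] ordered by
    timestamp. source_index records which input (which NIC, i.e. which
    direction) a frame came from; a plain pcap merge would otherwise lose
    that. Ties are broken by input order, so one NIC's frames keep their order.
    """
    streams = [_tagged(idx, img) for idx, img in enumerate(images)]
    return list(heapq.merge(*streams, key=lambda rec: rec[:3]))


def payloads(merged):
    """Strip the Ethernet header so the merged order can be checked."""
    return [rec[3][ETH_HDR_LEN:] for rec in merged]


def demo():
    """Two constructed one-direction captures, as a two-NIC tap setup yields.

    Both NICs sit in the same PC, so the timestamps share one clock and can be
    compared directly; captures taken on two different hosts would first need
    their clocks aligned.
    """
    client_to_server = pcap_bytes([
        (1000, 100, frame(CLIENT_MAC, SERVER_MAC, b"SYN")),
        (1000, 300, frame(CLIENT_MAC, SERVER_MAC, b"ACK")),
        (1000, 500, frame(CLIENT_MAC, SERVER_MAC, b"GET /")),
    ])
    server_to_client = pcap_bytes([
        (1000, 200, frame(SERVER_MAC, CLIENT_MAC, b"SYN-ACK")),
        (1000, 600, frame(SERVER_MAC, CLIENT_MAC, b"200 OK")),
    ])
    merged = merge_captures(client_to_server, server_to_client)
    # A merged pcap for Ethereal/Wireshark: drop the source index again.
    merged_pcap = pcap_bytes([(s, u, d) for s, u, _i, d in merged])
    return merged, merged_pcap


if __name__ == "__main__":
    for sec, usec, src, data in demo()[0]:
        print("%d.%06d nic%d %s" % (sec, usec, src, data[ETH_HDR_LEN:].decode()))
```

The source index is the one thing worth keeping an eye on: once the two files are folded into a single classic pcap, nothing in the file says which wire a frame was seen on, and on a tapped link that is exactly what the direction tells you. Current mergecap writes pcapng by default and can keep one interface block per input file, which preserves that information; with the 2005-era libpcap output it is lost, so filter on MAC addresses instead.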
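The other point both replies make is that the capture tool never sees a frame the NIC rejected, so the only record of CRC errors, runts and similar damage is the driver's own counters. As an added example (not from the post), here is a small Python snapshot-and-diff of those counters for one interface; it assumes Linux, where the counters are exposed as files under /sys/class/net/<iface>/statistics/, and the counter names used are the standard ones from that directory. The idea is to snapshot before the capture, run the capture on the tap NICs, snapshot again, and see which error counters moved during the window.

```python
"""Snapshot a NIC's error counters around a capture window.

Added example, not from the post: the capture tool never sees frames the NIC
rejected (bad CRC, runts, ...), so the only record of them is the driver's
counters. On Linux they are exposed per interface as files under
/sys/class/net/<iface>/statistics/. Snapshot before and after the capture and
report which error counters increased.
"""
import os
import sys
import time

# Driver counters that indicate physical or framing damage rather than volume.
ERROR_COUNTERS = (
    "rx_crc_errors", "rx_frame_errors", "rx_length_errors", "rx_over_errors",
    "rx_fifo_errors", "rx_missed_errors", "rx_errors", "rx_dropped",
    "tx_errors", "tx_aborted_errors", "tx_carrier_errors", "collisions",
)


def read_counters(iface, sysfs="/sys/class/net"):
    """Read the error counters of one interface; skip ones the driver lacks."""
    base = os.path.join(sysfs, iface, "statistics")
    counters = {}
    for name in ERROR_COUNTERS:
        try:
            with open(os.path.join(base, name)) as fh:
                counters[name] = int(fh.read().strip())
        except FileNotFoundError:
            continue  # this driver does not expose that counter
    return counters


def counters_delta(before, after):
    """Counters that increased between two snapshots, as {name: increase}."""
    return {
        name: after[name] - before[name]
        for name in after
        if name in before and after[name] > before[name]
    }


def report(before, after):
    """One-line verdict for the capture window."""
    delta = counters_delta(before, after)
    if not delta:
        return "no link-level errors counted during the capture"
    return "; ".join("%s +%d" % (k, v) for k, v in sorted(delta.items()))


if __name__ == "__main__":
    # Usage: python3 nic_errors.py <iface> [seconds]; run the capture meanwhile.
    iface = sys.argv[1] if len(sys.argv) > 1 else "eth0"
    window = int(sys.argv[2]) if len(sys.argv) > 2 else 60
    before = read_counters(iface)
    time.sleep(window)
    print(iface + ": " + report(before, read_counters(iface)))
```

A non-zero delta on rx_crc_errors or rx_frame_errors during a window in which Ethereal recorded nothing unusual is the signature of the layer-1 problem the reply describes: the damaged frames reached the NIC and were dropped there, so the capture alone would never have shown them.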