Security Basics mailing list archives
RE: Port mirroring across multiple switches
From: "Hagen, Eric" <ehagen () DenverNewspaperAgency com>
Date: Fri, 5 Dec 2003 13:09:55 -0700
Without RSPAN, the only way I can think of doing it would be to connect ALL of the switches directly to the monitoring machine (with multiple NICs). You don't want to loop one switch's mirror back to the other's ports. In addition, if the mirror ports are even close to saturated with traffic, a hub will introduce collisions and bog down the switch (and likely eventually force it to drop data or turn off the mirroring).

I'm thinking you might be able to implement a "routing gateway" in front of your monitoring station... with a machine acting as a router to forward all of the packets from every segment on to a single segment without allowing any traffic loops. I'm thinking it might be possible to configure a multiport hardware router to do this, but I can't see that being the most economical means.

Careful with network loops. They're pesky and can be very hard to trace.

Eric Hagen

-----Original Message-----
From: Hasnain Atique [mailto:hatique () hasnains com]
Sent: Thursday, December 04, 2003 3:23 AM
To: security-basics () securityfocus com
Subject: Port mirroring across multiple switches

What's the best approach to port mirror traffic from multiple switches? Should I enable mirroring on one port of each switch, and then connect those ports to a hub and put my sniffer on the same hub? My ultimate objective is to collect ARP query information from all switches.

Thanks.
-- H
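Added example, not part of the original message or thread: one way the monitoring machine described above (one NIC per switch mirror port) could merge its feeds into a single list of ARP queries, recording which NICs saw each one. The NIC names, MAC addresses, IP addresses and the build_arp helper are constructed for illustration; on a live host the frames would come from a capture on each NIC instead.

```python
import socket
import struct
from collections import defaultdict

ETH_P_ARP, ETH_P_8021Q, ARP_REQUEST = 0x0806, 0x8100, 1

def parse_arp_request(frame):
    """Return (sender_mac, sender_ip, target_ip) for an ARP request, else None."""
    if len(frame) < 14:
        return None
    ethertype, offset = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == ETH_P_8021Q and len(frame) >= 18:  # skip one 802.1Q tag
        ethertype, offset = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != ETH_P_ARP or len(frame) < offset + 28:
        return None
    header = struct.unpack("!HHBBH", frame[offset:offset + 8])
    if header != (1, 0x0800, 6, 4, ARP_REQUEST):  # Ethernet/IPv4 requests only
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[offset + 8:offset + 28])
    return sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

def collect(feeds):
    """Merge (nic, frame) pairs into {query: set of NICs that saw it}."""
    seen = defaultdict(set)
    for nic, frame in feeds:
        query = parse_arp_request(frame)
        if query is not None:
            seen[query].add(nic)
    return dict(seen)

def build_arp(mac, oper, sender_ip, target_ip, vlan=None):
    """Build a constructed broadcast ARP frame for the sample data below."""
    tag = struct.pack("!HH", ETH_P_8021Q, vlan) if vlan is not None else b""
    eth = b"\xff" * 6 + mac + tag + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + mac
    arp += socket.inet_aton(sender_ip) + b"\x00" * 6 + socket.inet_aton(target_ip)
    return eth + arp

# Constructed sample: NIC names, MACs and addresses are made up for illustration.
HOST_A, HOST_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLE_FEEDS = [
    ("eth1", build_arp(HOST_A, 1, "192.0.2.10", "192.0.2.1")),
    ("eth2", build_arp(HOST_A, 1, "192.0.2.10", "192.0.2.1")),  # same query, second feed
    ("eth2", build_arp(HOST_B, 1, "192.0.2.20", "192.0.2.1", vlan=30)),
    ("eth3", build_arp(HOST_B, 2, "192.0.2.20", "192.0.2.1")),  # a reply: ignored
    ("eth3", b"\x00" * 10),                                     # truncated: ignored
]

if __name__ == "__main__":
    for (mac, src, dst), nics in collect(SAMPLE_FEEDS).items():
        print(f"{mac} {src} who-has {dst} seen on {sorted(nics)}")
```

Keying on the query rather than on the NIC keeps a request that arrives on more than one mirror feed from being counted twice.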
Current thread:
- Port mirroring across multiple switches Hasnain Atique (Dec 04)
- Re: Port mirroring across multiple switches Peter Schawacker (Dec 04)
- RE: Port mirroring across multiple switches Hasnain Atique (Dec 05)
- RE: Port mirroring across multiple switches David Gillett (Dec 05)
- RE: Port mirroring across multiple switches Hasnain Atique (Dec 05)
- RE: Port mirroring across multiple switches Tim (Dec 05)
- <Possible follow-ups>
- RE: Port mirroring across multiple switches Thomson, Stuart A. (Dec 05)
- RE: Port mirroring across multiple switches Hagen, Eric (Dec 05)
- Re: Port mirroring across multiple switches Peter Schawacker (Dec 04)