IDS mailing list archives
Re: about mirroring port
From: "Joe Magee" <lists () joemagee com>
Date: Thu, 20 Mar 2003 02:36:18 -0500
> also keep in mind port mirroring on a switch for the most part isn't perfect. I've read many places over time that if the switch's CPU gets heavily loaded it will randomly drop packets on the mirrored ports. Higher end switches may work better. Also when talking to cisco a couple years ago, I was trying to do something similar,

In practice, some of the higher end switches yielded the same results.

> was trying to mirror ports that were uplinked to other switches, not directly connected to systems, and the switch (2900xl for me at the time) does not support mirroring in such a way (which was proven to me by the lack of traffic on the mirrored ports), according to the cisco rep I talked to. not sure if higher end switches are different. I have a summit 48 here but haven't tried port mirroring on it.

For low bandwidth applications using a standard L2 switch's "SPAN" port feature may work. For multiple simultaneous copies of traffic take a look at the Top Layer IDS Balancer. It's a very mature product. I used it in my previous jobs for doing both balancing, making multiple simultaneous copies of traffic, and splicing off applications. For more on the topic check out: http://www.joemagee.com/filez/Why%20not%20use%20a%20switch.pdf

> > 1. when I set up the mirroring port, would all traffic (for example, port 2 traffic) transfer like this, or just copy the traffic to the mirroring port too?
> > (1) client --> mirroring port1 --> port 2
> > (2) client --> port 2 --> mirroring port (copy too)
>
> I think it usually just copies the traffic on the switch itself.
>
> > 2. Is there any problem when I set snort at the mirroring port if the traffic is so high (over 100~200M)?
>
> depends on the traffic. my last employer I had 2 snort sensors on 2 T1s averaging ~5% utilization. And running a full blown untuned snort got me more than 40,000 events per hour. Spending dozens of hours analyzing and tuning got it down to ~30 events/hour.
>
> > 3. do you know any commands to set up a mirroring port at a catalyst 400x (catos based) switch?
>
> not off the top of my head, been a while since I tried port mirroring on a switch.
>
> nate
Joe Magee
http://www.joemagee.com
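Question 3 in the quoted message asks for the CatOS commands and gets no answer in the thread. The following is an added example, not part of the original message: the CatOS SPAN syntax as I know it for the Catalyst 4000 family, with the module/port and VLAN numbers chosen for illustration (2/1 as the monitored port, 2/24 as the port the Snort sensor is plugged into, VLAN 10). The lines beginning with `#` are annotations, not switch input. Verify the syntax against the release notes for your CatOS version before relying on it.

```text
# Added example (not from the thread). CatOS on a Catalyst 4000-series switch.
# Assumed numbering: 2/1 = port being monitored, 2/24 = port with the Snort sensor.

# Mirror both directions (rx + tx) of port 2/1 to port 2/24.
Console> (enable) set span 2/1 2/24 both

# Mirroring a whole VLAN instead of a single port covers the "uplink to
# another switch" case from the thread, where mirroring one port showed
# no traffic. Assumed VLAN 10.
Console> (enable) set span 10 2/24 both

# Confirm the session exists and is active before trusting the sensor.
Console> (enable) show span

# Sanity check for the drop behaviour described above: the sensor port can
# only transmit at line rate, but a full-duplex source sends rx + tx, so a
# busy 100M port can hand the SPAN port up to 200M. Compare the frame
# counters: Rcv-Frms plus Xmit-Frms on 2/1 should roughly match Xmit-Frms
# on 2/24 over the same interval. A persistent shortfall on 2/24 means the
# switch is dropping mirrored frames and Snort is seeing an incomplete stream.
Console> (enable) show mac 2/1
Console> (enable) show mac 2/24

# Remove the session when the sensor is taken out.
Console> (enable) set span disable
```

The counter comparison is the practical check for nate's point: the switch will not log that it dropped mirrored frames, so the only evidence is the gap between what the source port carried and what the SPAN port transmitted. On an IOS-based switch such as the 2900XL the equivalent is configured per interface (`port monitor`) and on later IOS releases with `monitor session`, but the oversubscription arithmetic is the same.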