Re: Hub not a hub

[Ryan Russell <ryan () securityfocus com>]

On Tue, 5 Jun 2001, Eric Budke wrote:

> My impression (and I haven't written down brand names in the past) is that
> most of the 10/100 hubs do this minor bit of switching.

There must be a bridge between the two different speeds.  These are
usually two repeated segements with a 2 port bridge in-between.  In order
to keep the 100Mb side from swamping the 10Mb side, they are smart
bridges, meaning they will do the MAC learning and filtering, so you wont'
be able to monitor the traffic on one segment from the other.

> I've blamed it on
> the 10/100ness of it. Most all 10M hubs I've used do the bridging. And I
> don't have anything straight 100M which I would assume would bridge as well.

You can find straight 10 or 100 repeaters, they're just less common now.
Anything that mixes the two, or is labelled "switch" will have a bridging
feature which will interfere with Snort monitoring to some degree.

                                Ryan


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users