Snort mailing list archives
When is a hub not a hub? (AuthReply)
From: "Jonathan G. Lampe" <jonathan () stdnet com>
Date: Tue, 5 Jun 2001 18:54:50 -0500
Hi - Jonathan again - back with some results of my informal hub survey. Here's what I have learned:

* * * General Information * * *

Cisco switches (and others?) can be set to repeat traffic received on and sent on specific ports to certain other ports. (This process is called "spanning".) If you span all your ports, you can in theory collect all the traffic passing through the switch. In practice you are limited by an aggregate switch traffic level which will exceed the speed of the monitoring port at a certain point.

Certain "smart hubs" allow you to set up a "promiscuous" or "mirror" port to which all traffic going through the device is repeated.

"Auto-Sensing" hubs are like a 10Mb and 100Mb hub with a bridge/switch between. All the 100Mb devices are on one segment, all the 10Mb on another. Using SNORT to monitor both 10Mb and 100Mb network segments from the same hub may indeed be difficult because to keep the 100Mb side from swamping the 10Mb side, the hub needs to perform some degree of MAC learning and filtering.

Many hubs do things above and beyond wire swapping when you plug into their "uplink" ports - try using a plain old crossover cable to bypass the uplink port if you have problems.

* * * Product Recommendations * * *

The Cabletron MR9T hub allows someone to hook up to 8 SNORT sensors (9 total ports) to the device.

The Netgear DS108 hub ($70?) is an auto-sensing, repeating hub and works great with SNORT.

Newer LinkSys "Workgroup Hubs" (the blue ones) are really switched and DO NOT work well with SNORT.

Older LinkSys "Workgroup Hubs" (the grey ones with the orange arrow) are really repeating hubs and work great with SNORT if you use a crossover cable to bypass the uplink port.

* * * My Solution To The Original Problem * * *

Here's the network picture:

    ----Hub#1(OK)-----(network I want to monitor)
          |
       LinkSys
       /  |  \
    SNORT SNORT SNORT

(original problem) I purchased a new (and cheap - $40) LinkSys hub for my new SNORT sensor array. I unplugged the cable from my existing SNORT sensor and plugged it back into the uplink port of my new hub. Then I plugged in my old SNORT sensor and a couple of its twins to the hub. IP traffic flowed very well, but no SNORT sensor could see the traffic to/from any other SNORT sensor or the traffic from the network I really wanted to monitor. At this point I knew someone was switching.

(solution) I found an older LinkSys hub in my office and replaced the new one with the old one. At this point the various SNORTS could see each other but still couldn't see traffic on the rest of my network. Finally I cut a crossover cable and bypassed the older LinkSys hub's uplink port. Now everything worked as advertised.

(...and before you ask, the entire network was always 100% 100Mb and I made no changes at any point to the network I wanted to monitor or Hub#1.)

* * * Thanks to... * * *

Ron T., Colin W., John L., Paul H., Jonah K., Eric B., Ryan R., Nelson R.

* * * Posted by... * * *

Jonathan G. Lampe, Standard Networks, Inc., jonathan () stdnet com
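One way to check from the sensor itself whether a "hub" port is really repeating traffic, as the post found it was not: classify the destination of every frame in a capture and see whether any unicast traffic between other hosts arrived. This is an added example, not part of the original post; the MAC addresses, sample frames, helper names and the 5% threshold are constructed assumptions.

```python
import struct

def read_pcap_frames(data):
    """Yield raw Ethernet frames from classic (non-pcapng) pcap bytes."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    offset = 24
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[offset + 8:offset + 12])[0]
        yield data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len

def visibility(frames, sensor_mac):
    """Classify frames by whether a switched port would have delivered them."""
    counts = {"own": 0, "flooded": 0, "foreign_unicast": 0}
    for frame in frames:
        if len(frame) < 14:
            continue  # too short to hold an Ethernet header
        dst, src = frame[0:6], frame[6:12]
        if dst[0] & 1:
            counts["flooded"] += 1  # broadcast/multicast reaches every port
        elif sensor_mac in (dst, src):
            counts["own"] += 1  # the sensor's own conversations
        else:
            counts["foreign_unicast"] += 1  # only a repeating port shows these
    return counts

def port_is_repeating(counts, min_share=0.05):
    """A switch floods the odd unknown-destination frame, so require a share."""
    total = sum(counts.values())
    return total > 0 and counts["foreign_unicast"] / total >= min_share

# Constructed sample data: locally administered MACs, zero-filled payloads.
SENSOR, HOST_A, HOST_B = (bytes.fromhex("02000000000%d" % n) for n in (1, 2, 3))

def frame(dst, src):
    return dst + src + b"\x08\x00" + bytes(46)

def to_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SWITCHED = to_pcap([frame(b"\xff" * 6, HOST_A), frame(SENSOR, HOST_A)])
REPEATED = to_pcap([frame(b"\xff" * 6, HOST_A), frame(HOST_B, HOST_A),
                    frame(HOST_A, HOST_B), frame(SENSOR, HOST_A)])
```

The capture has to be taken with the sensor's interface in promiscuous mode; otherwise the NIC drops foreign unicast frames itself and every port looks switched.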