Snort mailing list archives
RE: Hub not a hub
From: "Mayers, Philip J" <p.mayers () ic ac uk>
Date: Wed, 6 Jun 2001 10:39:07 +0100
I *have* to correct this (mainly because it's totally incorrect :o) - on most good switches, the uplink port is usually just a faster port (100 as opposed to 10, 1gig as opposed to 100) and it works just like any other switch port - only traffic for the MAC addresses specified goes out of it. You can nominate uplink ports as "all unknown" on some switches, which will turn off MAC learning on the uplink port and then send all unknown traffic out that port, but that won't work here - the MAC address of the snorted boxen will be learnt on whatever port you plug into, or not if it's the uplink port but then it won't be forwarded. The best bet with switches is to use a real monitor port, or put static MAC address entries for the monitored boxen on multiple ports - we used to use the latter, but we're on a span port now for ease of configuration. Regards, Phil +----------------------------------+ | Phil Mayers, Network Support | | Centre for Computing Services | | Imperial College | +----------------------------------+ -----Original Message----- From: Mike Johnson [mailto:mike () enoch org] Sent: 06 June 2001 02:33 To: snort-users () lists sourceforge net Subject: Re: [Snort-users] Hub not a hub Just to chime in on this topic, remember that anything with an uplink port will repeat all traffic through that port. So, any traffic that goes through any of the ports will be repeated through that port, switch or no. So, plug your snort box in there, and you'll get to see all your traffic. Er, at least, in my experience. Gotta have the disclaimer. Mike -- If at first you don't succeed, destroy all evidence that you tried -- unknown _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Hub not a hub Eric Budke (Jun 05)
- Re: Hub not a hub Ryan Russell (Jun 05)
- Re: Hub not a hub Mike Johnson (Jun 05)
- <Possible follow-ups>
- RE: Hub not a hub Mayers, Philip J (Jun 06)
- Is there a complete PORT list online? ®}§ÓµØ (Jun 06)
- Re: Hub not a hub Ryan Russell (Jun 05)