Snort mailing list archives

Re: Is it really a HUB?


From: "Marc Quibell" <mquibell () fbfs com>
Date: Tue, 28 Oct 2003 16:26:01 -0600



I believe what I am saying is close to what you are saying. In your example,
where the MAC address is unknown, the switch will only learn the MAC address if
it is first transmitted by the computer. The MAC is then learned and kept in the
MAC table until the cache times out, if it does at all.

I'm thinking that what happens is that if a MAC is not in the cache, the switch
broadcasts the traffic. I'm thinking that it is very rare for a MAC address to
not be in a MAC table, since usually all computers must transmit something first
before receiving. What with DHCP, NetBIOS, DNS, WINS... etc. updating... etc.

Based on this, the box that is "listening" will only receive initial
MAC-broadcasts, and other switch-related traffic such as 802.1q stuff, ARP
who-has'es, not any real usable data. At least this is how I understand your
question. I hope I understand it right...

Cheese!

Marc





ktk () enterprise bidmc harvard edu on 10/28/2003 03:11:26 PM

To:   snort-users () lists sourceforge net
cc:   Marc Quibell/FBFS@FBFS

Subject:  Re: [Snort-users] Is it really a HUB?



Marc Quibell wrote:

as long as one keeps one's box from transmitting
any data, the hub/switch will not learn its MAC address, and should send
it everything.

Actually, it will send it nothing at all....



Thanks, but that doesn't really explain what is (or is not) going on.
In particular, it still leaves questions in my head as to the ability of
plugging several of these mini switches together to add ports.  Since
they are not configurable as to network address space, they have no ARP,
merely passively listening to learn MAC addresses (typically stored in a
2K entry table) and routing based on that.  I think its algorithm is
pretty simple: when a packet arrives on some port, note the MAC address
in the table; when sending a packet to a MAC address in the table, send
directly to the port number listed; if no entry exists in the table for
the packet, send to all but the originating port.  Broadcast packets go
to all ports because no single interface sends a packet with the
wildcard ff:ff:ff:ff:ff:ff as its source MAC.  Since one can plug these
devices into a large network with more unique MAC addresses than will
fit in the table, there is no way the device could refuse to send
packets prior to learning each and every MAC.

Am I missing something here?  If so, prithee, what?

Kris
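
The forwarding rule discussed in this thread (learn the source MAC, send known unicast to one port, flood broadcast and unknown destinations) can be simulated to see what a port that never transmits actually receives. This is an added example, not part of either message; the class and function names, the port layout and the sample frames are assumptions made for illustration, and table aging and table size limits are not modelled.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Transparent bridge: learn source MACs, forward known unicast, flood the rest."""

    def __init__(self, num_ports):
        self.ports = range(num_ports)
        self.table = {}  # source MAC -> port it was last seen on

    def receive(self, in_port, src, dst):
        """Process one frame and return the list of ports it is sent out of."""
        self.table[src] = in_port  # learning happens only from source addresses
        if dst != BROADCAST and dst in self.table:
            out = self.table[dst]
            return [] if out == in_port else [out]  # known unicast: one port only
        # Broadcast or unknown destination: every port except the ingress one.
        return [p for p in self.ports if p != in_port]


def sensor_view(frames, num_ports=4, sensor_port=3):
    """Return labels of the frames delivered to a port that never transmits."""
    switch = LearningSwitch(num_ports)
    return [label for in_port, src, dst, label in frames
            if sensor_port in switch.receive(in_port, src, dst)]


# Constructed sample traffic: host A on port 0, host B on port 1, and C,
# an address that never transmits. Port 3 is the silent listening box.
A, B, C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
FRAMES = [
    (0, A, BROADCAST, "ARP who-has B"),
    (1, B, A, "ARP reply"),
    (0, A, B, "A->B data"),
    (1, B, A, "B->A data"),
    (0, A, C, "A->C data, C unknown"),
]

if __name__ == "__main__":
    for label in sensor_view(FRAMES):
        print("sensor saw:", label)
```

In this model the silent port receives the broadcast and the frame addressed to a MAC the switch has not learned, but none of the A/B conversation once both hosts have transmitted.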






