Snort mailing list archives

Re: switch-uplink?


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 15 Nov 2004 15:12:42 -0500

At 01:21 PM 11/15/2004, Elmar Bschorer wrote:
hello list,

i tried to sniff all traffic in a network-segment with my sensor.
therefore i connected the sensor to the uplink port of my netgear fs105.

i tried the following:
$ ifconfig eth0 promisc

when i run "tcpdump -i eth0" on the sensor now, i get no output.
does anyone have any experience with this type of switch - or am i doing
something wrong?

You don't need an uplink port. You need a true managed switch with span port capability.

An uplink port is really intended for when you want to cascade two switches into each other. Think of it as a port with a built-in equivalent of a "null modem" adapter so you can connect it to a normal switch port. This has nothing to do with what traffic goes to the port, it's just got the TX and RX pairs reversed.

If you've got an inexpensive unmanaged switch, you're mostly out of luck for a good sniffing option without replacing the switch. In general the options for network tapping are:

1) use macof to flood the switch. Free, but degrades switch performance severely and isn't 100% reliable
2) replace the switch with a 10mbps passive hub. Inexpensive, but very slow.
3) build or buy a passive tap. Cheap if you build your own, but requires 2 NICs on your box and you need to bond interfaces using your OS.
4) buy a managed switch. Easy, reliable, but can be pricey (a few hundred dollars at least)
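
A check that fits the point above about which traffic a switch actually sends to a port, as an added example that is not part of the original post: it classifies `tcpdump -e -n` lines to tell an ordinary switch port from a span port or tap. The MAC addresses, the sample lines and the `min_share` threshold are constructed assumptions.

```python
import re
from collections import Counter

# Link-layer header as printed by `tcpdump -e -n`: "<time> <src MAC> > <dst MAC>, ..."
MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
FRAME = re.compile(r"^\S+ " + MAC + " > " + MAC + ",")

def classify(lines, sensor_mac):
    """Count frames by why the switch delivered them to the sensor's port."""
    counts = Counter()
    for line in lines:
        m = FRAME.match(line.strip().lower())
        if not m:
            continue  # not a frame line (banner, wrapped payload, ...)
        src, dst = m.groups()
        if int(dst[:2], 16) & 1:
            counts["flooded"] += 1      # broadcast/multicast: every port gets these
        elif sensor_mac.lower() in (src, dst):
            counts["own"] += 1          # the sensor's own conversations
        else:
            counts["third_party"] += 1  # unicast between other hosts
    return counts

def sees_segment(counts, min_share=0.2):
    """True if third-party unicast is a real share of the capture.
    min_share is an assumed threshold: a switch that has not yet learned a
    destination MAC floods a few such frames even to an ordinary port."""
    total = sum(counts.values())
    return total > 0 and counts["third_party"] / total >= min_share

SENSOR = "00:00:5e:00:53:01"
# Constructed sample captures (documentation MAC and IP ranges), not real traffic.
ORDINARY_PORT = """\
15:12:42.100 00:00:5e:00:53:10 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.1 tell 192.0.2.10, length 46
15:12:42.200 00:00:5e:00:53:01 > 00:00:5e:00:53:fe, ethertype IPv4 (0x0800), length 74: 192.0.2.5.40000 > 192.0.2.1.53: UDP, length 32
15:12:42.300 00:00:5e:00:53:10 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 87: 192.0.2.10.5353 > 224.0.0.251.5353: UDP, length 45
""".splitlines()
MIRROR_PORT = ORDINARY_PORT[:2] + """\
15:12:43.100 00:00:5e:00:53:10 > 00:00:5e:00:53:20, ethertype IPv4 (0x0800), length 74: 192.0.2.10.51000 > 192.0.2.20.80: Flags [S], length 0
15:12:43.200 00:00:5e:00:53:20 > 00:00:5e:00:53:10, ethertype IPv4 (0x0800), length 74: 192.0.2.20.80 > 192.0.2.10.51000: Flags [S.], length 0
15:12:43.300 00:00:5e:00:53:10 > 00:00:5e:00:53:20, ethertype IPv4 (0x0800), length 66: 192.0.2.10.51000 > 192.0.2.20.80: Flags [.], length 0
""".splitlines()

if __name__ == "__main__":
    for name, cap in (("ordinary port", ORDINARY_PORT), ("mirror port", MIRROR_PORT)):
        c = classify(cap, SENSOR)
        print(name, dict(c), "sees segment:", sees_segment(c))
```

A capture with only flooded and own frames means the sensor sits on an ordinary switch port, whatever the promiscuous-mode setting of the interface.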


