Snort mailing list archives
Re: Hub recommendations
From: Rich Adamson <radamson () routers com>
Date: Wed, 1 Dec 2004 11:07:32 -0600
I have 3 separate SPAN ports on Cisco switches feeding traffic to a soho Netgear 8 port hub, which I then connect to my IDS as well as other network analysis boxes. I'm having a problem where one of my SPAN ports gets errDisabled because of too many collisions coming back from the hub. This isn't a big surprise because the hub is now seeing an average of 5000 packets per sec.
Dump the hub approach and go get another cisco switch. Even an old Cisco 2924XML has the capability of multiple port mirrors; use all the time. And before the anti-cisco bigots jump in, one still needs to consider the volume of traffic expected through the mirror/span as it is not that hard to generate more traffic then what the sniffing port can handle. E.g., if you mirror a 100 meg full duplex port to another 100 meg port (where snort resides as an example), that 100 meg full duplex mirrored port is fully capable of trying to jam 200 meg of data down that snort port (which obviously can't handle it, dropping packets); do that with three mirrored ports and you're approaching 600 meg being jammed down the throat of a 100 meg snort port. One really needs to think in terms of what the maximum instantanous traffic might be (knowing full well that layer-2 switches have only very minimum buffers), regardless of which company manufacturered the switch. As a side note, placing a hub in the middle of a high volume ethernet link will create a significant preformance hit. Lots of well documented studies (from the last 15 years) will tell you that a half-duplex (hub) port is limited to about 25% utilitization before performance is truly impacted, whereas full duplex switch ports are truly capable of operating at 95+% utilization before performance becomes an issue. Rich ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://productguide.itmanagersjournal.com/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Hub recommendations Matt Van Mater (Dec 01)
- Re: Hub recommendations Rich Adamson (Dec 01)
- Re: Hub recommendations Matt Van Mater (Dec 01)
- Re: Hub recommendations Matt Van Mater (Dec 01)
- Re: Hub recommendations Shane Williams (Dec 02)
- Re: Hub recommendations Matt Van Mater (Dec 02)
- Re: Hub recommendations Matt Van Mater (Dec 02)
- RE: Hub recommendations Joe Patterson (Dec 02)
- Re: Hub recommendations Matt Van Mater (Dec 01)
- Re: Hub recommendations Rich Adamson (Dec 01)
- <Possible follow-ups>
- Re: Hub recommendations Richard Bejtlich (Dec 01)
- RE: Hub recommendations Basselgia, Barry A Mr (NAF Atsugi) (Dec 02)
- RE: Hub recommendations Shane Williams (Dec 03)