Snort mailing list archives
Re: SPAN groups and network taps
From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Thu, 21 May 2009 11:12:36 -0600
Typically how are people setting up their snort machines with network taps? One tap per link you want to monitor into one NIC on the snort machine? Any recommendations on hardware and techniques to accomplish tapping 4 1GB links into one Snort sensor, minimizing the amount of NICs required on the snort sensor? ________________________________ From: David Thomason [mailto:david () thomasontech com] Sent: May 21, 2009 9:39 AM To: Jefferson, Shawn Cc: David Thomason; snort-users () lists sourceforge net Subject: Re: [Snort-users] SPAN groups and network taps That is two per switch. You can have a total of two full duplex, (RX/TX) SPAN ports per switch or four half duplex, (2 x RX only + 2 x TX only) SPAN ports. David Thomason Thomason Technologies, LLC On May 21, 2009, at 10:51 AM, Jefferson, Shawn wrote: Hi, So when you say two full duplex span ports, does that mean two full duplex SOURCE ports, and is that two per switch, or per span group? I have 4 ports that I want to mirror to one port that snort watches-currently that only one of those ports is setup as full duplex, the others are received traffic only. The total aggregated bandwidth is less than 1GB for the four ports. Depending on whether the 6500 can actually support more than 2 full duplex span ports per switch will change what I'll need in the way of network taps/port aggregator devices, I think. ________________________________ From: David Thomason [mailto:david () thomasontech com] Sent: May 20, 2009 5:51 PM To: Jefferson, Shawn Cc: David Thomason Subject: Re: [Snort-users] SPAN groups and network taps Sean, I'm not an expert when it comes to Cisco, but I do know that the 6500 can support two full duplex span ports. As far as limitations, that really depends on how much traffic you are sending to SPAN port. It is possible to overflow a 1G Span port with more than 1G of data. In this case the switch starts dropping packets to the Span port. The span port gets the lowest priority of service, but overflowing the SPAN port can impact performance on the entire switch. ------------------------------------------------------------------------------ Register Now for Creativity and Technology (CaT), June 3rd, NYC. CaT is a gathering of tech-side developers & brand creativity professionals. Meet the minds behind Google Creative Lab, Visual Complexity, Processing, & iPhoneDevCamp asthey present alongside digital heavyweights like Barbarian Group, R/GA, & Big Spaceship. http://www.creativitycat.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------ Register Now for Creativity and Technology (CaT), June 3rd, NYC. CaT is a gathering of tech-side developers & brand creativity professionals. Meet the minds behind Google Creative Lab, Visual Complexity, Processing, & iPhoneDevCamp asthey present alongside digital heavyweights like Barbarian Group, R/GA, & Big Spaceship. http://www.creativitycat.com
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- SPAN groups and network taps Jefferson, Shawn (May 20)
- Message not available
- Re: SPAN groups and network taps Jefferson, Shawn (May 21)
- Message not available
- Re: SPAN groups and network taps Jefferson, Shawn (May 21)
- Re: SPAN groups and network taps Jefferson, Shawn (May 21)
- Message not available