Security Basics mailing list archives

RE: Port mirroring across multiple switches


From: "Hagen, Eric" <ehagen () DenverNewspaperAgency com>
Date: Fri, 5 Dec 2003 13:09:55 -0700

Without RSPAN, the only way I can think of doing it would be to connect ALL
of the switches directly to the monitoring machine (with multiple NICs).
You don't want to loop one switch's mirror back to the other's ports.  In
addition, if the mirror ports are even close to saturated with traffic, a
hub will introduce collisions and bog down the switch (and likely
eventually force it to drop data or turn off the mirroring).

I'm thinking you might be able to implement a "routing gateway" in front of
your monitoring station... with a machine acting as a router to forward all
of the packets from every segment on to a single segment without allowing
any traffic loops.  I'm thinking it might be possible to configure a
multiport hardware router to do this, but I can't see that being the most
economical means.

Careful with network loops.  They're pesky and can be very hard to trace.  

Eric Hagen


-----Original Message-----
From: Hasnain Atique [mailto:hatique () hasnains com]
Sent: Thursday, December 04, 2003 3:23 AM
To: security-basics () securityfocus com
Subject: Port mirroring across multiple switches



What's the best approach to port mirror traffic from multiple switches?
Should I enable mirroring on one port of each switch, and then connect
those ports to a hub and put my sniffer on the same hub? 

My ultimate objective is to collect ARP query information from all
switches. 

Thanks.

-- H
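
The multi-NIC layout Eric describes, as an added example that is not part of the original thread: the monitoring host has one NIC per switch mirror port, reads ARP frames from each, and keeps a table of who is asking for whom, keyed by the interface (and so the switch) each request arrived on. The interface names, the MAC and IP addresses and the sample frames are constructed for illustration; `collect()` and `parse_arp_request()` are names chosen here, not a tool from the thread.

```python
"""Collect ARP requests from several switch mirror ports on one monitoring host.

Added example, not code from the original thread.  It assumes the layout Eric
describes: one NIC per switch mirror port, all on the monitoring machine, with
no hub between them.  Interface names (eth1, eth2), addresses and the sample
frames below are constructed for illustration.
"""
import socket
import struct
from collections import Counter, defaultdict

ETH_P_ARP = 0x0806      # EtherType for ARP
ARP_REQUEST = 1         # ARP opcode for "who-has"
ETH_HDR_LEN = 14
ARP_IPV4_LEN = 28


def parse_arp_request(frame: bytes):
    """Return (sender_mac, sender_ip, target_ip) for an Ethernet/IPv4 ARP
    request, or None for anything else (non-ARP, ARP replies, runt frames)."""
    if len(frame) < ETH_HDR_LEN + ARP_IPV4_LEN:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack_from("!HHBBH", frame, ETH_HDR_LEN)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper != ARP_REQUEST:
        return None
    sha = frame[22:28]          # sender hardware address
    spa = frame[28:32]          # sender protocol (IPv4) address
    tpa = frame[38:42]          # target protocol address being asked for
    return sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Construct a broadcast ARP request frame.  Used here only to make sample
    input; a real deployment receives frames from the mirror ports."""
    src = bytes.fromhex(sender_mac.replace(":", ""))
    eth = b"\xff" * 6 + src + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += src + socket.inet_aton(sender_ip) + b"\x00" * 6 + socket.inet_aton(target_ip)
    return eth + arp


def collect(frames):
    """Aggregate (iface, frame) pairs into
    {(sender_mac, sender_ip, target_ip): {iface: count, ...}}.
    The interface a request arrived on identifies the switch whose mirror
    port delivered it.  A broadcast that crosses the inter-switch link is
    legitimately seen on both mirror ports; a count that keeps climbing for
    the same request is worth investigating as looped mirror traffic."""
    table = defaultdict(Counter)
    for iface, frame in frames:
        parsed = parse_arp_request(frame)
        if parsed is not None:
            table[parsed][iface] += 1
    return {key: dict(seen) for key, seen in table.items()}


def capture(ifaces, handler):
    """Live mode: one raw socket per mirror-port NIC, ARP EtherType only.
    Linux AF_PACKET, needs CAP_NET_RAW; never called on import."""
    import select
    socks = {}
    for name in ifaces:
        s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
        s.bind((name, 0))
        socks[s] = name
    while True:
        ready, _, _ = select.select(list(socks), [], [])
        for s in ready:
            handler(socks[s], s.recv(65535))


# Constructed sample: switch A is mirrored to eth1, switch B to eth2.  The
# first host's broadcast crossed the trunk and is seen on both; the last
# frame is IPv4 and is ignored by the parser.
SAMPLE_FRAMES = [
    ("eth1", build_arp_request("00:11:22:33:44:55", "10.0.0.5", "10.0.0.1")),
    ("eth2", build_arp_request("66:77:88:99:aa:bb", "10.0.1.7", "10.0.1.1")),
    ("eth2", build_arp_request("00:11:22:33:44:55", "10.0.0.5", "10.0.0.1")),
    ("eth1", b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + b"\x45" + b"\x00" * 27),
]

if __name__ == "__main__":
    table = collect(SAMPLE_FRAMES)
    for (mac, sip, tip), seen in sorted(table.items()):
        print(f"{mac} ({sip}) asks for {tip}  seen on {seen}")
    # For live use on the monitoring host (assumed interface names):
    # capture(["eth1", "eth2"], lambda iface, frame: print(iface, parse_arp_request(frame)))
```

Because each mirror port lands on its own NIC, the host never forwards frames between them, so nothing mirrored from one switch can re-enter another; that is the property the hub approach in the original question loses.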



