When is a hub not a hub? (AuthReply)

["Jonathan G. Lampe" <jonathan () stdnet com>]

Hi - Jonathan again - back with some results of my informal hub survey.
Here's what I have learned:

* * * General Information * * *

Cisco switches (and others?) can be set to repeat traffic received on and
sent on specific ports to certain other ports.  (This process is called
"spanning".)  If you span all your ports, you can in theory collect all the
traffic passing through the switch.  In practice you are limited by an
aggregate switch traffic level which will exceed the speed of the monitoring
port at a certain point.

Certain "smart hubs" allow you to set up a "promiscuous" or "mirror" port to
which all traffic going through the device is repeated.

"Auto-Sensing" hubs are like a 10Mb and 100Mb hub with a bridge/switch
between.  All the 100Mb devices are on one segment, all the 10MB on another.
Using SNORT to monitor both 10Mb and 100Mb network segments from the same
hub may indeed be difficult because to keep the 100Mb side from swamping the
10Mb side, the hub needs to perform some degreee of MAC learning and
filtering.

Many hubs do things above and beyond wire swapping when you plug into their
"uplink" ports - try using a plain old crossover cable to bypass the uplink
port if you have problems.

* * * Product Recommendations * * *

The Cabletron MR9T hub allows someone to hook up to 8 SNORT sensors (9 total
ports) to the device.

The Netgear DS108 hub ($70?) is an auto-sensing, repeating hub and works
great with SNORT.

Newer LinkSys "Workgroup Hubs" (the blue ones) are really switched and DO
NOT work well with SNORT.  Older LinkSys "Workgroup Hubs" (the grey ones
with the orange arrow) are really repeating hubs and work great with SNORT
if you use a crossover cable to bypass the uplink port.

* * * My Solution To The Original Problem * * *

Here's the network picture:
----Hub#1(OK)-----(network I want to monitor)
       |
     LinkSys
   /    |    \
SNORT SNORT SNORT

(original problem)

I purchased a new (and cheap - $40) LinkSys hub for my new SNORT sensor
array.  I unplugged the cable from my existing SNORT sensor and plugged it
back into the uplink port of my new hub.  Then I plugged in my old SNORT
sensor and a couple of its twins to the hub.  IP traffic flowed very well,
but no SNORT sensor could see the traffic to/from any other SNORT sensor or
the traffic from the network I really wanted to monitor.  At this point I
knew someone was switching.

(solution)

I found an older LinkSys hub in my office and replaced the new one with the
old one.  At this point the various SNORTS could see each other but still
couldn't see traffic on the rest of my network.  Finally I cut a crossover
cable and bypassed the older LinkSys hub's uplink port.  Now everything
worked as advertised.

(...and before you ask, the entire network was always 100% 100Mb and I made
no changes at any point to the network I wanted to monitor or Hub#1.)

* * * Thanks to... * * *
Ron T., Colin W., John L., Paul H., Jonah K., Eric B., Ryan R., Nelson R.

* * * Posted by... * * *
Jonathan G. Lampe, Standard Networks, Inc., jonathan () stdnet com



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users