Snort mailing list archives

Re: FAQ 10/100 Hubs Block Other Speed Traffic


From: stefmit () starband net
Date: Wed, 8 Aug 2001 17:40:16 -0500

Great descriptions - just to throw in a "minor" thing: if you deal with 
full duplex on a switched port, only a tap would save you - have 
successfully used Shomiti's ones on 100MB FD ports, and used two 
Snort instances, capturing traffic on both directions. Port mirroring 
didn't work in that case ...

Stef

On 8 Aug 2001, at 18:07, Jim Hankins wrote:


Many hubs have different back planes, i.e. one for 10, one for 100.

From a definition standpoint, a hub segment whether it be 10 or 100 is
a single broadcast/collision domain.  You will not see ANY traffic
between segments without a bridge or layer3 route function between
them.

In a switched environment, typically each port is a separate collision
domain but one big broadcast domain.  VLANs can be created in some to
separate into separate broadcast domains and some have built in layer
3 functionality which basically connects a router into the backplane
so that it can route between vlans at wire speed.

Think of a switch as a bridge with many ports.  (that's what it is).  
Some switches support port mirroring or span ports.  When you want to
"sniff" frames in a switched environment (beyond just
broadcast/multicast traffic) you need to be able to "see" the unicast
traffic (telnet,http for example).  You set up a port to mirror
traffic from the ports that have the devices you're interested in to the
port you have your analysis device plugged into.  Without doing so,
you don't see the unicast conversations because the traffic is getting
"switched" across the backplane so pc on port 1 talks to server on
port 2 and no other ports get this traffic. If server on port 2
broadcasts or multicasts, the information is flooded out all ports. 
(multicast can be controlled on some switches so only those ports that
have listening stations get the traffic.  Not all switches have these
capabilities.)

Hope I didn't confuse the issue or miss the point.  An excellent book
on the topic is Interconnections by Radia Perlman. (Bridges and
Routers).

Best Regards,

Jim Hankins
Systems Engineer
Cisco Systems
<snip>
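
Added example (not part of the original thread, and not Snort or vendor code): a small Python model of the forwarding behaviour described above, showing what a sensor on a spare switch port sees with and without a mirror port. Port numbers, MAC addresses and frame labels are constructed sample values; flooding of unicast frames to a not-yet-learned address is standard bridge behaviour that goes slightly beyond the text.

```python
# Added example: learning switch (a multiport bridge) with an optional mirror port.
# All ports, MACs and frame labels are constructed sample values.
BROADCAST = "ff:ff:ff:ff:ff:ff"
PC, SRV = "00:00:00:00:00:01", "00:00:00:00:00:02"

class Switch:
    def __init__(self, ports, mirror_src=(), mirror_dst=None):
        self.ports = set(ports)
        self.mac_table = {}                # learned MAC address -> port
        self.mirror_src = set(mirror_src)  # ports whose traffic is copied
        self.mirror_dst = mirror_dst       # port the analysis device is on

    def forward(self, in_port, src, dst):
        """Return the set of ports this frame is sent out of."""
        self.mac_table[src] = in_port      # learn where the sender lives
        group = int(dst.split(":")[0], 16) & 1   # broadcast/multicast bit
        if group or dst not in self.mac_table:
            out = self.ports - {in_port}   # flooded out all other ports
        else:
            out = {self.mac_table[dst]} - {in_port}  # switched to one port
        # Mirroring: copy anything entering or leaving a monitored port.
        if self.mirror_dst is not None and self.mirror_src & (out | {in_port}):
            out = out | {self.mirror_dst}
        return out

def sensor_view(switch, frames, sensor_port):
    """Labels of the frames delivered to the sensor's port, in order."""
    return [label for in_port, src, dst, label in frames
            if sensor_port in switch.forward(in_port, src, dst)]

# PC on port 1 talks to server on port 2; the sensor sits on port 3.
FRAMES = [
    (1, PC, BROADCAST, "arp-request"),    # broadcast
    (2, SRV, PC, "arp-reply"),            # unicast
    (1, PC, SRV, "http-request"),         # unicast
    (2, SRV, PC, "http-response"),        # unicast
]

if __name__ == "__main__":
    plain = Switch(ports=[1, 2, 3, 4])
    mirrored = Switch(ports=[1, 2, 3, 4], mirror_src=[1, 2], mirror_dst=3)
    print("no mirror :", sensor_view(plain, FRAMES, 3))
    print("mirror 1,2:", sensor_view(mirrored, FRAMES, 3))
```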
