Snort mailing list archives

Re: [fw-wiz] Sniffing on switched network


From: Roelof JT Jonkman <roel () SiliconDefense com>
Date: Wed, 09 Jan 2002 12:27:21 -0800

Pierre,

.. snip

   As far as the SuperStack is concerned, it seems it can only do this for
one port (and not for all ports of the switch), and the "monitored" port and
the "analyzing" one must be on the same physical switch.

.. snip

Correct, you can only tie the 'Roving Analysis Port' (3Com speak for port
mirroring) to one port, and not the backplane.

The solution is to make sure you pick the port that is the egress/ingress of
the switch, so you see all the traffic that is coming and going. However,
your situation is far more complicated due to the stacking, and as such
you can really only observe the ingress/egress of the entire stack.

   Has any of you met this kind of need/switch config? How did you solve
it (other than changing switches to hubs, which could be done as a last resort,
but I would prefer not to touch the physical components if possible)?
   Thanks,

The best solution is to tie the Roving Analysis Port to the port
that uplinks to the router/firewall; that way you catch any of the traffic
that is inbound/outbound at least. Another slight variation is to break the
stack, and use a regular 100BaseT connection between the two sub-stacks, and
tie the Roving Analysis Port to that. (Segregate the systems that you want
to monitor specifically with respect to the systems on the other stack.)

Another thing on these boxes is to keep firmware up to date; they have
quite a few quirks, particularly with regard to multicast traffic.

Hope this helps you a little.....

Roel Jonkman
http://www.SiliconDefense.com


