Snort mailing list archives

RE: Snort in a switched environment

From: Matt Yackley <Matt.Yackley () perkinswill com>
Date: Tue, 14 May 2002 10:41:45 -0500

The trouble with a switch is that it stores MAC address in a table for each
port and will only send data to the specific port that is the destination,
the execptions are broadcast traffic and perhaps when a new device is placed
on the network.  A way around the problem is if the switch handles port
mirroring, you can mirror traffic from selected ports to a port that you
specfiy as the monitoring port.  Check the user manual that came with the
switch to see if it supports port mirroring.

Matt

-----Original Message-----
From: Bastian Ballmann [mailto:ballmann () co-de de]
Sent: Tuesday, May 14, 2002 10:20 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort in a switched environment


Hello!
Is it possible to run Snort in a switched environment? Cause Snort can only 
sniff the traffic of the host he is running on. Unless he is doing something

like ARP poisoning or something like this...
But I think this would lead into trouble if you run the arpspoof
preprocessor 
;)
Greets

Bastian Ballmann
-- 
Bastian Ballmann [ ballmann () co-de de ]
@ Computational Design GmbH
[ http://www.co-de.de ]

_______________________________________________________________

Have big pipes? SourceForge.net is looking for download mirrors. We supply
the hardware. You get the recognition. Email Us: bandwidth () sourceforge net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________________________

Have big pipes? SourceForge.net is looking for download mirrors. We supply
the hardware. You get the recognition. Email Us: bandwidth () sourceforge net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort in a switched environment Bastian Ballmann (May 14)
- Re: Snort in a switched environment Justin M. Parker (May 14)
- Re: Snort in a switched environment Erek Adams (May 14)
  - Re: Snort in a switched environment (Ignore this (Sorry, I have to make this test)) Edin Dizdarevic (May 15)
- Re: Snort in a switched environment Bruno Taranto (May 15)
- Re: Snort in a switched environment Scott McGee (May 15)
- <Possible follow-ups>
- Re: Snort in a switched environment Andrew . Zielinski (May 14)
- RE: Snort in a switched environment McCammon, Keith (May 14)
- RE: Snort in a switched environment Matt Yackley (May 14)
  - Re: Snort in a switched environment Bruno Taranto (May 15)
- RE: Snort in a switched environment counter . spy (May 14)
- Re: Snort in a switched environment Justin M. Parker (May 14)
- Re: Snort in a switched environment Scott McGee (May 14)
- RE: Snort in a switched environment Spitzer, Nathan (May 14)
- Re: Snort in a switched environment Joe Pampel (May 15)