Snort mailing list archives

Re: Linux and switch problem???


From: Jim Burwell <jimb () broadvision com>
Date: Fri, 19 Jul 2002 13:22:52 -0700

Hrm.  I'm curious about your comments below twig.

I'm using a Cisco 3548XL to monitor traffic to/from a router with snort using the 'port monitor' (spanning) facility. I'm monitoring only a single port. I'm using a port adjacent to the port I'm monitoring as the monitor port in the hope that the traffic I monitor will stay within the same ASIC. But that's really just wishful thinking, since I don't know exactly what's involved as far as CPU/bus/backplane with port monitoring on this switch. I figure the traffic is either staying within the same ASIC (good), or the CPU of the switch is getting involved and copying the packets itself (not very good).

So far I haven't noticed a decrease in performance, or any other adverse effects using port monitor on this switch. Any potential problems I should know about in spanning these switches? What could get one "in trouble" doing this?

Tia,
- Jim

twig les wrote:

What kind of switch?  What did you change in the
switch config for this project?  What else is the
Linux box doing?  Simply putting an interface into
promiscuous mode can't affect a switch.  If you've
spanned a Cisco 29xx or 35xx, then you may be in
trouble, but make sure you aren't being scapegoated.
That's happened to me before ("Your sniffer is slowing
the network down!!" <huh?>)


--- Daniel Curry <dcurry () corio com> wrote:

    I have configured my eth1 as follows.
eth1      Link encap:Ethernet  HWaddr 00:50:8B:E3:99:7C
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:11 Base address:0xc000

However I am getting reports from our network folks
that "this is bringing the switch down?"


My ifcfg-eth1 file looks like this.
DEVICE=eth1
BOOTPROTO=static
ONBOOT=yes

Is there anything wrong with my configuration?
Please reply directly. I receive snort email via
"digest" mode.

Thank you.
--
Daniel Curry
PGP AD5A 96DC 7556 A020 B8E7  0E4D 5D5E 9BA5 C83E 8C92



=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


