Snort mailing list archives

RE: Cisco Catalyst - SNORT

From: Jeff Nathan <jeff () snort org>
Date: Thu, 26 Jun 2003 18:21:20 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did some math to see for myself whether or not I would buy into the idea 
of there being no performance penalty.

The inter-frame delay for gigabit Ethernet is 96 nanoseconds (10 ^ -9), or 
0.000000096 seconds.

The minimum frame data size in 802.3 is still 46 bytes, even though Alteon 
and others desperately want jumbo frames.  Jumbo frames are meaningless in 
full-duplex operation, btw.

What does an Ethernet frame REALLY look like?  Like this:  7 byte preamble, 
1 byte start of frame delimiter, 14 byte Ethernet header, data (if less 
than 46 bytes, padding is used), padding (to bring frame data up to 46 
bytes), 4 byte CRC.

1 gigabit = 1 billion bits per second, or 125 million bytes per second.

125 million * 0.000000096 = 12 bytes (tada! the same as 10 Mb/sec and 
100Mb/sec )

Let's all this all up:

(this format is borrowed from Gorry Fairhurst)
http://www.erg.abdn.ac.uk/users/gorry/course/lan-pages/enet-calc.htm

Inter frame gap (96 nanoseconds): 12 bytes
Mac Preamble + SFD:                8 bytes
Ethernet Header:                  14 bytes
Minimum data size:                46 bytes
CRC:                               4 bytes
- -------------------------------------------
Total:                            84 bytes


Data rate (1 billion bits/sec) / total frame size (bits)

1000000000 / (84 * 8) = 1488095

One point four million frames per second... that's a whole lotta frames.

But wait, it gets better.  Imagine having to copy that many frames from an 
ordinary switch port to a SPAN port.  Two point eight million frames per 
second!

I'm sure some Ethernet switches mirror traffic very well, but upon further 
investigation I believe it would be stretching the truth to say there is no 
performance degradation in doing so.

- -Jeff

- --On Monday, June 23, 2003 10:35 -0500 Tinsley Paul 
<Paul.Tinsley () HCAhealthcare com> wrote:

I recently asked this question of Cisco in reference to vlan mirroring to
a gig fiber port on a 6509 and they said there should be no performance
degredation as it's all done "in hardware."

-----Original Message-----
From: Falvo, Jose Luis - (Arg) [mailto:Jose.Falvo () attla com]
Sent: Monday, June 23, 2003 10:15 AM
To: 'javier () liendo net'
Cc: 'Snort-users () lists sourceforge net'; Rochas, Esteban - (Ext Arg)
Subject: RE: [Snort-users] Cisco Catalyst - SNORT

Thanks Javier,
Could will be any performance problem configuring SPAN port in a switch
with high traffic ?
Regards,
jose

-----Mensaje original-----
De: Javier Liendo [mailto:javier () liendo net]
Enviado el: Lunes, 23 de Junio de 2003 11:56 a.m.
Para: Falvo, Jose Luis - (Arg); 'Snort-users () lists sourceforge net'
Asunto: Re: [Snort-users] Cisco Catalyst - SNORT

hello jose

you'll have to configure the switch port where you are
plugging the snort device as a "span" port...

pls take a look at the following link to see how you
can configure it on a 6000 series catalyst switch...

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/swconfi
g/s pan.htm

also in my experience, if you configure a switch port
as span then you can not pass any management traffic
through that port so you will have to add another
network card and plug it to another switch port if you
want to manage this device remotely...

saludos

javier

--- "Falvo, Jose Luis - (Arg)" <Jose.Falvo () attla com>
wrote:

Hi All,
I'm probing Snort in our network. Snort was
installed and its run correctly.
Our problem is that snort only listen packet unicast
to snort IP or any
broadcast packet of VLAN where its was connected.
Questions is:

In a Cisco Catalyst 8540 or Calalyst 6509, which is
configuration port for
SNORT listen all packet of the VLAN?

Regards and thanks,


Jose Luis Falvo
Dpto. Ingeniería
AT&T Latin America
Tel. (54 11) 5288-0182
 Olga Cosentini  1031 - Cap Fed

Buenos Aires - Argentina

Este mensaje es confidencial. El mismo contiene
información reservada
y que no puede ser difundida. Si usted ha recibido
este e-mail
por error, por favor avísenos inmediatamente vía
e-mail y tenga la
amabilidad de eliminarlo de su sistema; no deberá
copiar el mensaje
ni divulgar su contenido a ninguna persona. Muchas
gracias.

This message is confidential. It contains
information that is privileged and
legally exempt from disclosure. If you have received
this e-mail by mistake,

please let us know immediately by e-mail and delete
it from your system;
you should also not copy the message nor disclose
its contents to anyone.
Thank You.

-------------------------------------------------------

This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An
INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10%
Monthly Commission!
INetU Dedicated Managed Hosting
http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or
unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:

http://www.geocrawler.com/redir-sf.php3?list=snort-users
Este mensaje es confidencial. El mismo contiene información reservada
y que no puede ser difundida. Si usted ha recibido este e-mail
por error, por favor avísenos inmediatamente vía e-mail y tenga la
amabilidad de eliminarlo de su sistema; no deberá copiar el mensaje
ni divulgar su contenido a ninguna persona. Muchas gracias.

This message is confidential. It contains information that is privileged
and legally exempt from disclosure. If you have received this e-mail by
mistake,

please let us know immediately by e-mail and delete it from your system;
you should also not copy the message nor disclose its contents to anyone.
Thank You.



-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




- --
http://cerberus.sourcefire.com/~jeff       (gpg key available)
Great spirits have always encountered violent opposition from mediocre
minds.
- - Albert Einstein
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD4DBQE++5wQEqr8+Gkj0/0RArFZAJdxctcCOPoeP37FUvefEInFCoyAAJ9Jp2Tf
90b0FSH52u7nzgDraY9Osw==
=thJq
-----END PGP SIGNATURE-----



-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Cisco Catalyst - SNORT Falvo, Jose Luis - (Arg) (Jun 23)
- Re: Cisco Catalyst - SNORT Javier Liendo (Jun 23)
  - Re: Cisco Catalyst - SNORT Scott Fringer (Jun 23)
- <Possible follow-ups>
- RE: Cisco Catalyst - SNORT Falvo, Jose Luis - (Arg) (Jun 23)
- RE: Cisco Catalyst - SNORT Tinsley Paul (Jun 23)
  - RE: Cisco Catalyst - SNORT twig les (Jun 23)
    - RE: Cisco Catalyst - SNORT shannong (Jun 24)
  - RE: Cisco Catalyst - SNORT Jeff Nathan (Jun 26)
    - snort + 802.11 management frames ... Jon Baer (Jun 26)
    - Re: Cisco Catalyst - SNORT Gary Flynn (Jun 27)
    - Re: Cisco Catalyst - SNORT Rich Adamson (Jun 27)
    - Re[2]: Cisco Catalyst - SNORT Lukasz Bromirski (Jun 27)
    - Re: Cisco Catalyst - SNORT Jeff Nathan (Jun 27)
    - Foundry performance? (was "Re: Cisco Catalyst - SNORT") twig les (Jun 27)
    - Re: Foundry performance? (was "Re: Cisco Catalyst - SNORT") Roy S. Rapoport (Jun 28)
    - OT: Re: Foundry performance? Chris Green (Jun 30)
    - Re: Cisco Catalyst - SNORT Gary Flynn (Jun 27)
    - Re: Cisco Catalyst - SNORT Jeff Nathan (Jun 27)

(Thread continues...)