Snort mailing list archives
Re[2]: Cisco Catalyst - SNORT
From: Lukasz Bromirski <lbromirski () mr0vka eu org>
Date: Fri, 27 Jun 2003 22:23:36 +0200
Hello,

RA> Most current switches have either 8 or 16 port chip sets.

That's quite correct.

RA> Someone is likely to say that Cisco's mirroring (as an example only)
RA> functions at wire speeds even on gig ports, when in fact their
RA> experience involved other unknown conditions (such as port 1 to port 4
RA> on the same chip set) for which they have little/no real knowledge.

Well, the Catalyst 2950 and 3550 boxes, for example, do SPAN at wire speed, regardless of which port is actually the source port and which one is the destination port. However, Cisco states clearly that a highly oversubscribed destination port can slow down source ports - which is logical, because it comes down to buffer capacity. With Snort installations the highly oversubscribed situation can surface quite easily (one port sniffing the traffic of the other 23 or 47, for example).

RA> There are many switches on the market today that will do wire speed
RA> mirroring on adjacent gig ports, but may drop packets between ports on
RA> different chip sets or different blades.

Indeed. It's just a question of detailed documentation being available (including some architectural details), which most off-the-shelf switches lack.

Just my 0,05PLN

--
Łukasz Bromirski lbromirski[at]mr0vka.eu.org
PGP key http://mr0vka.eu.org/pgp.asc http://mr0vka.eu.org
PGP finger 5C3B 723F A1FA A2BA E57A E959 62A8 63C2 093B 6C49