Snort mailing list archives
Re: [Snort-Users] Is it really a HUB?
From: kenw () kmsi net
Date: Fri, 28 Nov 2003 09:50:19 -0700
On Wed, 26 Nov 2003 13:50:35 -0600, you wrote:
If it is really autosensing port speed it is a multiport bridge (switch?). If it is a single speed device with shared bandwidth across all active ports it is a repeater (hub?). I have no idea where the terms hub and switch fit into the IEEE 802.x standards, I suspect about the same place telco switches and marketing fit.
In terms of Ethernet (802.3) and ISO protocol layers: A hub is a multiport repeater: layer 1. A switch is a multiport bridge: layer 2. See below.
Thanks, Charlie

...

Darryl Luff wrote:

It works as you say. Except that if your station never transmits anything, the switch will not learn your MAC, and will flood all traffic addressed TO YOU out all ports.

[snip]

Thanks... Right, that was the very thought that hit me in the head the other night as I pondered the issues further. The router with the spanned port talks to a small handful of other routers; the only MAC addresses seen coming in to the hub from that port will therefore be those of the other routers, all of which will make their way into the hub's MAC table. Thus, within a few seconds or so, the small hub will not send anything to the IDS because it knows that the source and destination MACs all reside on the port connected to the router's spanned port; ergo, there is no need to copy the packets to any of its (the hub's) other ports. Bugger. I guess I need to find somebody that makes a small 4-port switch where one can configure a port as a promiscuous listening interface.

Kris
You don't want an expensive switch; you want a cheap hub. A dual-speed hub is fine; you just have to be careful about the speed of your snorter's NIC v/s the other ports on the hub. So long as they are the same, you'll see all traffic.

For Ethernet, there are switches, single-speed hubs, and dual-speed hubs.

Switches are essentially multi-port bridges, with each port on a separate bridge interface, regardless of whether that port is running either speed. Bridges are layer-2 devices that understand and remember MAC addresses; they forward packets only to the appropriate network segments.

Single-speed hubs are just multiport layer-1 repeaters; from the ethernet viewpoint, all ports are in a single collision domain, and all ports see all packets. Hubs don't deal with MAC addresses at all -- they just pass all packets, errors and all.

Most dual-speed hubs are actually two hubs in one (one for each speed) with a single bridge (two-port switch) between the two hubs. Thus they are a combination of layer-1 and layer-2 hardware. Auto-sensing dual-speed hubs (which most are) automatically connect each port to one internal hub or the other depending on its speed. This means that all ports of one speed are connected to the same internal hub, and every port will see all traffic to/from all other ports running at the same speed.

Now: If a normal dual-speed hub, connected to the router's spanned port, has its sniffer/snorter port running at the same speed as the spanned port, it will see all traffic issuing to/from that port. Period. All the time. No MAC address filtering. No special switch required.

BTW, my understanding of the term "spanned" port refers to a port used to monitor traffic on other ports of the same device (usually a switch). I may have missed something: are you trying to set up multiple devices to analyse the same traffic coming through that spanned port? Otherwise, would you mind explaining what your "spanned" port does?
/kenw
Ken Wallewein CDP,CNE,MCSE,CCA,CCNA
K&M Systems Integration
Phone (403)274-7848 Fax (403)275-4535
kenw () kmsi net www.kmsi.net
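The dual-speed hub behaviour described in the message above, as an added example that is not part of the original email thread: a toy Python model of two same-speed repeaters joined by a learning bridge, replaying router-to-router frames that arrive on the monitored port to show which ones reach an IDS sensor. The class and function names, port numbers, speeds and MAC addresses are assumptions constructed for illustration.

```python
# Added illustration: toy model of the dual-speed hub described in the message.
# Port numbers, speeds and MAC labels below are constructed sample values.
BROADCAST = "ff:ff:ff:ff:ff:ff"


class DualSpeedHub:
    """Two layer-1 repeaters (one per speed) joined by a learning bridge."""

    def __init__(self, port_speeds):
        self.port_speeds = dict(port_speeds)  # port -> 10 or 100 (Mbit/s)
        self.mac_side = {}                    # bridge table: MAC -> speed segment

    def send(self, in_port, src, dst):
        """Return the set of ports that see a frame entering on in_port."""
        side = self.port_speeds[in_port]
        self.mac_side[src] = side             # bridge learns the source MAC
        # Layer 1: every other port at the same speed repeats the frame.
        seen = {p for p, s in self.port_speeds.items()
                if s == side and p != in_port}
        # Layer 2: the bridge passes the frame to the other-speed segment only
        # for broadcasts, unknown destinations, or MACs learned over there.
        if dst == BROADCAST or self.mac_side.get(dst) != side:
            seen |= {p for p, s in self.port_speeds.items() if s != side}
        return seen


def sensor_coverage(sensor_speed, monitored_speed=100):
    """Replay router-to-router frames arriving on the monitored port (1) and
    report, per frame, whether the sensor on port 2 saw it."""
    hub = DualSpeedHub({1: monitored_speed, 2: sensor_speed})
    router_a, router_b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
    frames = [(router_a, router_b), (router_b, router_a),
              (router_a, router_b), (router_b, router_a)]
    return [2 in hub.send(1, src, dst) for src, dst in frames]


if __name__ == "__main__":
    print("sensor at 100 Mbit/s:", sensor_coverage(100))
    print("sensor at  10 Mbit/s:", sensor_coverage(10))
```

With the sensor at the monitored port's speed every frame is repeated to it; at the other speed only the first, not-yet-learned frame crosses the internal bridge.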