Re: Is it really a HUB?

["Kristofer T. Karas" <ktk () enterprise bidmc harvard edu>]

Darryl Luff wrote:

> It works as you say. Except that if your station never transmits 
> anything, the switch will not learn your MAC, and will flood all 
> traffic addressed TO YOU out all ports.  [snip]

Thanks...

Right, that was the very thought that hit me in the head the other night 
as I pondered the issues further.  The router with the spanned port 
talks to a small handful of other routers; the only MAC addresses seen 
coming in to the hub from that port will therefore be those of the other 
routers, all of which will make their way into the hub's MAC table.  
Thus, within a few seconds or so, the small hub will not send anything 
to the IDS because it knows that the source and destination MACs all 
reside on the port connected to the router's spanned port; ergo, there 
is no need to copy the packets to any of its (the hub's) other ports. 

Bugger.   I guess I need to find somebody that makes a small 4-port 
switch where one can configure a port as a promiscuous listening interface.

Kris




-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users