[Snort-users] When is a hub not a hub?

Jonathan G. Lampe jonathan at ...2170...
Tue Jun 5 11:57:10 EDT 2001


Short Answer: When it's a switch.

I was trying to set up a SNORT sensor array (multiple SNORT sensors on
multiple machines hooked up a single hub, uplinked to a hub on the network I
wanted to monitor), but I quickly noticed none of my SNORT boxes were
getting any traffic (except broadcast traffic) from the network I wanted to
monitor.  I pulled my brand new LinkSys "hub" off the network and put a
SNORT box back on Hub#1 - saw all the traffic again.

----Hub#1(OK)-----(network I want to monitor)
       |
     LinkSys
   /    |    \
SNORT SNORT SNORT

After some experimentation I found my LinkSys "hub" was really a "switch" -
it figured out the ethernet addresses of the devices plugged into it and was
only passing packets to the correct devices - thus thwarting my efforts to
listen in on the network I wanted to monitor.

I purchased my brand new LinkSys "Etherfast 5Port 10/100 Auto-Sensing
'Workgroup' Hub W/5 RJ45 Ports" (UPC 0745883548835) from buy.com for $40 -
you'd think a cheap hub would be just a dumb repeater, but it wasn't.  So
here's what I'm looking for: (PLEASE EMAIL DIRECTLY TO jonathan at ...2170...)

Brand/Device names of currently-available "hubs" which...
...are dumb repeaters (good for SNORT sensor arrays)
...switch (bad for SNORT sensor arrays)
(Or links to or lists of places who have already compiled this list!)

If I get a good list of hubs (>10?) together, I'll repost it here, but until
then, please email any responses directly to jonathan at ...2170... to keep
this discussion board from filling up with hub chatter...;)

TIA, Jonathan Lampe, Standard Networks, Inc., jonathan at ...2170...






More information about the Snort-users mailing list