[Snort-users] Hub not a hub

Mayers, Philip J p.mayers at ...1913...
Wed Jun 6 05:39:07 EDT 2001

I *have* to correct this (mainly because it's totally incorrect :o) - on
most good switches, the uplink port is usually just a faster port (100 as
opposed to 10, 1gig as opposed to 100) and it works just like any other
switch port - only traffic for the MAC addresses specified goes out of it.

You can nominate uplink ports as "all unknown" on some switches, which will
turn off MAC learning on the uplink port and then send all unknown traffic
out that port, but that won't work here - the MAC address of the snorted
boxen will be learnt on whatever port you plug into, or not if it's the
uplink port but then it won't be forwarded.

The best bet with switches is to use a real monitor port, or put static MAC
address entries for the monitored boxen on multiple ports - we used to use
the latter, but we're on a span port now for ease of configuration.


| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |

-----Original Message-----
From: Mike Johnson [mailto:mike at ...874...]
Sent: 06 June 2001 02:33
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Hub not a hub

Just to chime in on this topic, remember that anything with an
uplink port will repeat all traffic through that port.  So, any
traffic that goes through any of the ports will be repeated
through that port, switch or no. So, plug your snort box in
there, and you'll get to see all your traffic.

Er, at least, in my experience.  Gotta have the disclaimer.

If at first you don't succeed, destroy all evidence that you tried --
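
The forwarding behaviour described in the reply above, as an added example that is not part of the original thread: a toy Python model of a learning switch with a Snort sensor on port 4. The class, port numbers and MAC addresses are constructed for illustration and do not model any particular vendor's switch.

```python
# Toy learning-switch model written for this example; not any vendor's behaviour.
SERVER, CLIENT = "00:00:5e:00:53:01", "00:00:5e:00:53:02"  # constructed MACs

class Switch:
    def __init__(self, ports, unknown_uplink=None, span=None):
        self.ports = set(ports)
        self.unknown_uplink = unknown_uplink  # "all unknown" uplink, no learning on it
        self.span = span                      # monitor port, copied on every frame
        self.learned = {}                     # MAC -> port, from source addresses
        self.static = {}                      # MAC -> set of ports, admin-configured

    def forward(self, in_port, src, dst):
        """Return the set of ports one unicast frame leaves through."""
        if in_port != self.unknown_uplink and src not in self.static:
            self.learned[src] = in_port
        if dst in self.static:
            out = set(self.static[dst])
        elif dst in self.learned:
            out = {self.learned[dst]}
        elif self.unknown_uplink is not None:
            out = {self.unknown_uplink}       # unknown unicast goes to the uplink only
        else:
            out = set(self.ports)             # ordinary flood of unknown unicast
        if self.span is not None:
            out.add(self.span)
        out.discard(in_port)
        return out

def sensor_view(switch, sensor_port=4):
    """Server on port 1 and client on port 2 exchange four frames;
    return, per frame, whether the sensor port received a copy."""
    frames = [(1, SERVER, CLIENT), (2, CLIENT, SERVER)] * 2
    return [sensor_port in switch.forward(*f) for f in frames]

def scenarios():
    ports = {1, 2, 3, 4}
    static = Switch(ports)
    static.static[SERVER] = {1, 4}            # monitored box pinned to its port + sensor
    return {
        "plain uplink": sensor_view(Switch(ports)),
        "all-unknown uplink": sensor_view(Switch(ports, unknown_uplink=4)),
        "static MAC on two ports": sensor_view(static),
        "span port": sensor_view(Switch(ports, span=4)),
    }

if __name__ == "__main__":
    for name, seen in scenarios().items():
        print(f"{name:24} {seen}")
```

In this model both uplink variants deliver only the first frame, sent before the client's MAC is learnt; the static entry delivers the frames addressed to the monitored box, and the span port delivers every frame.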
