[Snort-users] [Fwd: Snort on a switched network ?]

Andrew.Zielinski at ...1252... Andrew.Zielinski at ...1252...
Mon Mar 12 09:12:03 EST 2001

Thank you, but I did resolve the issue. I had a port set up for monitoring;
it mirrored the ports that I wanted to monitor. What we did not realise is
that it was set up to monitor in one direction only, i.e. we were monitoring
traffic going out of the mirrored ports; what we needed is to monitor
traffic coming into the mirrored ports.

Andrew Zielinski
----- Forwarded by Andrew Zielinski/IT Corp/BBBY on 03/12/2001 08:49 AM

Brian Little <winzig at ...530...>
Sent by: snort-users-admin at ...635...eforge.net
03/12/2001 08:22 AM
Please respond to winzig

To:
cc: snort-users <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] [Fwd: Snort on a switched network ?]

Typically, you won't be able to view all of the network traffic on any
given port of a switch unless the port that you are connected to is
enabled as a monitoring port. Hence the name switch. The switch keeps an
ARP table of all of the hosts that are attached directly to it on the
wire. It will then only pass/switch packets to the hosts that it is
responsible for.

This is a crude explanation but hopefully it helps.


Martin Roesch wrote:
> --
> Martin Roesch
> roesch at ...421...
> http://www.snort.org
> Subject: Snort on a switched network ?
> Date: Wed, 7 Mar 2001 15:37:53 -0500
> From: Andrew.Zielinski at ...1252...
> To: snort-users-admin at lists.sourceforge.net
> I'm running Snort on a switched network; previously I tested it on a net
> with a dumb hub and it worked fine. On the switched net, which is a DMZ
> Rail, I'm mirroring all the ports. Problem is I only seem to be getting
> the traffic coming out of the mirrored port, which I don't care about.
> Not picking up traffic going into the ports. Has anyone ever seen this
> problem?
> Andrew Zielinski

Brian Little
winzig at ...530... http://members.home.com/winzig
IM winzig40
"The best way to destroy an enemy is to make him your friend." Abe

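
A check for the failure described in this thread (a mirror port that copies only one direction), as an added example that is not part of the original messages: it reads a capture taken on the monitor port and reports whether packets both to and from the monitored hosts appear. It assumes a classic pcap file with Ethernet framing and IPv4; the function names, the 192.0.2.0/24 network used in testing and the packets built by `build_sample` are constructed for illustration.

```python
import ipaddress
import struct
def direction_counts(pcap, monitored):
    """Return (to_hosts, from_hosts) IPv4 packet counts for a classic pcap."""
    net = ipaddress.ip_network(monitored)
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"                      # little-endian capture file
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"                      # big-endian capture file
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    to_hosts = from_hosts = 0
    off = 24                           # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                   # not IPv4, or cut before the addresses
        src = ipaddress.ip_address(frame[26:30])
        dst = ipaddress.ip_address(frame[30:34])
        if dst in net and src not in net:
            to_hosts += 1
        elif src in net and dst not in net:
            from_hosts += 1
    return to_hosts, from_hosts

def mirror_verdict(pcap, monitored, min_packets=4):
    """Flag a capture that only ever shows one direction of traffic."""
    to_hosts, from_hosts = direction_counts(pcap, monitored)
    if to_hosts + from_hosts < min_packets:
        return "too few packets to judge"
    if to_hosts == 0:
        return "one direction only: nothing addressed to the monitored hosts"
    if from_hosts == 0:
        return "one direction only: nothing sent by the monitored hosts"
    return "both directions seen"

def build_sample(pairs):
    """Constructed test input: a minimal pcap with one bare IPv4 header per pair."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst in pairs:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
        frame = b"\x00" * 12 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out
```

Run it on a short capture from the sensor interface before trusting the sensor; a one-direction verdict points at the mirror configuration rather than at Snort.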