[Snort-users] Snort on switched network

Gadrow, Jim jgadrow at ...3548...
Tue Oct 9 13:59:12 EDT 2001

Hi Erik,

Just a quick comment on your reply to Ashley, please correct me if I'm
wrong... The tap used as you suggest will not show you the traffic between
hosts on the switch, just the traffic between this switch and other devices.
So if I have a 10.1.x.x switch and a 10.2.x.x switch, I can read traffic
from 10.1.x.x <-> 10.2.x.x, but not 10.1.x.x <-> 10.1.x.x or 10.2.x.x <->

AFAIK, the only way to watch all of it would be to tap ALL ports, or use a
host-based IDS. It actually might work if you tap at least 1 port on each
blade of the switches as well. When I use promiscuous mode on a port on a
switch, I only see traffic on that particular blade. Not sure how
promiscuous mode might work using the tap though...

If that's not true or if there's a better way, let me know because I'm in
that exact situation.


-----Original Message-----
From: Erek Adams [mailto:erek at ...577...]
Sent: Tuesday, October 09, 2001 2:25 PM
To: Ashley Thomas
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort on switched network

On Tue, 9 Oct 2001, Ashley Thomas wrote:

> It is a bad idea to run Snort (or any IDS for that matter) on a switched
> network, am i right ?
> Are there any work arounds ?

No, it's not a 'bad thing', you just may not get what you expect.  Switches
manitain a list of MAC addresses and what port they are connected to on the
switch.  They only send traffic destined for that MAC down that port.  In
other words, you usually can't sniff all the traffic.

Workarounds?  Well, if your switch has a port designed for monitoring, or
can configure spanning (some Ciscos) or port mirroring you'll see all of the
traffic.  If that's not possible, then drop about $400 on a Shomiti tap.
can place that in front of the switch and get the same results as

Hope that helps!

Erek Adams

More information about the Snort-users mailing list