[Snort-users] Linux and switch problem???

Jim Burwell jimb at ...6373...
Fri Jul 19 13:24:02 EDT 2002


Hrm.  I'm curious about your comments below, twig.

I'm using a Cisco 3548XL to monitor traffic to/from a router with snort 
using the 'port monitor' (spanning) facility.  

I'm monitoring only a single port.  I'm using a port adjacent to the 
port I'm monitoring as the monitor port in the hope that the traffic I 
monitor will stay within the same ASIC.  But that's really just wishful 
thinking, since I don't know exactly what's involved as far as 
CPU/bus/backplane with port monitoring on this switch.  I figure the 
traffic is either staying within the same ASIC (good), or the CPU of the 
switch is getting involved and copying the packets itself (not very good).

So far I haven't noticed a decrease in performance, or any other adverse 
effects using port monitor on this switch.  Any potential problems I 
should know about in spanning these switches?  What could get one "in 
trouble" doing this?

Tia,
- Jim

twig les wrote:

>What kind of switch?  What did you change in the
>switch config for this project?  What else is the
>Linux box doing?  Simply putting an interface into
>promiscuous mode can't affect a switch.  If you've
>spanned a Cisco 29xx or 35xx, then you may be in
>trouble, but make sure you aren't being scapegoated. 
>That's happened to me before ("Your sniffer is slowing
>the network down!!" <huh?>)
>
>
>--- Daniel Curry <dcurry at ...5551...> wrote:
>
>>     I have configured my eth1 as follows.
>>eth1      Link encap:Ethernet  HWaddr 00:50:8B:E3:99:7C
>>          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>>          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>>          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>          collisions:0 txqueuelen:100
>>          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>>          Interrupt:11 Base address:0xc000
>>
>>
>>However I am getting reports from our network folks
>>that "this is 
>>bringing the switch down?"
>>
>>
>>  My ifcfg-eth1 file looks like this.
>>DEVICE=eth1
>>BOOTPROTO=static
>>ONBOOT=yes
>>
>> Is there anything wrong with my configuration? 
>>
>>Please reply directly. I received snort email via
>>"digest" mode.
>>
>>Thank you.
>>-- 
>>Daniel Curry
>>PGP AD5A 96DC 7556 A020 B8E7  0E4D 5D5E 9BA5 C83E 8C92
>
>
>=====
>-----------------------------------------------------------
>All warfare is based on deception.
>-----------------------------------------------------------
>