[Snort-users] Linux and switch problem???

Jim Burwell jimb at ...6373...
Fri Jul 19 13:24:02 EDT 2002

Hrm.  I'm curious about your comments below, twig.

I'm using a Cisco 3548XL to monitor traffic to/from a router with snort 
using the 'port monitor' (spanning) facility.  

I'm monitoring only a single port.  I'm using a port adjacent to the 
port I'm monitoring as the monitor port in the hope that the traffic I 
monitor will stay within the same ASIC.  But that's really just wishful 
thinking, since I don't know exactly what's involved as far as 
CPU/bus/backplane with port monitoring on this switch.  I figure the 
traffic is either staying within the same ASIC (good), or the CPU of the 
switch is getting involved and copying the packets itself (not very good).

So far I haven't noticed a decrease in performance, or any other adverse 
effects using port monitor on this switch.  Any potential problems I 
should know about in spanning these switches?  What could get one "in 
trouble" doing this?

- Jim

twig les wrote:

>What kind of switch?  What did you change in the
>switch config for this project?  What else is the
>Linux box doing?  Simply putting an interface into
>promiscuous mode can't affect a switch.  If you've
>spanned a Cisco 29xx or 35xx, then you may be in
>trouble, but make sure you aren't being scapegoated. 
>That's happened to me before ("Your sniffer is slowing
>the network down!!" <huh?>)
>--- Daniel Curry <dcurry at ...5551...> wrote:
>>     I have configured my eth1 as follows.
>>eth1      Link encap:Ethernet  HWaddr
>>MTU:1500  Metric:1
>>          RX packets:0 errors:0 dropped:0 overruns:0
>>          TX packets:0 errors:0 dropped:0 overruns:0
>>          collisions:0 txqueuelen:100 
>>          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>>          Interrupt:11 Base address:0xc000 
>>However I am getting reports from our network folks
>>that "this is 
>>bringing the switch down?"
>>  My ifcg-eth1 file looks like this.
>> Is there anything wrong with my configuration? 
>>Please reply directly. I received snort email via
>>"digest" mode.
>>Thank you.
>>Daniel Curry
>>PGP AD5A 96DC 7556 A020 B8E7  0E4D 5D5E 9BA5 C83E 8C92
>All warfare is based on deception.
