[Snort-users] Snort in a switched environment

Matt Yackley Matt.Yackley at ...5858...
Tue May 14 09:30:06 EDT 2002

The trouble with a switch is that it stores MAC addresses in a table for each
port and will only send data to the specific port that is the destination;
the exceptions are broadcast traffic and perhaps when a new device is placed
on the network.  A way around the problem is if the switch handles port
mirroring, you can mirror traffic from selected ports to a port that you
specify as the monitoring port.  Check the user manual that came with the
switch to see if it supports port mirroring.


-----Original Message-----
From: Bastian Ballmann [mailto:ballmann at ...3190...]
Sent: Tuesday, May 14, 2002 10:20 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort in a switched environment

Is it possible to run Snort in a switched environment? Cause Snort can only
sniff the traffic of the host it is running on. Unless it is doing something
like ARP poisoning or something like this...
But I think this would lead to trouble if you run the arpspoof

Bastian Ballmann
Bastian Ballmann [ ballmann at ...3190... ]
@ Computational Design GmbH
[ http://www.co-de.de ]
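
The forwarding behaviour described in the reply above, as an added example that is not part of the original thread: a toy Python model of a MAC-learning switch that shows which frames a sensor port receives with and without port mirroring. The class, port numbers and MAC addresses are constructed for illustration and do not model any particular vendor's switch.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
HOST_A = "02:00:00:00:00:0a"   # constructed MAC, attached to port 1
HOST_B = "02:00:00:00:00:0b"   # constructed MAC, attached to port 2
SENSOR_PORT = 3                # port the Snort sensor listens on

# Constructed traffic: (ingress port, source MAC, destination MAC)
FRAMES = [
    (1, HOST_A, HOST_B),       # B not learned yet: flooded to all ports
    (2, HOST_B, HOST_A),       # A is known: sent to port 1 only
    (1, HOST_A, HOST_B),       # B is known: sent to port 2 only
    (1, HOST_A, BROADCAST),    # broadcast: flooded to all ports
    (2, HOST_B, HOST_A),       # known unicast again
]

class LearningSwitch:
    """Simplified MAC-learning switch with optional port mirroring."""

    def __init__(self, ports, mirror_to=None, mirrored=()):
        self.ports = set(ports)
        self.mac_table = {}            # MAC -> port, learned from source addresses
        self.mirror_to = mirror_to     # monitoring port, or None
        self.mirrored = set(mirrored)  # ports whose traffic is copied

    def forward(self, in_port, src, dst):
        """Return the set of ports this frame is transmitted on."""
        self.mac_table[src] = in_port
        if dst == BROADCAST or dst not in self.mac_table:
            out = self.ports - {in_port}              # flood
        else:
            out = {self.mac_table[dst]} - {in_port}   # single destination port
        # Mirroring: copy any frame entering or leaving a mirrored port
        if self.mirror_to is not None and ({in_port} | out) & self.mirrored:
            out = out | {self.mirror_to}
        return out

def sensor_view(switch, frames, sensor_port=SENSOR_PORT):
    """Frames (src, dst) that reach the sensor port, in order."""
    return [(src, dst) for in_port, src, dst in frames
            if sensor_port in switch.forward(in_port, src, dst)]

if __name__ == "__main__":
    plain = sensor_view(LearningSwitch([1, 2, 3]), FRAMES)
    mirrored = sensor_view(LearningSwitch([1, 2, 3], mirror_to=3, mirrored={1}), FRAMES)
    print(f"no mirroring:   sensor sees {len(plain)} of {len(FRAMES)} frames")
    print(f"mirroring port 1: sensor sees {len(mirrored)} of {len(FRAMES)} frames")
```

Without mirroring the sensor only receives the flooded frames (the first unknown-destination frame and the broadcast); with port 1 mirrored to the sensor port it receives the whole conversation.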

