Erek Adams erek at ...950...
Wed Dec 24 07:22:01 EST 2003

On Wed, 24 Dec 2003, Stewart Larsen wrote:

> Right, but where would you tap?
> Let's assume that I have the gateway and firewall set up going into a 16
> port switch. We'll call this switch switch:0. Each port on switch:0 goes
> to another 16 port switch.  We'll call these switch:1 through switch:16.
> I now have a nicely divided network with 16 segments of 16 computers
> each. That allows me to have 256 computers on my network.
> How do I effectively monitor traffic within each segment without a
> switch that supports SPAN?  Do I need to sniff on 256 different wires?
> Or am I missing some fundamental insight here?


Do you care about network <-> network traffic?  If not, then just sniff
your uplink.  Sniff the pipe from the FW to switch:0 and you catch all the
traffic coming into your network, no matter how many segments you have.


