[Snort-users] heavily switched networks

Erek Adams erek at ...950...
Wed Dec 24 07:22:01 EST 2003


On Wed, 24 Dec 2003, Stewart Larsen wrote:

> Right, but where would you tap?
>
> Let's assume that I have the gateway and firewall set up going into a 16
> port switch. We'll call this switch switch:0. Each port on switch:0 goes
> to another 16 port switch.  We'll call these switch:1 through switch:16.
>
> I now have a nicely divided network with 16 segments of 16 computers
> each. That allows me to have 256 computers on my network.
>
> How do I effectively monitor traffic within each segment without a
> switch that supports SPAN?  Do I need to sniff on 256 different wires?
> Or am I missing some fundamental insight here?

Perhaps....

Do you care about network <-> network traffic?  If not, then just sniff
your uplink.  Sniff the pipe from the FW to switch:0 and you catch all the
traffic coming into your network, no matter how many segments you have.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
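As an added illustration (not from the thread, and not Snort code), a small Python model of the topology Stewart describes: a firewall uplink into switch:0, sixteen edge switches hanging off it, sixteen hosts per edge switch. The link names, the `Host` type and the sample flows are constructed here; the model makes concrete what each tap placement can and cannot see.

```python
from dataclasses import dataclass

EXTERNAL = "external"  # anything beyond the firewall (constructed label)


@dataclass(frozen=True)
class Host:
    segment: int  # edge switch number, 1..16 (switch:1 .. switch:16)
    port: int     # port on that edge switch, 1..16


def host_links(h):
    """Links a host's traffic crosses on its way to switch:0: its own access
    link on the edge switch and that edge switch's uplink into switch:0."""
    return f"switch{h.segment}-port{h.port}", f"switch0-switch{h.segment}"


def path_links(src, dst):
    """Set of links a flow between src and dst traverses in this model."""
    if src == EXTERNAL and dst == EXTERNAL:
        return set()  # never enters the network at all
    if src == EXTERNAL or dst == EXTERNAL:
        access, uplink = host_links(dst if src == EXTERNAL else src)
        return {"fw-switch0", uplink, access}
    a_access, a_uplink = host_links(src)
    b_access, b_uplink = host_links(dst)
    if src.segment == dst.segment:
        return {a_access, b_access}  # switched locally, never reaches switch:0
    return {a_access, a_uplink, b_access, b_uplink}


def visible(flow, taps):
    """True if a sensor on any link in `taps` would see the flow."""
    return bool(path_links(*flow) & set(taps))


def coverage(flows, taps):
    """Fraction of the given flows a tap placement observes."""
    seen = sum(visible(f, taps) for f in flows)
    return seen / len(flows) if flows else 0.0


# Candidate placements from the thread: the single FW->switch:0 wire, or
# one sensor per switch:0 port (sixteen wires).
UPLINK_TAP = {"fw-switch0"}
CORE_TAPS = {f"switch0-switch{n}" for n in range(1, 17)}

# Constructed sample traffic: one inbound flow, one cross-segment, one local.
SAMPLE_FLOWS = [
    (EXTERNAL, Host(3, 7)),
    (Host(3, 7), Host(9, 1)),
    (Host(3, 7), Host(3, 8)),
]
```

Only a tap on the edge switch's own ports reaches the local flow, which is the coverage gap a single uplink sensor accepts.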
