[Snort-users] To hub or not to hub

Matt Kettler mkettler at ...7367...
Mon Jan 6 15:54:03 EST 2003


In general if your network bandwidth at the point you are inserting a hub 
is low compared to the bandwidth of the hub, don't worry about it and use a 
hub. Good examples include monitoring a cable modem, residential DSL, or 
simple T1.

As far as what's "low", I'd say no more than 35% of the hub's bandwidth 
total. So for 1.536mbit/sec T1 line, which is 3.072mbit/sec when you count 
both directions,  using a cheapo 10mbit hub inline is not a significant 
performance issue because that's only 30% of the hub's total bandwidth. 
Yes, it will add a tiny bit of latency due to the occasional collision, but 
if you're using under 35% of the bandwidth of the hub the collision rate 
should be reasonably low. If small latency additions will hurt your network 
performance, use a significantly lower utilization limit as a rule of 
thumb, or use a spanning switch or a hardware tap.

I'll admit up front I'm currently violating my "low" rule of thumb a bit by 
having a maximum possible that would hit 40%, but generally the upstream 
and downstream aren't saturated at the same time here. Were the network 
line I'm monitoring here heavily used I'd want more breathing room.

Also make SURE all ports of the hub are operating at the same rate (ie: all 
10, or all 100, absolutely never use an "auto-sensing hub" with mixed 
speeds and expect it to behave as a truly passive hub.. it will not, see 
the snort FAQ for more info).


At 03:58 PM 1/6/2003 -0600, Anthony Scott wrote:
>Hi. I am going to initially deploy one Snort box on our network. I want to 
>place it right after our firewall to detect anything getting through.
>We have an all switched environment and I do not want to do any spanning 
>(at least initially). I read two documents on Snort's web site, one said a 
>hub was fine, one said a hub was a bad idea. I like the idea because it 
>would be easy to plug and unplug the snort box without disrupting traffic.
>I would also like to use the box for a sniffer, ala Ethereal.
>Thoughts, feelings, ideas?
>
>Thanks
>anthony  scott
>
>
>
>-------------------------------------------------------
>This sf.net email is sponsored by:ThinkGeek
>Welcome to geek heaven.
>http://thinkgeek.com/sf
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list





More information about the Snort-users mailing list