[Snort-users] To hub or not to hub
mkettler at ...7367...
Mon Jan 6 15:54:03 EST 2003
In general if your network bandwidth at the point you are inserting a hub
is low compared to the bandwidth of the hub, don't worry about it and use a
hub. Good examples include monitoring a cable modem, residential DSL, or
As far as what's "low", I'd say no more than 35% of the hub's bandwidth
total. So for 1.536mbit/sec T1 line, which is 3.072mbit/sec when you count
both directions, using a cheapo 10mbit hub inline is not a significant
performance issue because that's only 30% of the hub's total bandwidth.
Yes, it will add a tiny bit of latency due to the occasional collision, but
if you're using under 35% of the bandwidth of the hub the collision rate
should be reasonably low. If small latency additions will hurt your network
performance, use a significantly lower utilization limit as a rule of
thumb, or use a spanning switch or a hardware tap.
I'll admit up front I'm currently violating my "low" rule of thumb a bit by
having a maximum possible that would hit 40%, but generally the upstream
and downstream aren't saturated at the same time here. Were the network
line I'm monitoring here heavily used I'd want more breathing room.
Also make SURE all ports of the hub are operating at the same rate (ie: all
10, or all 100, absolutely never use an "auto-sensing hub" with mixed
speeds and expect it to behave as a truly passive hub.. it will not, see
the snort FAQ for more info).
At 03:58 PM 1/6/2003 -0600, Anthony Scott wrote:
>Hi. I am going to initially deploy one Snort box on our network. I want to
>place it right after our firewall to detect anything getting through.
>We have an all switched environment and I do not want to do any spanning
>(at least initially). I read two documents on Snort's web site, one said a
>hub was fine, one said a hub was a bad idea. I like the idea because it
>would be easy to plug and unplug the snort box without disrupting traffic.
>I would also like to use the box for a sniffer, ala Ethereal.
>Thoughts, feelings, ideas?
>This sf.net email is sponsored by:ThinkGeek
>Welcome to geek heaven.
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:
More information about the Snort-users