[Snort-users] Cisco Catalyst - SNORT

Jeff Nathan jeff at ...950...
Thu Jun 26 18:22:09 EDT 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did some math to see for myself whether or not I would buy into the idea 
of there being no performance penalty.

The inter-frame delay for gigabit Ethernet is 96 nanoseconds (10 ^ -9), or 
0.000000096 seconds.

The minimum frame data size in 802.3 is still 46 bytes, even though Alteon 
and others desperately want jumbo frames.  Jumbo frames are meaningless in 
full-duplex operation, btw.

What does an Ethernet frame REALLY look like?  Like this:  7 byte preamble, 
1 byte start of frame delimiter, 14 byte Ethernet header, data (if less 
than 46 bytes, padding is used), padding (to bring frame data up to 46 
bytes), 4 byte CRC.

1 gigabit = 1 billion bits per second, or 125 million bytes per second.

125 million * 0.000000096 = 12 bytes (tada! the same as 10 Mb/sec and 
100Mb/sec )

Let's add this all up:

(this format is borrowed from Gorry Fairhurst)
http://www.erg.abdn.ac.uk/users/gorry/course/lan-pages/enet-calc.htm

Inter frame gap (96 nanoseconds): 12 bytes
Mac Preamble + SFD:                8 bytes
Ethernet Header:                  14 bytes
Minimum data size:                46 bytes
CRC:                               4 bytes
- -------------------------------------------
Total:                            84 bytes


Data rate (1 billion bits/sec) / total frame size (bits)

1000000000 / (84 * 8) = 1488095

One point four million frames per second... that's a whole lotta frames.

But wait, it gets better.  Imagine having to copy that many frames from an 
ordinary switch port to a SPAN port.  Two point eight million frames per 
second!

I'm sure some Ethernet switches mirror traffic very well, but upon further 
investigation I believe it would be stretching the truth to say there is no 
performance degradation in doing so.

- -Jeff

- --On Monday, June 23, 2003 10:35 -0500 Tinsley Paul 
<Paul.Tinsley at ...9244...> wrote:

> I recently asked this question of Cisco in reference to vlan mirroring to
> a gig fiber port on a 6509 and they said there should be no performance
> degradation as it's all done "in hardware."
>
> -----Original Message-----
> From: Falvo, Jose Luis - (Arg) [mailto:Jose.Falvo at ...3247...]
> Sent: Monday, June 23, 2003 10:15 AM
> To: 'javier at ...7920...'
> Cc: 'Snort-users at lists.sourceforge.net'; Rochas, Esteban - (Ext Arg)
> Subject: RE: [Snort-users] Cisco Catalyst - SNORT
>
>
> Thanks Javier,
> Could there be any performance problem configuring a SPAN port in a switch
> with high traffic?
> Regards,
> jose
>
>
> -----Original Message-----
> From: Javier Liendo [mailto:javier at ...7920...]
> Sent: Monday, June 23, 2003 11:56 a.m.
> To: Falvo, Jose Luis - (Arg); 'Snort-users at lists.sourceforge.net'
> Subject: Re: [Snort-users] Cisco Catalyst - SNORT
>
>
> hello jose
>
> you'll have to configure the switch port where you are
> plugging the snort device as a "span" port...
>
> pls take a look at the following link to see how you
> can configure it on a 6000 series catalyst switch...
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/swconfig/span.htm
>
> also in my experience, if you configure a switch port
> as span then you can not pass any management traffic
> through that port so you will have to add another
> network card and plug it to another switch port if you
> want to manage this device remotely...
>
> regards
>
> javier
>
>
> --- "Falvo, Jose Luis - (Arg)" <Jose.Falvo at ...3247...>
> wrote:
>> Hi All,
>> I'm probing Snort in our network. Snort was
>> installed and it runs correctly.
>> Our problem is that Snort only listens to unicast packets
>> sent to the Snort IP or any
>> broadcast packets of the VLAN where it is connected.
>> The question is:
>>
>> On a Cisco Catalyst 8540 or Catalyst 6509, what is
>> the port configuration for
>> Snort to listen to all packets of the VLAN?
>>
>> Regards and thanks,
>>
>>
>> Jose Luis Falvo
>> Engineering Dept.
>> AT&T Latin America
>> Tel. (54 11) 5288-0182
>>  Olga Cosentini  1031 - Cap Fed
>>
>> Buenos Aires - Argentina
>>
>> This message is confidential. It contains
>> information that is privileged and
>> legally exempt from disclosure. If you have received
>> this e-mail by mistake,
>>
>> please let us know immediately by e-mail and delete
>> it from your system;
>> you should also not copy the message nor disclose
>> its contents to anyone.
>> Thank You.
>>
>>
>>
>>
>> -------------------------------------------------------
>> This SF.Net email is sponsored by: INetU
>> Attention Web Developers & Consultants: Become An INetU Hosting Partner.
>> Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
>> INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users



- --
http://cerberus.sourcefire.com/~jeff       (gpg key available)
Great spirits have always encountered violent opposition from mediocre
minds.
- - Albert Einstein
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD4DBQE++5wQEqr8+Gkj0/0RArFZAJdxctcCOPoeP37FUvefEInFCoyAAJ9Jp2Tf
90b0FSH52u7nzgDraY9Osw==
=thJq
-----END PGP SIGNATURE-----
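
Added example (not part of the original message or of Snort): the frame-rate arithmetic from the message above, generalized to other link speeds and payload sizes, plus the time a sensor on the mirror port has per frame. The function names and the 1500-byte payload ceiling are assumptions of this example.

```python
# Added illustration: worst-case Ethernet frame rates, using the per-frame
# overhead listed in the message above (all sizes in bytes).
IFG = 12            # inter-frame gap: 96 bit times at any 802.3 speed
PREAMBLE_SFD = 8    # 7-byte preamble + 1-byte start-of-frame delimiter
HEADER = 14
CRC = 4
MIN_PAYLOAD = 46
MAX_PAYLOAD = 1500  # assumed ceiling (standard 802.3); jumbo frames not modelled


def wire_bytes(payload: int) -> int:
    """Bytes of link time one frame occupies, padding and gap included."""
    if not 0 <= payload <= MAX_PAYLOAD:
        raise ValueError(f"payload must be 0..{MAX_PAYLOAD} bytes")
    # Short payloads are padded up to the 46-byte minimum.
    return IFG + PREAMBLE_SFD + HEADER + max(payload, MIN_PAYLOAD) + CRC


def max_frames_per_sec(link_bps: int, payload: int = MIN_PAYLOAD) -> int:
    """Whole frames per second a saturated link can carry."""
    return link_bps // (wire_bytes(payload) * 8)


def per_frame_budget_ns(link_bps: int, payload: int = MIN_PAYLOAD) -> float:
    """Time a sensor has per frame if it is to keep up with a saturated link."""
    return wire_bytes(payload) * 8 * 1_000_000_000 / link_bps


if __name__ == "__main__":
    for name, bps in (("10 Mb/s", 10**7), ("100 Mb/s", 10**8), ("1 Gb/s", 10**9)):
        for payload in (MIN_PAYLOAD, MAX_PAYLOAD):
            print(f"{name:>8}  payload {payload:>4} B  "
                  f"{max_frames_per_sec(bps, payload):>9,} frames/s  "
                  f"{per_frame_budget_ns(bps, payload):>11,.0f} ns/frame")
```
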




