[Snort-users] Cisco Catalyst - SNORT

Mike Feetham mike.feetham at ...9502...
Fri Jun 27 06:41:12 EDT 2003


This is nice math, but you are assuming the switch copies the packet to
the SPAN port.  Instead, think of how the switch handles broadcast and
multicast traffic.  This traffic is sent to multiple (usually ALL) ports
on the switch simultaneously.  Performance does not become a big concern
for SPAN unless you are monitoring multiple ports.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Jeff Nathan
Sent: Thursday, June 26, 2003 9:21 PM
To: Tinsley Paul; 'Falvo, Jose Luis - (Arg)'; 'Snort-users at lists.sourceforge.net'
Subject: RE: [Snort-users] Cisco Catalyst - SNORT

I did some math to see for myself whether or not I would buy into the
idea of there being no performance penalty.

The inter-frame delay for gigabit Ethernet is 96 nanoseconds (10 ^ -9),
or 0.000000096 seconds.

The minimum frame data size in 802.3 is still 46 bytes, even though
Alteon and others desperately want jumbo frames.  Jumbo frames are
meaningless in full-duplex operation, btw.

What does an Ethernet frame REALLY look like?  Like this:  7 byte
preamble, 1 byte start of frame delimiter, 14 byte Ethernet header, data
(if less than 46 bytes, padding is used), padding (to bring frame data up
to 46 bytes), 4 byte CRC.

1 gigabit = 1 billion bits per second, or 125 million bytes per second.

125 million * 0.000000096 = 12 bytes (tada! the same as 10 Mb/sec and
100 Mb/sec)

Let's add this all up:

(this format is borrowed from Gorry Fairhurst)
http://www.erg.abdn.ac.uk/users/gorry/course/lan-pages/enet-calc.htm

Inter frame gap (96 nanoseconds): 12 bytes
Mac Preamble + SFD:                8 bytes
Ethernet Header:                  14 bytes
Minimum data size:                46 bytes
CRC:                               4 bytes
-------------------------------------------
Total:                            84 bytes


Data rate (1 billion bits/sec) / total frame size (bits)

1000000000 / (84 * 8) = 1488095

One point four million frames per second... that's a whole lotta frames.

But wait, it gets better.  Imagine having to copy that many frames from
an ordinary switch port to a SPAN port.  Two point eight million frames
per second!

I'm sure some Ethernet switches mirror traffic very well, but upon
further investigation I believe it would be stretching the truth to say
there is no performance degradation in doing so.

-Jeff

--On Monday, June 23, 2003 10:35 -0500 Tinsley Paul
<Paul.Tinsley at ...9244...> wrote:

> I recently asked this question of Cisco in reference to vlan mirroring to
> a gig fiber port on a 6509 and they said there should be no performance
> degradation as it's all done "in hardware."
>
> -----Original Message-----
> From: Falvo, Jose Luis - (Arg) [mailto:Jose.Falvo at ...3247...]
> Sent: Monday, June 23, 2003 10:15 AM
> To: 'javier at ...7920...'
> Cc: 'Snort-users at lists.sourceforge.net'; Rochas, Esteban - (Ext Arg)
> Subject: RE: [Snort-users] Cisco Catalyst - SNORT
>
>
> Thanks Javier,
> Could there be any performance problem configuring a SPAN port on a
> switch with high traffic?
> Regards,
> jose
>
>
> -----Original Message-----
> From: Javier Liendo [mailto:javier at ...7920...]
> Sent: Monday, June 23, 2003 11:56 a.m.
> To: Falvo, Jose Luis - (Arg); 'Snort-users at lists.sourceforge.net'
> Subject: Re: [Snort-users] Cisco Catalyst - SNORT
>
>
> hello jose
>
> you'll have to configure the switch port where you are
> plugging the snort device as a "span" port...
>
> pls take a look at the following link to see how you
> can configure it on a 6000 series catalyst switch...
>
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/swconfig/span.htm
>
> also in my experience, if you configure a switch port
> as span then you can not pass any management traffic
> through that port so you will have to add another
> network card and plug it to another switch port if you
> want to manage this device remotely...
>
> regards
>
> javier
>
>
> --- "Falvo, Jose Luis - (Arg)" <Jose.Falvo at ...3247...>
> wrote:
>> Hi All,
>> I'm probing Snort in our network. Snort was
>> installed and it runs correctly.
>> Our problem is that Snort only listens to packets unicast
>> to the Snort IP or any
>> broadcast packets of the VLAN where it is connected.
>> The question is:
>>
>> On a Cisco Catalyst 8540 or Catalyst 6509, what is the
>> port configuration for
>> Snort to listen to all packets of the VLAN?
>>
>> Regards and thanks,
>>
>>
>> Jose Luis Falvo
>> Engineering Dept.
>> AT&T Latin America
>> Tel. (54 11) 5288-0182
>>  Olga Cosentini  1031 - Cap Fed
>>
>> Buenos Aires - Argentina



--
http://cerberus.sourcefire.com/~jeff       (gpg key available)
Great spirits have always encountered violent opposition from mediocre minds.
- Albert Einstein
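
Added example (not part of the original thread): the frame-rate arithmetic from the quoted message, generalized to other link speeds and data sizes, plus a simple model of the multi-port SPAN case raised in the reply at the top. The function names, the utilization figures and the no-buffering assumption are constructed for illustration.

```python
# Added example: Ethernet frame-rate and SPAN oversubscription arithmetic.
# Overhead figures are the ones listed in the message above.
IFG, PREAMBLE_SFD, HEADER, CRC = 12, 8, 14, 4   # bytes per frame
MIN_DATA, MAX_DATA = 46, 1500                   # 802.3 data field limits


def wire_bytes(data_len):
    """Bytes of line time one frame occupies, padding short data to 46."""
    if not 0 <= data_len <= MAX_DATA:
        raise ValueError("data length outside 802.3 limits")
    return IFG + PREAMBLE_SFD + HEADER + max(data_len, MIN_DATA) + CRC


def max_fps(link_bps, data_len=MIN_DATA):
    """Whole frames per second one direction of a link can carry."""
    return link_bps // (wire_bytes(data_len) * 8)


def span_load(dest_bps, sources):
    """Model a SPAN session mirroring several ports to one destination.

    sources: list of (link_bps, rx_utilization, tx_utilization), 0.0-1.0.
    Assumption (constructed model): no buffering, so everything offered
    above the destination line rate is lost before the sensor sees it.
    Returns (offered_bps, fraction_of_mirrored_traffic_lost).
    """
    offered = sum(bps * (rx + tx) for bps, rx, tx in sources)
    lost = max(0.0, offered - dest_bps)
    return offered, (lost / offered if offered else 0.0)


if __name__ == "__main__":
    for name, bps in (("10 Mb/s", 10**7), ("100 Mb/s", 10**8), ("1 Gb/s", 10**9)):
        print(f"{name:>9}: {max_fps(bps):>9,} min-size frames/s, "
              f"{max_fps(bps, MAX_DATA):>7,} full-size frames/s")
    # Constructed scenarios: 1 Gb/s destination port feeding the sensor.
    one_port = [(10**9, 0.30, 0.20)]
    four_ports = [(10**9, 0.30, 0.20)] * 4
    for label, srcs in (("1 source port", one_port), ("4 source ports", four_ports)):
        offered, lost = span_load(10**9, srcs)
        print(f"{label}: offered {offered / 1e6:.0f} Mb/s, lost {lost:.0%}")
```

In this model a sensor on an oversubscribed destination port never sees the excess traffic, so the loss shows up as missed detections rather than as an error on the sensor itself.
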
More information about the Snort-users mailing list