[Snort-users] Cisco Catalyst - SNORT

Rich Adamson radamson at ...2127...
Fri Jun 27 07:02:47 EDT 2003


> > But wait, it gets better.  Imagine having to copy that many frames from an 
> > ordinary switch port to a SPAN port.  Two point eight million frames per 
> > second!
> > 
> > I'm sure some Ethernet switches mirror traffic very well, but upon further 
> > investigation I believe it would be stretching the truth to say there is no 
> > performance degradation in doing so.
> 
> I'm not saying the switch works this way but if the packets are on a bus
> and configuring a span port just means telling the port to grab anything
> on the bus, it would seem there would be no performance hit.

We're probably getting off-topic here a little, but the manner in which port
mirroring functions is highly dependent upon the exact ethernet chip set
being used within each switch and the OEM software engineer in how the
mirroring function was handled in their software.

Most current switches have either 8 or 16 port chip sets. Mirroring from
port 1 to 7 will be done within the chip set at wire speeds, where mirroring 
from 1 to 24, or 1/1 to 5/39 may be subjected to different circuit board 
paths (including backplanes in some cases) that may have other limitations.
Someone is likely to say that Cisco's mirroring (as an example only) functions 
at wire speeds even on gig ports, when in fact their experience involved other 
unknown conditions (such as port 1 to port 4 on the same chip set) for which 
they have little/no real knowledge.

I don't know of any recent switch that actually does port mirroring using the
mgmt processor. For the most part, the mgmt processors in current use are
very slow and are only used to control functions that are mostly implemented
in the other on-board chips.

One cannot characterize the functions by vendor either. 3Com, as one example
only, may purchase 10,000 switches manufacturered by one Asian company and
the next 10,000 from another manufacturer. They both look the same on the
outside and have the same front panel model number, but the motherboard (and 
chip sets) may be different. Typically they add something like -002 onto the 
detailed model number. The mirroring function could be implemented differently, 
and may exhibit entirely different mirroring characteristics or efficiencies 
(dropped packets) between what is perceived as the same model of two switches.

It's also been common practice for many well-known US manufacturers to simply
purchase pre-engineered / pre-manufacturered switches from another company
(particularily in the under $1500 boxes) for which the well-known company
has no software/hardware engineering responsibilities. It's pretty easy to
spot those as the well-known company's name is not etched on the circuit
board. (SMC happens to be the US recognized parent name that is producing
a fair number of boxes with other brand names on the front panel.)

For those that might have an interest, rip the cover off your favorite switch
and note the manufacturer's name and part number for the ethernet chip sets.
Usuaually, they are the larger chips and the number of switch ports divided
by the number of larger chips will tell you how many ports / chip. Then go
to that chip manufacturer's web site and check out the specs. You're likely
to be very surprised at the hugh functionality that's in them but not taken
advantage of by the OEM switch vendor. Many of those specs will note mirroring
functions operate at wire speeds (at least when mirroring within the chip).

There are many switches on the market today that will do wire speed mirroring
on adjacent gig ports, but may drop packets between ports on different chip
sets or differnet blades. In any case, the engineering of the snort machine
(internal buss speeds, etc) will be more of a limiting factor then will the
mirroring functions of the switch.

Rich






More information about the Snort-users mailing list