[Snort-users] Is it really a HUB?
ppetriz at ...3815...
Wed Nov 26 10:01:10 EST 2003
I want to know if someone on this list is using the Cisco 1538 Micro Hub for
In the overview pdf of this product says:
- Autosensing on all ports allows automatic configuration for either 10BaseT
- Built-in high-speed bridge function automatically connects 10BaseT and
workstations without an external switch or router.
- Embedded switch supports store-and-forward switching and filtering and
rate at full-wire speed.
So i don't know if snort will see all the traffic on it...
> Date: Wed, 29 Oct 2003 15:42:00 -0500
> From: "Kristofer T. Karas" <ktk at ...10113...>
> To: snort-users at lists.sourceforge.net
> CC: Darryl Luff <dluff at ...9557...>
> Subject: Re: [Snort-users] Is it really a HUB?
> Darryl Luff wrote:
> > It works as you say. Except that if your station never transmits
> > anything, the switch will not learn your MAC, and will flood all
> > traffic addressed TO YOU out all ports. [snip]
> Right, that was the very thought that hit me in the head the
> other night
> as I pondered the issues further. The router with the spanned port
> talks to a small handful of other routers; the only MAC
> addresses seen
> coming in to the hub from that port will therefore be those
> of the other
> routers, all of which will make their way into the hub's MAC table.
> Thus, within a few seconds or so, the small hub will not send
> to the IDS because it knows that the source and destination MACs all
> reside on the port connected to the router's spanned port;
> ergo, there
> is no need to copy the packets to any of its (the hub's) other ports.
> Bugger. I guess I need to find somebody that makes a small 4-port
> switch where one can configure a port as a promiscuous
> listening interface.
More information about the Snort-users