[Snort-Users] Is it really a HUB?

Finney Charles E FinneyCharlesE at ...2134...
Wed Nov 26 11:51:06 EST 2003


If it is really autosensing port speed it is a multiport bridge (switch?).
If it is a single speed device with shared bandwidth across all active ports it is a repeater (hub?).

I have no idea where the terms hub and switch fit into the IEEE 802.x standards, I suspect about the same place telco switches and marketing fit.

Thanks,

Charlie

>Message: 10
>From: "Petriz, Pablo" <ppetriz at ...3815...>
>To: "'snort-users at lists.sourceforge.net'"
>	 <snort-users at lists.sourceforge.net>
>Cc: "'ktk at ...10113...'"
>	 <ktk at ...10113...>,
>        "'dluff at ...9557...'"
>	 <dluff at ...9557...>
>Subject: Re: [Snort-users] Is it really a HUB?
>Date: Wed, 26 Nov 2003 14:57:22 -0300
>
>I want to know if someone on this list is using the Cisco 1538 Micro Hub for
>snorting.
>
>In the overview pdf of this product says:
>
>- Autosensing on all ports allows automatic configuration for either 10BaseT
>or
>100BaseT connections.
>- Built-in high-speed bridge function automatically connects 10BaseT and
>100BaseT
>workstations without an external switch or router.
>- Embedded switch supports store-and-forward switching and filtering and
>forwarding
>rate at full-wire speed.
>
>So i don't know if snort will see all the traffic on it...
>
>Thanks,
>
>PABLO
>
>> Date: Wed, 29 Oct 2003 15:42:00 -0500
>> From: "Kristofer T. Karas" <ktk at ...10113...>
>> To: snort-users at lists.sourceforge.net
>> CC: Darryl Luff <dluff at ...9557...>
>> Subject: Re: [Snort-users] Is it really a HUB?
>> 
>> Darryl Luff wrote:
>> 
>> > It works as you say. Except that if your station never transmits 
>> > anything, the switch will not learn your MAC, and will flood all 
>> > traffic addressed TO YOU out all ports.  [snip]
>> 
>> Thanks...
>> 
>> Right, that was the very thought that hit me in the head the 
>> other night 
>> as I pondered the issues further.  The router with the spanned port 
>> talks to a small handful of other routers; the only MAC 
>> addresses seen 
>> coming in to the hub from that port will therefore be those 
>> of the other 
>> routers, all of which will make their way into the hub's MAC table.  
>> Thus, within a few seconds or so, the small hub will not send 
>> anything 
>> to the IDS because it knows that the source and destination MACs all 
>> reside on the port connected to the router's spanned port; 
>> ergo, there 
>> is no need to copy the packets to any of its (the hub's) other ports. 
>> 
>> Bugger.   I guess I need to find somebody that makes a small 4-port 
>> switch where one can configure a port as a promiscuous 
>> listening interface.
>> 
>> Kris


--__--__--

Message>: 11





More information about the Snort-users mailing list