[Snort-Users] Is it really a HUB?
Finney Charles E
FinneyCharlesE at ...2134...
Wed Nov 26 11:51:06 EST 2003
If it is really autosensing port speed it is a multiport bridge (switch?).
If it is a single speed device with shared bandwidth across all active ports it is a repeater (hub?).
I have no idea where the terms hub and switch fit into the IEEE 802.x standards, I suspect about the same place telco switches and marketing fit.
>From: "Petriz, Pablo" <ppetriz at ...3815...>
>To: "'snort-users at lists.sourceforge.net'"
> <snort-users at lists.sourceforge.net>
>Cc: "'ktk at ...10113...'"
> <ktk at ...10113...>,
> "'dluff at ...9557...'"
> <dluff at ...9557...>
>Subject: Re: [Snort-users] Is it really a HUB?
>Date: Wed, 26 Nov 2003 14:57:22 -0300
>I want to know if someone on this list is using the Cisco 1538 Micro Hub for
>In the overview pdf of this product says:
>- Autosensing on all ports allows automatic configuration for either 10BaseT
>- Built-in high-speed bridge function automatically connects 10BaseT and
>workstations without an external switch or router.
>- Embedded switch supports store-and-forward switching and filtering and
>rate at full-wire speed.
>So i don't know if snort will see all the traffic on it...
>> Date: Wed, 29 Oct 2003 15:42:00 -0500
>> From: "Kristofer T. Karas" <ktk at ...10113...>
>> To: snort-users at lists.sourceforge.net
>> CC: Darryl Luff <dluff at ...9557...>
>> Subject: Re: [Snort-users] Is it really a HUB?
>> Darryl Luff wrote:
>> > It works as you say. Except that if your station never transmits
>> > anything, the switch will not learn your MAC, and will flood all
>> > traffic addressed TO YOU out all ports. [snip]
>> Right, that was the very thought that hit me in the head the
>> other night
>> as I pondered the issues further. The router with the spanned port
>> talks to a small handful of other routers; the only MAC
>> addresses seen
>> coming in to the hub from that port will therefore be those
>> of the other
>> routers, all of which will make their way into the hub's MAC table.
>> Thus, within a few seconds or so, the small hub will not send
>> to the IDS because it knows that the source and destination MACs all
>> reside on the port connected to the router's spanned port;
>> ergo, there
>> is no need to copy the packets to any of its (the hub's) other ports.
>> Bugger. I guess I need to find somebody that makes a small 4-port
>> switch where one can configure a port as a promiscuous
>> listening interface.
More information about the Snort-users