[Snort-users] Is it really a HUB?

kenw at ...10492... kenw at ...10492...
Thu Nov 27 21:04:03 EST 2003


On Wed, 26 Nov 2003 13:49:00 -0500, you wrote:

>At 12:57 PM 11/26/2003, Petriz, Pablo wrote:
>...
>>So I don't know if snort will see all the traffic on it...
>
>No, it won't...
>
>auto-bridging means that (at least) the transition between 10mbit and 
>100mbit is switched.
>
>It is in fact IMPOSSIBLE to have a dual-speed hub which is a pure hub when 
>presented with mixed traffic speeds.. no.. really.. it's actually 
>impossible. If you tried, every port would have to throttle down to 10mbit 
>and you'd have a 10mbit hub.
>
>Based on the description, which may differ from reality, all the 100mbit 
>ports might see each other's traffic, and all the 10mbit ports might see 
>each other's traffic, but they will definitely not see traffic from ports 
>of different speeds.

Up to this point, Matt is absolutely correct.  

>The problem is that the actual implementation may have more switching 
>behavior than advertised.. all they've guaranteed is that the 10/100 
>segments are bridged.. but that doesn't mean that the 100mbit ports can't 
>be fully switched with respect to each other too.

According to Cisco's literature, these hubs provide "100-Mbps peak
aggregate throughput".  That implies no switching on the 100Mbps side.

FWIW, I use a dual-speed hub (not this model) for network sniffing at
various sites.  In order to ensure that I'm connected to the internal hub for
the speed-side I'm interested in, I often must manually set the sniffer
NIC's speed to that speed, rather than allowing it to auto-configure.

/kenw

Ken Wallewein CDP,CNE,MCSE,CCA,CCNA
K&M Systems Integration
Phone (403)274-7848
Fax   (403)275-4535
kenw at ...10492...
www.kmsi.net



