[Snort-Users] Is it really a HUB?

kenw at ...10492... kenw at ...10492...
Fri Nov 28 08:51:02 EST 2003


On Wed, 26 Nov 2003 13:50:35 -0600, you wrote:

>If it is really autosensing port speed it is a multiport bridge (switch?).
>If it is a single speed device with shared bandwidth across all active ports it is a repeater (hub?).
>
>I have no idea where the terms hub and switch fit into the IEEE 802.x standards, I suspect about the same place telco switches and marketing fit.

In terms of Ethernet (802.3) and ISO protocol layers:
A hub is a multiport repeater: layer 1.
A switch is a multiport bridge: layer 2.

See below.


>Thanks,
>Charlie
>...
>>> Darryl Luff wrote:
>>> 
>>> > It works as you say. Except that if your station never transmits 
>>> > anything, the switch will not learn your MAC, and will flood all 
>>> > traffic addressed TO YOU out all ports.  [snip]
>>> 
>>> Thanks...
>>> 
>>> Right, that was the very thought that hit me in the head the 
>>> other night 
>>> as I pondered the issues further.  The router with the spanned port 
>>> talks to a small handful of other routers; the only MAC 
>>> addresses seen 
>>> coming in to the hub from that port will therefore be those 
>>> of the other 
>>> routers, all of which will make their way into the hub's MAC table.  
>>> Thus, within a few seconds or so, the small hub will not send 
>>> anything 
>>> to the IDS because it knows that the source and destination MACs all 
>>> reside on the port connected to the router's spanned port; 
>>> ergo, there 
>>> is no need to copy the packets to any of its (the hub's) other ports. 
>>> 
>>> Bugger.   I guess I need to find somebody that makes a small 4-port 
>>> switch where one can configure a port as a promiscuous 
>>> listening interface.
>>> 
>>> Kris

You don't want an expensive switch; you want a cheap hub.  A dual-speed hub
is fine; you just have to be careful about the speed of your snorter's NIC
v/s the other ports on the hub.  So long as they are the same, you'll see
all traffic.

For Ethernet, there are switches, single-speed hubs, and dual-speed hubs.

Switches are essentially multi-port bridges, with each port on a separate
bridge interface, regardless of whether that port is running either speed.
Bridges are layer-2 devices that understand and remember MAC addresses;
they forward packets only to the appropriate network segments.  

Single-speed hubs are just multiport layer-1 repeaters; from the ethernet
viewpoint, all ports are in a single collision domain, and all ports see
all packets.  Hubs don't deal with MAC addresses at all -- they just pass
all packets, errors and all.

Most dual-speed hubs are actually two hubs in one (one for each speed) with
a single bridge (two-port switch) between the two hubs.  Thus they are a
combination of layer-1 and layer-2 hardware.  Auto-sensing dual-speed hubs
(which most are) automatically connect each port to one internal hub or the
other depending on its speed.  

This means that all ports of one speed are connected to the same internal
hub, and every port will see all traffic to/from all other ports running at
the same speed.

Now:

If a normal dual-speed hub, connected to the router's spanned port, has its
sniffer/snorter port running at the same speed as the spanned port, it will
see all traffic issuing to/from that port.  Period.  All the time.  No MAC
address filtering.  No special switch required.

BTW, my understanding of the term "spanned" port refers to a port used to
monitor traffic on other ports of the same device (usually a switch).  I
may have missed something: are you trying to set up multiple devices to
analyse the same traffic coming through that spanned port?  Otherwise,
would you mind explaining what your "spanned" port does?

/kenw
Ken Wallewein CDP,CNE,MCSE,CCA,CCNA
K&M Systems Integration
Phone (403)274-7848
Fax   (403)275-4535
kenw at ...10492...
www.kmsi.net




More information about the Snort-users mailing list