[Snort-users] Is it really a HUB?

bmcdowell at ...7861... bmcdowell at ...7861...
Fri Nov 28 13:06:11 EST 2003


I wonder if perhaps there's a business opportunity here, or perhaps
simply an existing piece of hardware that would help deal with these
problems.

Imagine a tap/hub/whatever that one might plug into both the 10mbit and
100mbit 'sides' of such a device, and then deliver that combined
'signal' to a single ethernet port.  Or, potentially, combining the span
ports of two or more managed switches into a single 'signal feed'.

One could show up onsite, plug in the 'feed device' into one or more
ports on one or more devices and sniff away...

Just a random thought,


Bob

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of
kenw at ...10492...
Sent: Friday, November 28, 2003 2:17 PM
To: Matt Kettler
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Is it really a HUB?


On Fri, 28 Nov 2003 14:06:01 -0500, you wrote:

>At 11:31 PM 11/27/2003, kenw at ...10492... wrote:
>> >The problem is that the actual implementation may have more
switching
>> >behavior than advertized.. all they've guaranteed is that the 10/100
>> >segments are bridged.. but that doesn't mean that the 100mbit ports
can't
>> >be fully switched with respect to each other too.
>>
>>According to Cisco's literature, these hubs provide "100-Mbps peak
>>aggregate throughput".  That implies no switching on the 100Mbps side.
>
>
>True, although they are free to give you more than advertised.
Implications 
>are not specifications.
>
>I've encountered at least one dual-speed hub, a netgear model, that
behaved 
>more like a switch than a hub between 100mbit ports. (I tried to hook a

>100mbit/sec sniffer in between two 100mbit devices and saw nothing).
The 
>big difference is that it only supported half duplex, unlike most
switches.

Interesting.  I personally use a NetGear DS104 dual-speed hub, specially
purchased for such work.  I've never seen that behavior.  I do, though,
have to watch the port speed lights carefully, and hard-set the NIC
interface speed at times.

Vendor marketing types seem to see little harm in playing their usual
games
with terminology.  They're usually right, unfortunately.

>Basically all I was stating was that it *might* behave like a switch or
a 
>hub.. Despite the Cisco literature, I still see nothing in there that 
>solidly ensures hub-like behaviors between 100mbit ports. Thus, I still
say 
>that either behavior is possible.
>
>It could act like a hub, or a switch, and neither behavior is
guaranteed by 
>the spec.

True.  And it could even violate specs, for that matter (gee, that
_never_
happens ;-/ ).

The Principle of Least Amazement (aka Occam's Razor) would suggest that
an
auto-configuring sniffer NIC is the more likely culprit, and deserves
close
inspection.  But I would pay dearly for the ability to generate a
personal
No Wierd Sh*t Zone.

/kenw
Ken Wallewein CDP,CNE,MCSE,CCA,CCNA
K&M Systems Integration
Phone (403)274-7848
Fax   (403)275-4535
kenw at ...10492...
www.kmsi.net


-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?  SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users




More information about the Snort-users mailing list