[Snort-users] Ethernet Tap

Matt Kettler mkettler at ...4108...
Fri Aug 13 15:18:05 EDT 2004


At 06:03 PM 8/13/2004, TKaroutsos at ...12252... wrote:
>Thanks. Any idea on how many ports can be spanned to a single port on the
>Cisco switch? Could not find this info at Cisco's site.

It's somewhat complex, see the "monitor session" command in the command 
reference:

http://www.cisco.com/en/US/products/hw/switches/ps628/products_command_reference_chapter09186a0080150b7b.html#2921813

In short, you can have two span sessions..
         Each span session can have only one output port.
         Each span session can monitor the received traffic on as many 
ports as it likes
         Each span session can monitor the transmitted traffic of only ONE 
port.

Thus you can only monitor one port if you want to monitor it full-duplex 
(tx and rx)






More information about the Snort-users mailing list