[Snort-users] Ethernet Tap

Bill Parker dogbert at ...11664...
Fri Aug 13 19:26:04 EDT 2004


----- Original Message ----- 
From: <TKaroutsos at ...12252...>
To: "Matt Kettler" <mkettler at ...4108...>
Cc: "STEVE MAKOUSKY" <SMAKOUS1 at ...12264...>;
<snort-users at lists.sourceforge.net>
Sent: Friday, August 13, 2004 3:03 PM
Subject: Re: [Snort-users] Ethernet Tap


>
> Thanks. Any idea on how many ports can be spanned to a single port on the
> Cisco switch? Could not find this info at Cisco's site.

A good way to do this is to make all the ports you want to monitor into a
VLAN (or multiple VLANs if you are trunking and doing InterVLAN routing),
then you can set the monitor port to watch traffic on various VLANs.  I do
this at work so I can monitor any # of VLANs that I need to (and it saves
me from having to type the number of ports I want to mirror).  Just make
sure that the NIC you are using to connect to the monitor port is in
PROMISC mode and preferably doesn't have an IP address assigned to it
(makes sure that you only see valid traffic on your LAN).

Bill
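
An added example, not part of the original message: a shell check that a Linux sensor NIC matches the advice above (PROMISC set, no IP address), working on the text printed by `ip -o link show` and `ip -o addr show`. The function names, the interface name `eth1` and the sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit a sniffing interface from `ip -o link show dev IF` and
# `ip -o addr show dev IF` text. Prints one finding per line and returns 0
# only if the interface is UP, PROMISC and carries no IPv4/IPv6 address.
# Caveat: PROMISC shows in these flags when set administratively
# (`ip link set IF promisc on`); a sniffer that enables it only through
# its capture socket may not be reflected here.
audit_sensor_iface() {
    link_out=$1
    addr_out=$2
    rc=0
    # Flags are the comma-separated list inside <...> on the link line.
    flags=$(printf '%s\n' "$link_out" | sed -n 's/^[^<]*<\([^>]*\)>.*/\1/p' | head -n 1)
    case ",$flags," in
        *,PROMISC,*) ;;
        *) echo "FAIL: PROMISC flag not set"; rc=1 ;;
    esac
    case ",$flags," in
        *,UP,*) ;;
        *) echo "FAIL: interface is not UP"; rc=1 ;;
    esac
    # Any inet/inet6 entry means the monitor-port NIC is addressable.
    addrs=$(printf '%s\n' "$addr_out" | awk '$3 == "inet" || $3 == "inet6" {print $4}')
    for a in $addrs; do
        echo "FAIL: address assigned: $a"
        rc=1
    done
    if [ "$rc" -eq 0 ]; then
        echo "OK: interface is UP, PROMISC and has no IP address"
    fi
    return "$rc"
}

# Wrapper for a live host (assumes iproute2 is installed).
audit_live() {
    audit_sensor_iface "$(ip -o link show dev "$1")" "$(ip -o addr show dev "$1")"
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_LINK_GOOD='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'
SAMPLE_LINK_BAD='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'
SAMPLE_ADDR_BAD='3: eth1    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1\       valid_lft forever preferred_lft forever'
```

On a sensor, `audit_live eth1` runs the same check against the real interface; an IPv6 link-local address that Linux assigns automatically is reported as a failure too.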




