[Snort-users] Snort on span port

Douglas McCrea dmccrea at ...10965...
Tue Aug 17 06:21:02 EDT 2004

Data will only go to the switch if there is a device on that switch in
the proper VLAN. For instance, if you have four VLANS (1-4) and you have
the following setup:

Switch Name    VLANs currently being used by devices
               (VLANs are trunked using 802.1Q)
Switch1        1
Switch2        1,2
Switch3        2,3,4
Switch4        4

You should monitor the trunk with your SPAN port on Switch 3, which will at
least show all the traffic for VLANs 2, 3 and 4, assuming your devices are on
24 hours a day. You could improve this by setting up a hardened,
multihomed system that just listens on four different ports, each
NIC/port combo designated to one of the VLANs. This would pull traffic
more readily.

I've also been doing some thinking about this... Would it be
possible to plug into the aggregate switch using a fiber NIC? Anyway,
the best way to do this would be a tap; I don't have the luxury, so I
monitor the trunk on my busiest switches. Eventually I'm going to set up the
multi-homed system with 5 VMware honeypots that listen on all ports, I
just haven't had the time.


Assistant Director, IT
Rutgers University

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Charles
Sent: Wednesday, August 11, 2004 3:02 AM
To: Ilango S Allikuzhi
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort on span port

----- Original Message -----
From: Ilango S Allikuzhi <ilangoallikuzhi at ...12241...>
Date: Thu, 5 Aug 2004 11:23:00 -0400
Subject: [Snort-users] Snort on span port
To: "snort-users at lists.sourceforge.net"
<snort-users at lists.sourceforge.net>

We are deploying SourceFire (Snort network sensor) appliances to capture
traffic on a VLAN that spans 4 Cisco Catalyst 5500 switches (CatOS),
connected on a trunk. I looked at the data, connecting to the span port
of each of the switches; these span ports are supposed to be well
configured by competent engineers and have been in use for a long time for
network sniffing through the NAI distributed network sniffer. I am
connecting the Snort appliance in parallel with the NAI sniffer using a 100
MB/s hub. I see less than 0.2 MB/s traffic on 3 of these switches, while
I see over 2 MB/s sustained traffic when connected to the span port of
one of the switches. So I decided to connect the IDS to the span port of
this switch. I initially thought that I would see the same traffic on
all 4 switches as they are trunked, and after this exercise I realized
the entire traffic of the VLAN can be sniffed only on one switch's
span port. A network engineer clarified that ONLY the root
bridge on the VLAN would see all the traffic, and the root bridge could
change after a re-election when the current root goes down.

The question is how do I ensure that I always capture the entire VLAN
traffic, irrespective of which switch is the "root bridge"? Should I
have IDS sensors on the span port of all the switches in this kind of
scenario? Is there any better solution? I keep hearing of the Cisco
term VACL to configure the port on which the IDS sits. Is it better
than using a span port? I would appreciate it if someone shared their
experience dealing with this kind of situation.


I work in an environment where all of our network traffic is captured
through Cisco Switch Spanning, and I have never experienced a problem
related to whichever switch might be the "root bridge" for the VLAN.

However, I am not a network engineer by any means, I am an IDS engineer.
So you may want to take what I say with a grain of salt. 
In my experience, "userland" VLANS are spanned to a "monitoring" trunk
VLAN on an alternate switch port.  The IDS either sits on that port, or
(depending upon the capabilities of the switch) that port is then
SPAN'd/RSPAN'd to another switch, which then locally SPANs the traffic
to the IDS promiscuous interface. This whole configuration depends on
your architecture, the capability of your switch infrastructure, and can
vary accordingly.

Some things to consider are: 1) how much traffic SHOULD be traversing the
VLANs that you are monitoring on the one that is seeing less bandwidth?
Is that typical or atypical? 2) How many VLANs are you dealing with?
3) What type of traffic do you actually see on the port with less
bandwidth? It's really difficult to speak intelligently about your
situation without knowing more about your architecture. If you would
like to email me off-list to provide more detail about your
infrastructure, I might be able to help more.

Basically, I don't know anything about VACLs, but we've been able to
accomplish most of the visibility that we need through a mixture of
local SPAN sessions and RSPAN (remote SPAN) sessions. You should be able to
do the same (depending on the capabilities of your switches).

Charlie Heselton
Network Security Engineer
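A check that both replies above call for (Douglas's point that a SPAN of the Switch 3 trunk should deliver VLANs 2, 3 and 4 only while hosts on them are active, and Charlie's question about what traffic actually appears on the low-bandwidth span port) is to count bytes per 802.1Q VLAN on what the sensor's interface really receives, then compare against the VLAN list you expect the SPAN to carry. The following is an added example and is not code from either poster, from Snort or from Sourcefire. It reads a classic libpcap capture taken on the monitor interface; the sample frames, and the `tagged_frame` and `build_pcap` helpers that produce them, are constructed for illustration and are not captured traffic.

```python
"""Per-VLAN accounting for 802.1Q-tagged frames seen on a SPAN/trunk monitor port.

Added example for this thread, not code from the list posters. Reads classic
pcap (libpcap) Ethernet captures; the sample frames below are constructed.
"""
import struct
from collections import defaultdict

ETHERTYPE_8021Q = 0x8100   # customer VLAN tag
ETHERTYPE_IPV4 = 0x0800
DLT_EN10MB = 1             # pcap link type for Ethernet


def vlan_of(frame):
    """VLAN ID of a tagged frame, or None for untagged/native-VLAN frames."""
    if len(frame) < 18:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF  # low 12 bits are the VID; top 3 are PCP, bit 12 is DEI


def vlan_byte_counts(frames):
    """Map VLAN ID (None = untagged) to total bytes seen on the monitor port."""
    counts = defaultdict(int)
    for frame in frames:
        counts[vlan_of(frame)] += len(frame)
    return dict(counts)


def missing_vlans(counts, expected):
    """VLANs you expected the SPAN to deliver but saw no bytes for."""
    return sorted(v for v in expected if counts.get(v, 0) == 0)


def iter_pcap_frames(data):
    """Yield Ethernet frames from classic pcap bytes (pcapng is not handled)."""
    magic = data[:4]
    if magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        end = ">"   # big-endian writer (second magic = nanosecond timestamps)
    elif magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        end = "<"   # little-endian writer
    else:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack(end + "I", data[20:24])
    if linktype != DLT_EN10MB:
        raise ValueError("expected an Ethernet (DLT_EN10MB) capture")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def audit_span(pcap_bytes, expected_vlans):
    """Return (per-VLAN byte counts, VLANs missing from the SPAN feed)."""
    counts = vlan_byte_counts(iter_pcap_frames(pcap_bytes))
    return counts, missing_vlans(counts, expected_vlans)


# --- constructed sample data: roughly what a SPAN of Switch 3's trunk might show ---

def tagged_frame(vlan, payload_len):
    """Constructed 802.1Q frame: broadcast dst, placeholder src, PCP 0, DEI 0, IPv4 inside."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("00000c000001")  # placeholder MAC, not a real host
    return (dst + src + struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
            + struct.pack("!H", ETHERTYPE_IPV4) + b"\x00" * payload_len)


def build_pcap(frames):
    """Serialize frames as a little-endian classic pcap so the parser runs offline."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    body = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + body


SAMPLE_FRAMES = [tagged_frame(2, 100), tagged_frame(3, 500),
                 tagged_frame(3, 500), tagged_frame(4, 60)]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)


if __name__ == "__main__":
    # Expecting VLANs 1-4 from a SPAN that only carries 2, 3 and 4 flags VLAN 1 as missing.
    counts, missing = audit_span(SAMPLE_PCAP, expected_vlans=[1, 2, 3, 4])
    for vid, nbytes in sorted(counts.items(), key=lambda kv: (kv[0] is None, kv[0])):
        print(f"VLAN {vid if vid is not None else 'untagged'}: {nbytes} bytes")
    print("missing from this SPAN:", missing)
```

On a real sensor, capture from the monitor interface (for example `tcpdump -i eth1 -w span.pcap` for a few minutes) and call `audit_span(open("span.pcap", "rb").read(), [1, 2, 3, 4])` with the VLAN list the trunk is supposed to carry. If every frame comes back as untagged, the tag is being stripped before the sensor sees it, which makes the per-VLAN question unanswerable: either the SPAN destination is not configured to keep the 802.1Q encapsulation (on Catalyst IOS this is the `encapsulation dot1q` or, on later releases, `encapsulation replicate` keyword on the destination; CatOS behaviour differs by release, so check the configuration guide for yours) or the sensor NIC's VLAN offload is removing it (on Linux, `ethtool -K <iface> rxvlan off`). Run the audit periodically rather than once, since as Ilango's network engineer noted, a root bridge re-election can change which switch's span port sees the traffic.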
