[Snort-users] switch-uplink?

Matt Kettler mkettler at ...4108...
Mon Nov 15 12:13:04 EST 2004

At 01:21 PM 11/15/2004, Elmar Bschorer wrote:
>hello list,
>i tried to sniff all traffic in a network-segment with my sensor.
>therefore i connected the sensor to the uplink port of my netgear fs105.
>i tried the following:
>$ ifconfig eth0 promisc
>when i run "tcpdump -i eth0" on the sensor now, i get no output.
>does anyone have any experience with this type of switch - or am i doing
>something wrong?

You don't need an uplink port. You need a true managed switch with span 
port capability.

An uplink port is really intended for when you want to cascade two switches 
into each other. Think of it as a port with a built-in equivalent of a 
"null modem" adapter so you can connect it to a normal switch port. This 
has nothing to do with what traffic goes to the port, it's just got the TX 
and RX pairs reversed.

If you've got an inexpensive unmanaged switch, you're mostly out of luck 
for a good sniffing option without replacing the switch. In general the 
options for network tapping are:

         1) use macof to flood the switch. Free, but degrades switch
            performance severely and isn't 100% reliable
         2) replace the switch with a 10 Mbps passive hub. Inexpensive, but
            very slow.
         3) build or buy a passive tap. Cheap if you build your own, but
            requires 2 NICs on your box and you need to bond interfaces
            using your OS.
         4) buy a managed switch. Easy, reliable, but can be pricey (a few
            hundred dollars at least)
