[Snort-users] Can anyone recommend a small port-mirroring switch?

Martin Olsson elof at ...6680...
Wed Oct 6 11:47:05 EDT 2004


The reason to buy a small swith instead of bying a tap is that a switch
is much cheaper than a "single NIC tap".

It seems like you even can get a switch with one or two gigabit ports for
a low cost, then you should be able to mirror both directions of a 100Mbps
port  to a 1Gbps port without any problem (100M + 100M < 1G).

In Sweden, a "single NIC tap" costs 12000 SEK ($1700) while a small switch
costs ~ 2500 SEK ($350).

There you have your reason. :-)

The environment where this particular snort is to be located isn't
important enough to spend those extra $1350 for the tap.

/Martin



On Wed, 6 Oct 2004, Eric Hines wrote:
> Can you help me understand as to why you would purchase a switch capable of
> doing port mirroring? The reason people implement Taps most often than not
> is to eliminate the need to do port mirroring, which degrades the
> performance of your switch.
>
>
> [switch]--[tap]----[router]
>             |
>           [snort]
>
> Best Regards,
>
> Eric Hines, GCIA, CISSP
> Applied Watch Technologies, Inc.
> http://www.appliedwatch.com
> Direct: (877) 262-7593 x327
> 1134 N. Main St.
> Algonquin, IL 60102
>
>
>
>
> -----Original Message-----
> From: Martin Olsson [mailto:elof at ...6680...]
> Sent: Wednesday, October 06, 2004 9:58 AM
> To: snort-users mailinglist
> Subject: [Snort-users] Can anyone recommend a small port-mirroring switch?
>
>
> Thanks for the responses to my previous mail.
>
>
> Ok, now I know of NetOptics taps, both the normal one that need a bond0 on
> my snort machine and the "Port Aggressor" model that let me sniff using a
> single NIC.
>
> If we continue on the single NIC approach... Could anyone recommend a small
> (and preferably cheap) switch that can mirror traffic?
>
> All I need is three 100Mbps ports really:
>
>   A----Switch----B
>          |
>        Snort
>
> (I know that A+B will never (or very seldom) total more than 100Mbps)
>
>
>
> I have only worked with "real" switches like Cisco Catalyst 3500, so I have
> no frame of reference as to where to begin looking. I don't want to buy
> cheap crappy stuff that overheat and die after a week.
>
> What switch brand and model should I take a look at?
>
> /Martin
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: IT Product Guide on ITManagersJournal Use
> IT products in your business? Tell us what you think of them. Give us Your
> Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
> http://productguide.itmanagersjournal.com/guidepromo.tmpl
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>





More information about the Snort-users mailing list