[Snort-users] Span/Snoop ports...

Lee Clemens snort at ...13080...
Fri Mar 18 06:29:26 EST 2005

That particular switch does support port mirring, as per the www.cisco.com:

Redirection of traffic from any port to a "sniff" port. (Any switching port
can be designated as a "sniff" port.)

But that would only be a port at a time, so it depends what you want to
monitor...even with a tap, is it possible to view all traffic going through
and amidst the switch?? i.e. without building 24/48 taps for each
connection? (I realize one tap for the uplink, but that would only grab the
outgoing/incoming traffic and not the LAN traffic)

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Ulric Eriksson
Sent: Friday, March 18, 2005 9:16 AM
To: Marc Hering
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Span/Snoop ports...

On Fri, 18 Mar 2005, Marc Hering wrote:

> Hey Guys,
> I just deployed a Snort box to one of our data centers...and I ran into
> a bit of a snafu.  We have a 2948G-L3 switch and want to snort on it.
> The problem is that a L3 switch doesn't suppprt a snoop port...Has
> anyone found a way around this?

Depending on the IOS version, you should be able to use the "port 
monitor" or "monitor session" commands.


SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list