[Snort-users] Span/Snoop ports...

Richard Bejtlich taosecurity at ...11827...
Fri Mar 18 11:57:24 EST 2005


Marc Hering wrote:

> If I configured the port as a dot1q trunk would Snort understand that
> traffic?    I need to mirror 2 switchs that are trunked together so I
> can grab all the traffic..... 

Hi Marc,

Exactly what do you want to capture?  If you monitor the trunk port
you will only see traffic passed between hosts on physically separate
switches.  Two hosts on the same physical switch will not pass any
traffic between them onto the trunk line.

Monitoring all of the traffic passing between hosts on the same
physical switch becomes more difficult as you increase the number of
active ports and their utilized bandwidth.

Sincerely,

Richard
http://www.taosecurity.com




More information about the Snort-users mailing list