[Snort-users] Tap and Hub
taosecurity at ...11827...
Fri Mar 26 23:27:36 EDT 2010
On Wed, Mar 24, 2010 at 12:55 PM, Crook, Parker <Parker_Crook at ...14786...> wrote:
> Typically speaking, vendors referring to hubs these days are referring to switches. Just to double check and make sure I hadn't missed the last few years, I asked one of our CCNPs and he gave me a funny look when I asked him about gigabit hubs... so yeah, hubs only do 10 mb half-duplex. Actually, here I started to brainstorm what a gigabit hub's traffic would look like and, wow, talk about collision city...
> Anyways, yeah, go look at gigabit taps. A tap is going to copy at line-speed, any traffic going through it to the tapped ports and you won't have to worry about numerous issues such as collisions and exceeding the bandwidth of the device.
For what it's worth, you can't purchase a Gigabit hub.
You can purchase a 10/100 Mbps "hub." If you're fortunate enough to
get all of the connected interfaces to operate at 100 Mbps, and the
"hub" isn't really a switch, you can have half-duplex 100 Mbps
For monitoring traffic between devices connected to the same switch,
SPAN is probably your best bet (as mentioned earlier). Other options
include aggregator taps, matrix switches, and "data access switches"
(like Gigamon), but those are probably overkill.
More information about the Snort-users