No subject


Thu Nov 23 16:36:19 EST 2017


single broadcast/collision domain.  You will not see ANY traffic between
segments without a bridge or layer 3 route function between them.

In a switched environment, typically each port is a separate collision domain
but one big broadcast domain.  VLANs can be created in some to separate into
separate broadcast domains and some have built-in layer 3 functionality which
basically connects a router into the backplane so that it can route between
VLANs at wire speed.

Think of a switch as a bridge with many ports (that's what it is).  Some
switches support port mirroring or span ports.  When you want to "sniff"
frames in a switched environment (beyond just broadcast/multicast traffic) you
need to be able to "see" the unicast traffic (telnet, http for example).  You
set up a port to mirror traffic from the ports that have the devices you're
interested in to the port you have your analysis device plugged into.  Without
doing so, you don't see the unicast conversations because the traffic is
getting "switched" across the backplane so pc on port 1 talks to server on
port 2 and no other ports get this traffic. If server on port 2 broadcasts or
multicasts, the information is flooded out all ports.  (Multicast can be
controlled on some switches so only those ports that have listening stations
get the traffic.  Not all switches have these capabilities.)

Hope I didn't confuse the issue or miss the point.  An excellent book on the
topic is Interconnections by Radia Perlman. (Bridges and Routers).

Best Regards,

Jim Hankins
Systems Engineer
Cisco Systems

Franki wrote:

> if you have a dual speed hub, and machines running both speeds (netcards
> with 10 and 100),
>
> would it get around that if you had two NICs in the snort machine on the
> network? one for 10 and one for 100?
>
> I just heard this and I am wondering if it's something I need to worry about
> before rolling out snort...
>
> rgds
>
> Frank
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Dragos Ruiu
> Sent: Thursday, 9 August 2001 3:16 AM
> To: swilcoxon at ...1927...; lsmithjr at ...2789...;
> fhmiv at ...3027...
> Cc: snort-users at lists.sourceforge.net; snort-users at ...382...
> Subject: FAQ 10/100 Hubs Block Other Speed Traffic (was: RE:
> [Snort-users] External snort monitoring)
>
> This _has_ to be put into the FAQ.
>
> Does anyone care to try penning/editing the conclusive,
> concise, and tutorial answer also explaining the
> operation of the hub that causes Snort/IDS problems...?
>
> cheers,
> --dr
>
> On Wed, 08 Aug 2001, swilcoxon at ...1927... wrote:
> > Dual speed hubs act like a switch between the two different speeds. If
> > your two machines are at different speeds you won't see the other traffic.
> >
> > S.W.
> >
> > > -----Original Message-----
> > > From: Larry E. Smith Jr. [mailto:lsmithjr at ...2789...]
> > > Sent: Wednesday, August 08, 2001 12:01 PM
> > > To: Frank McPherson
> > > Cc: Snort List (E-mail); Snort Users
> > > Subject: Re: [Snort-users] External snort monitoring
> > >
> > >
> > > It shows in the system log as going into promiscuous mode. And I called
> > > Linksys to verify that this is a hub and not a switch. And I do not need
> > > to set an IP for the sensor, correct?
> > >
> > > ----- Original Message -----
> > > From: "Frank McPherson" <fhmiv at ...3027...>
> > > To: "Larry E. Smith Jr." <lsmithjr at ...2789...>
> > > Cc: "Snort List (E-mail)"
> > > <snort-users at lists.sourceforge.net>; "Snort Users"
> > > <snort-users at ...382...>
> > > Sent: Wednesday, August 08, 2001 12:11 PM
> > > Subject: Re: [Snort-users] External snort monitoring
> > >
> > >
> > >
> > > Two ideas:
> > >
> > > The ethernet interface on your external snort sensor is not in
> > > promiscuous mode;
> > >
> > > or
> > >
> > > your "hub" is really a switch.
> > >
> > > On Wednesday, August 8, 2001, at 11:12  AM, Larry E. Smith Jr. wrote:
> > >
> > > > > I have my cable modem hooked into a Linksys 5 port hub and I also have
> > > > > a snort sensor configured on the hub to catch all traffic coming to my
> > > > > network. From the 5 port hub it connects into a Linksys router which is
> > > > > where my server is located. My question is why can I catch traffic on
> > > > > my internal snort sensor connected to the Linksys router, but all I can
> > > > > see are ARP requests on the external snort sensor which is connected to
> > > > > the hub? Anyone have any ideas?
> > > >
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> --
> Dragos Ruiu <dr at ...50...>   dursec.com ltd. / kyx.net - we're from the future
> gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
>

--
Jim Hankins
http://www.hankinsbay.com
jhankins at ...2942...
810-716-8480
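
A way to check, from the sensor's own capture, whether it sits on a mirrored/span port (or a true shared hub segment) or on an ordinary switched port that only receives flooded traffic, as the message above describes. This is an added example and not part of the original thread; the MAC addresses and frames are constructed, and the helper names and the 5% threshold are assumptions.

```python
from collections import Counter

BROADCAST = bytes.fromhex("ffffffffffff")

def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def classify(frame, sensor_mac):
    """Classify one raw Ethernet frame by its destination MAC."""
    if len(frame) < 14:                 # shorter than an Ethernet header
        return "runt"
    dst = frame[0:6]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                   # I/G bit set: group (multicast) address
        return "multicast"
    if dst == sensor_mac:
        return "unicast_to_sensor"
    return "unicast_to_others"          # only visible via hub or mirror port

def assess(frames, sensor_mac, min_fraction=0.05):
    """Summarise a capture taken in promiscuous mode.

    min_fraction is an assumed threshold: a switch floods unicast frames for
    MACs it has not learned yet, so a few stray frames prove nothing.
    """
    counts = Counter(classify(f, sensor_mac) for f in frames)
    total = sum(counts.values()) or 1
    transit = counts["unicast_to_others"] / total
    verdict = "transit-visible" if transit >= min_fraction else "flooded-only"
    return counts, verdict

def frame(dst, src, ethertype=0x0800):
    """Build a constructed minimum-size frame (header plus zero padding)."""
    return mac(dst) + mac(src) + ethertype.to_bytes(2, "big") + bytes(46)

# Constructed sample captures (locally administered MAC addresses).
SENSOR = mac("02:00:00:00:00:99")
PC, SERVER = "02:00:00:00:00:01", "02:00:00:00:00:02"
UNMIRRORED = ([frame("ff:ff:ff:ff:ff:ff", PC, 0x0806)] * 6      # ARP requests
              + [frame("01:00:5e:00:00:fb", SERVER)] * 2)       # IP multicast
MIRRORED = UNMIRRORED + [frame(SERVER, PC), frame(PC, SERVER)] * 5

if __name__ == "__main__":
    for name, capture in (("unmirrored", UNMIRRORED), ("mirrored", MIRRORED)):
        counts, verdict = assess(capture, SENSOR)
        print(name, dict(counts), verdict)
```

A "flooded-only" verdict with the interface in promiscuous mode matches the symptom in the original question (only ARP requests visible) and points at the network device rather than the sensor.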






