IDS mailing list archives

Re: about mirroring port


From: Karel Chwistek <karel.chwistek () i cz>
Date: Thu, 20 Mar 2003 09:28:25 +0100

SB CH wrote:


> hello, all.
>
> I would like to setup ids (like snort) at mirroring port in cisco
> catalyst switch.
> but all of the network traffic is over 100M, and my linux server which
> installs snort is not so good hardware.
>
> So I think that when I setup snort at mirroring port, all traffic
> should via linux server so the network speed would be slow

I don't mean so ... coz mirroring port is used just for traffic analysis
... so it should not slow down speed of your network ...

> Question.
>
> 1. when I setup the mirroring port, all traffic (for example, port2
> traffic) would transfer like this or just copy the traffic mirroring
> port too?
>
> (1) client --> mirroring port1 --> port 2
> (2) client --> port 2 --> mirroring port (copy too)

it will just copy the traffic to mirroring port too

> 2. Is there any problem when I set snort at mirroring port if the
> traffic is so high (over 100~200M)?

it is depending on speed of your machine where you have installed snort

> 3. do you know any commands to setup mirroring port at catalyst
> 400x (catos based) switch?

Switch(config)# monitor session 1 source interface fa2/3

for monitoring full traffic from/to fastethernet 2/3 or

Switch(config)# monitor session 1 source interface fa2/3 rx
Switch(config)# monitor session 1 source interface fa2/2 tx

for monitoring traffic coming from interface fa2/3 or outgoing by
interface fa2/2.
The port where you want to see this traffic is configured by command

Switch(config)# monitor session 1 destination interface fastethernet 5/48

You must remember that the destination port is then used only for
monitoring, not for communication !!

For more information look at
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_1_13/config/span.pdf

K.Ch.
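
One way to check the point made in the answer to question 2, whether the Snort machine keeps up with the mirrored traffic, is to compare two Linux /proc/net/dev snapshots of the sniffing interface. This is an added example, not part of the original post; the interface name eth1, the 10-second interval and all counter values are constructed, and drop/fifo are assumed to count packets lost in addition to rx_packets (this is driver-dependent).

```python
# Added example: load and receive-side loss on the sensor NIC (Linux).
# Both snapshots are constructed sample data, taken 10 seconds apart.
HEADER = ("Inter-|   Receive                        |  Transmit\n"
          " face |bytes packets errs drop fifo frame compressed multicast|"
          "bytes packets errs drop fifo colls carrier compressed\n")
SNAP_T0 = HEADER + "    lo: 10240 100 0 0 0 0 0 0 10240 100 0 0 0 0 0 0\n" \
                   "  eth1: 1000000000 2000000 0 100 0 0 0 0 0 0 0 0 0 0 0 0\n"
SNAP_T1 = HEADER + "    lo: 10240 100 0 0 0 0 0 0 10240 100 0 0 0 0 0 0\n" \
                   "  eth1: 1187500000 2247500 0 2600 0 0 0 0 0 0 0 0 0 0 0 0\n"


def parse_proc_net_dev(text):
    """Return {iface: receive counters} from /proc/net/dev content."""
    stats = {}
    for line in text.splitlines()[2:]:        # skip the two header lines
        if ":" not in line:
            continue
        name, data = line.split(":", 1)       # also handles "eth1:123" (no space)
        f = [int(x) for x in data.split()]
        stats[name.strip()] = {"rx_bytes": f[0], "rx_packets": f[1],
                               "rx_drop": f[3], "rx_fifo": f[4]}
    return stats


def sensor_load(before, after, iface, seconds, counter_bits=64):
    """Rate and loss between two snapshots; modulo handles counter wrap."""
    wrap = 1 << counter_bits                  # use 32 on old 32-bit counters
    d = {k: (after[iface][k] - before[iface][k]) % wrap
         for k in before[iface]}
    lost = d["rx_drop"] + d["rx_fifo"]        # packets the host never delivered
    seen = d["rx_packets"] + lost             # assumption: drops not in rx_packets
    return {"mbit_per_s": d["rx_bytes"] * 8 / seconds / 1e6,
            "lost_packets": lost,
            "loss_pct": 100.0 * lost / seen if seen else 0.0}


if __name__ == "__main__":
    result = sensor_load(parse_proc_net_dev(SNAP_T0),
                         parse_proc_net_dev(SNAP_T1), "eth1", 10)
    print(result)   # any sustained loss means the IDS is missing traffic
```

On a live sensor, read /proc/net/dev twice instead of using the embedded snapshots. Loss reported here happens before Snort sees the packets, so it points at the machine rather than at the switch.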

