Snort mailing list archives
Re: [fw-wiz] Sniffing on switched network
From: Roelof JT Jonkman <roel () SiliconDefense com>
Date: Wed, 09 Jan 2002 12:27:21 -0800
Pierre,
.. snip
As far as the SuperStack is concerned, it seems it can only do this for one port (and not for all ports of the switch), and the "monitored" port and the "analyzing" one must be on the same physical switch.
.. snip
Correct, you can only tie the 'Roving Analysis Port' (3Com speak for port mirroring) to one port, and not the backplane. The solution is to make sure you pick the port that is the egress/ingress of the switch, so you see all the traffic that is coming and going. However, your situation is far more complicated due to the stacking, and as such you can really only observe the ingress/egress of the entire stack.
Has anyone of you met this kind of need/switches config? How did you solve it (other than changing switches to hub, which could be done in a last resort but I would prefer not to touch the physical components if possible)? Thanks,
The best solution is to tie the Roving Analysis Port to the port that uplinks to the router/firewall, that way you catch any of the traffic that is inbound/outbound at least. Another slight variation is to break the stack, and use a regular 100BaseT connection between the two sub stacks, and tie the roving analysis port to that. (Segregate the systems that you want to monitor specifically with respect to the systems on the other stack.)

Another thing on these boxes is to keep firmware up to date, they have quite a few quirks, particularly with regard to Multicast traffic.

Hope this helps you a little.....

Roel Jonkman
http://www.SiliconDefense.com
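
A sensor-side check for the mirror placement discussed above, as an added example that is not part of the original message: it classifies captured Ethernet frames to tell whether the capture port receives mirrored traffic at all, and whether it only sees ingress/egress through the uplink. The MAC addresses, function names and sample frames are constructed for illustration.

```python
import struct
from collections import Counter

# Constructed sample addresses (assumptions, not from the thread).
SENSOR, GATEWAY = "02:00:00:00:00:10", "02:00:00:00:00:01"
HOST_A, HOST_B = "02:00:00:00:00:a1", "02:00:00:00:00:b2"
BCAST = "ff:ff:ff:ff:ff:ff"

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def frame(dst, src, ethertype=0x0800):
    """Build a minimal constructed Ethernet frame for the samples below."""
    hdr = bytes.fromhex((dst + src).replace(":", ""))
    return hdr + struct.pack("!H", ethertype) + b"\x00" * 46

def classify(frames, sensor_mac, gateway_mac):
    """Count frames by how they could have reached the capture port."""
    stats = Counter()
    for raw in frames:
        if len(raw) < 14:                 # shorter than an Ethernet header
            stats["runt"] += 1
            continue
        dst, src = mac(raw[0:6]), mac(raw[6:12])
        if raw[0] & 0x01:                 # group bit: broadcast/multicast
            stats["flooded"] += 1         # arrives even without a mirror
        elif sensor_mac in (dst, src):
            stats["own"] += 1             # the sensor's own traffic
        elif gateway_mac in (dst, src):
            stats["via_gateway"] += 1     # ingress/egress through the uplink
        else:
            stats["host_to_host"] += 1    # traffic that stays inside the stack
    return stats

def verdict(stats):
    # A few foreign unicast frames can also appear from unknown-unicast
    # flooding, so judge on a capture of reasonable length.
    if stats["via_gateway"] + stats["host_to_host"] == 0:
        return "no mirrored traffic: only flooded/own frames reach the sensor"
    if stats["host_to_host"] == 0:
        return "uplink-only view: ingress/egress seen, host-to-host not seen"
    return "host-to-host traffic visible"

UPLINK_MIRROR = [frame(GATEWAY, HOST_A), frame(HOST_A, GATEWAY),
                 frame(BCAST, HOST_B, 0x0806)]
NO_MIRROR = [frame(BCAST, HOST_A, 0x0806), frame(SENSOR, GATEWAY)]
INTER_STACK_LINK = [frame(HOST_B, HOST_A), frame(GATEWAY, HOST_A)]

if __name__ == "__main__":
    for name, sample in [("uplink", UPLINK_MIRROR), ("none", NO_MIRROR),
                         ("inter-stack", INTER_STACK_LINK)]:
        print(name, "->", verdict(classify(sample, SENSOR, GATEWAY)))
```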