Snort mailing list archives
Re: To hub or not to hub
From: Matt Kettler <mkettler () EVI-INC COM>
Date: Mon, 06 Jan 2003 18:34:37 -0500
In general if your network bandwidth at the point you are inserting a hub is low compared to the bandwidth of the hub, don't worry about it and use a hub. Good examples include monitoring a cable modem, residential DSL, or simple T1.
As far as what's "low", I'd say no more than 35% of the hub's bandwidth total. So for 1.536mbit/sec T1 line, which is 3.072mbit/sec when you count both directions, using a cheapo 10mbit hub inline is not a significant performance issue because that's only 30% of the hub's total bandwidth. Yes, it will add a tiny bit of latency due to the occasional collision, but if you're using under 35% of the bandwidth of the hub the collision rate should be reasonably low. If small latency additions will hurt your network performance, use a significantly lower utilization limit as a rule of thumb, or use a spanning switch or a hardware tap.
I'll admit up front I'm currently violating my "low" rule of thumb a bit by having a maximum possible that would hit 40%, but generally the upstream and downstream aren't saturated at the same time here. Were the network line I'm monitoring here heavily used I'd want more breathing room.
Also make SURE all ports of the hub are operating at the same rate (ie: all 10, or all 100, absolutely never use an "auto-sensing hub" with mixed speeds and expect it to behave as a truly passive hub.. it will not, see the snort FAQ for more info).
At 03:58 PM 1/6/2003 -0600, Anthony Scott wrote:
Hi. I am going to initially deploy one Snort box on our network. I want to place it right after our firewall to detect anything getting through. We have an all switched environment and I do not want to do any spanning (at least initially). I read two documents on Snort's web site, one said a hub was fine, one said a hub was a bad idea. I like the idea because it would be easy to plug and unplug the snort box without disrupting traffic.I would also like to use the box for a sniffer, ala Ethereal. Thoughts, feelings, ideas? Thanks anthony scott ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list
------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- To hub or not to hub Anthony Scott (Jan 06)
- Re: To hub or not to hub Matt Kettler (Jan 06)
- Re: To hub or not to hub Javier Liendo (Jan 06)
- <Possible follow-ups>
- RE: To hub or not to hub Semerjian, Ohanes (Jan 06)
- Re: To hub or not to hub Anthony Scott (Jan 07)
- Re: To hub or not to hub Bob Staaf (Jan 07)
- Re: To hub or not to hub Scot Scot (Jan 07)