Snort mailing list archives
RE: Cisco Catalyst - SNORT
From: Jeff Nathan <jeff () snort org>
Date: Thu, 26 Jun 2003 18:21:20 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I did some math to see for myself whether or not I would buy into the idea of there being no performance penalty. The inter-frame delay for gigabit Ethernet is 96 nanoseconds (10 ^ -9), or 0.000000096 seconds. The minimum frame data size in 802.3 is still 46 bytes, even though Alteon and others desperately want jumbo frames. Jumbo frames are meaningless in full-duplex operation, btw. What does an Ethernet frame REALLY look like? Like this: 7 byte preamble, 1 byte start of frame delimiter, 14 byte Ethernet header, data (if less than 46 bytes, padding is used), padding (to bring frame data up to 46 bytes), 4 byte CRC. 1 gigabit = 1 billion bits per second, or 125 million bytes per second. 125 million * 0.000000096 = 12 bytes (tada! the same as 10 Mb/sec and 100Mb/sec ) Let's all this all up: (this format is borrowed from Gorry Fairhurst) http://www.erg.abdn.ac.uk/users/gorry/course/lan-pages/enet-calc.htm Inter frame gap (96 nanoseconds): 12 bytes Mac Preamble + SFD: 8 bytes Ethernet Header: 14 bytes Minimum data size: 46 bytes CRC: 4 bytes - ------------------------------------------- Total: 84 bytes Data rate (1 billion bits/sec) / total frame size (bits) 1000000000 / (84 * 8) = 1488095 One point four million frames per second... that's a whole lotta frames. But wait, it gets better. Imagine having to copy that many frames from an ordinary switch port to a SPAN port. Two point eight million frames per second! I'm sure some Ethernet switches mirror traffic very well, but upon further investigation I believe it would be stretching the truth to say there is no performance degradation in doing so. - -Jeff - --On Monday, June 23, 2003 10:35 -0500 Tinsley Paul <Paul.Tinsley () HCAhealthcare com> wrote:
I recently asked this question of Cisco in reference to vlan mirroring to a gig fiber port on a 6509 and they said there should be no performance degredation as it's all done "in hardware." -----Original Message----- From: Falvo, Jose Luis - (Arg) [mailto:Jose.Falvo () attla com] Sent: Monday, June 23, 2003 10:15 AM To: 'javier () liendo net' Cc: 'Snort-users () lists sourceforge net'; Rochas, Esteban - (Ext Arg) Subject: RE: [Snort-users] Cisco Catalyst - SNORT Thanks Javier, Could will be any performance problem configuring SPAN port in a switch with high traffic ? Regards, jose -----Mensaje original----- De: Javier Liendo [mailto:javier () liendo net] Enviado el: Lunes, 23 de Junio de 2003 11:56 a.m. Para: Falvo, Jose Luis - (Arg); 'Snort-users () lists sourceforge net' Asunto: Re: [Snort-users] Cisco Catalyst - SNORT hello jose you'll have to configure the switch port where you are plugging the snort device as a "span" port... pls take a look at the following link to see how you can configure it on a 6000 series catalyst switch... http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/swconfi g/s pan.htm also in my experience, if you configure a switch port as span then you can not pass any management traffic through that port so you will have to add another network card and plug it to another switch port if you want to manage this device remotely... saludos javier --- "Falvo, Jose Luis - (Arg)" <Jose.Falvo () attla com> wrote:Hi All, I'm probing Snort in our network. Snort was installed and its run correctly. Our problem is that snort only listen packet unicast to snort IP or any broadcast packet of VLAN where its was connected. Questions is: In a Cisco Catalyst 8540 or Calalyst 6509, which is configuration port for SNORT listen all packet of the VLAN? Regards and thanks, Jose Luis Falvo Dpto. Ingeniería AT&T Latin America Tel. (54 11) 5288-0182 Olga Cosentini 1031 - Cap Fed Buenos Aires - Argentina Este mensaje es confidencial. El mismo contiene información reservada y que no puede ser difundida. Si usted ha recibido este e-mail por error, por favor avísenos inmediatamente vía e-mail y tenga la amabilidad de eliminarlo de su sistema; no deberá copiar el mensaje ni divulgar su contenido a ninguna persona. Muchas gracias. This message is confidential. It contains information that is privileged and legally exempt from disclosure. If you have received this e-mail by mistake, please let us know immediately by e-mail and delete it from your system; you should also not copy the message nor disclose its contents to anyone. Thank You.-------------------------------------------------------This SF.Net email is sponsored by: INetU Attention Web Developers & Consultants: Become An INetU Hosting Partner. Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission! INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe:https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users list archive:http://www.geocrawler.com/redir-sf.php3?list=snort-users Este mensaje es confidencial. El mismo contiene información reservada y que no puede ser difundida. Si usted ha recibido este e-mail por error, por favor avísenos inmediatamente vía e-mail y tenga la amabilidad de eliminarlo de su sistema; no deberá copiar el mensaje ni divulgar su contenido a ninguna persona. Muchas gracias. This message is confidential. It contains information that is privileged and legally exempt from disclosure. If you have received this e-mail by mistake, please let us know immediately by e-mail and delete it from your system; you should also not copy the message nor disclose its contents to anyone. Thank You. ------------------------------------------------------- This SF.Net email is sponsored by: INetU Attention Web Developers & Consultants: Become An INetU Hosting Partner. Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission! INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This SF.Net email is sponsored by: INetU Attention Web Developers & Consultants: Become An INetU Hosting Partner. Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission! INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
- -- http://cerberus.sourcefire.com/~jeff (gpg key available) Great spirits have always encountered violent opposition from mediocre minds. - - Albert Einstein -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (Darwin) iD4DBQE++5wQEqr8+Gkj0/0RArFZAJdxctcCOPoeP37FUvefEInFCoyAAJ9Jp2Tf 90b0FSH52u7nzgDraY9Osw== =thJq -----END PGP SIGNATURE----- ------------------------------------------------------- This SF.Net email is sponsored by: INetU Attention Web Developers & Consultants: Become An INetU Hosting Partner. Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission! INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Cisco Catalyst - SNORT Falvo, Jose Luis - (Arg) (Jun 23)
- Re: Cisco Catalyst - SNORT Javier Liendo (Jun 23)
- Re: Cisco Catalyst - SNORT Scott Fringer (Jun 23)
- <Possible follow-ups>
- RE: Cisco Catalyst - SNORT Falvo, Jose Luis - (Arg) (Jun 23)
- RE: Cisco Catalyst - SNORT Tinsley Paul (Jun 23)
- RE: Cisco Catalyst - SNORT twig les (Jun 23)
- RE: Cisco Catalyst - SNORT shannong (Jun 24)
- RE: Cisco Catalyst - SNORT Jeff Nathan (Jun 26)
- snort + 802.11 management frames ... Jon Baer (Jun 26)
- Re: Cisco Catalyst - SNORT Gary Flynn (Jun 27)
- Re: Cisco Catalyst - SNORT Rich Adamson (Jun 27)
- Re[2]: Cisco Catalyst - SNORT Lukasz Bromirski (Jun 27)
- Re: Cisco Catalyst - SNORT Jeff Nathan (Jun 27)
- Foundry performance? (was "Re: Cisco Catalyst - SNORT") twig les (Jun 27)
- Re: Foundry performance? (was "Re: Cisco Catalyst - SNORT") Roy S. Rapoport (Jun 28)
- OT: Re: Foundry performance? Chris Green (Jun 30)
- RE: Cisco Catalyst - SNORT twig les (Jun 23)
- Re: Cisco Catalyst - SNORT Javier Liendo (Jun 23)
- Re: Cisco Catalyst - SNORT Gary Flynn (Jun 27)
- Re: Cisco Catalyst - SNORT Jeff Nathan (Jun 27)