Snort mailing list archives
Re: Cisco Catalyst - SNORT
From: Rich Adamson <radamson () routers com>
Date: Fri, 27 Jun 2003 08:03:27 -0600
> But wait, it gets better. Imagine having to copy that many frames from an ordinary switch port to a SPAN port. Two point eight million frames per second! I'm sure some Ethernet switches mirror traffic very well, but upon further investigation I believe it would be stretching the truth to say there is no performance degradation in doing so.

> I'm not saying the switch works this way, but if the packets are on a bus and configuring a span port just means telling the port to grab anything on the bus, it would seem there would be no performance hit.
We're probably getting off-topic here a little, but the manner in which port mirroring functions is highly dependent upon the exact ethernet chip set being used within each switch and on how the OEM software engineer handled the mirroring function in their software. Most current switches have either 8 or 16 port chip sets. Mirroring from port 1 to 7 will be done within the chip set at wire speeds, where mirroring from 1 to 24, or 1/1 to 5/39, may be subjected to different circuit board paths (including backplanes in some cases) that may have other limitations. Someone is likely to say that Cisco's mirroring (as an example only) functions at wire speeds even on gig ports, when in fact their experience involved other unknown conditions (such as port 1 to port 4 on the same chip set) for which they have little/no real knowledge.

I don't know of any recent switch that actually does port mirroring using the mgmt processor. For the most part, the mgmt processors in current use are very slow and are only used to control functions that are mostly implemented in the other on-board chips.

One cannot characterize the functions by vendor either. 3Com, as one example only, may purchase 10,000 switches manufactured by one Asian company and the next 10,000 from another manufacturer. They both look the same on the outside and have the same front panel model number, but the motherboard (and chip sets) may be different. Typically they add something like -002 onto the detailed model number. The mirroring function could be implemented differently, and may exhibit entirely different mirroring characteristics or efficiencies (dropped packets) between what is perceived as the same model of two switches. It's also been common practice for many well-known US manufacturers to simply purchase pre-engineered / pre-manufactured switches from another company (particularly in the under $1500 boxes) for which the well-known company has no software/hardware engineering responsibilities.
It's pretty easy to spot those, as the well-known company's name is not etched on the circuit board. (SMC happens to be the US-recognized parent name that is producing a fair number of boxes with other brand names on the front panel.)

For those that might have an interest, rip the cover off your favorite switch and note the manufacturer's name and part number for the ethernet chip sets. Usually, they are the larger chips, and the number of switch ports divided by the number of larger chips will tell you how many ports / chip. Then go to that chip manufacturer's web site and check out the specs. You're likely to be very surprised at the huge functionality that's in them but not taken advantage of by the OEM switch vendor. Many of those specs will note that mirroring functions operate at wire speeds (at least when mirroring within the chip). There are many switches on the market today that will do wire speed mirroring on adjacent gig ports, but may drop packets between ports on different chip sets or different blades.

In any case, the engineering of the snort machine (internal bus speeds, etc.) will be more of a limiting factor than will the mirroring functions of the switch.

Rich