Snort mailing list archives
Re: [Snort-Users] Is it really a HUB?
From: "Finney Charles E" <FinneyCharlesE () JohnDeere com>
Date: Wed, 26 Nov 2003 13:50:35 -0600
If it is really autosensing port speed it is a multiport bridge (switch?). If it is a single speed device with shared bandwidth across all active ports it is a repeater (hub?). I have no idea where the terms hub and switch fit into the IEEE 802.x standards, I suspect about the same place telco switches and marketing fit. Thanks, Charlie
Message: 10 From: "Petriz, Pablo" <ppetriz () siscat com ar> To: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net> Cc: "'ktk () enterprise bidmc harvard edu'" <ktk () enterprise bidmc harvard edu>, "'dluff () iitscdm com au'" <dluff () iitscdm com au> Subject: Re: [Snort-users] Is it really a HUB? Date: Wed, 26 Nov 2003 14:57:22 -0300 I want to know if someone on this list is using the Cisco 1538 Micro Hub for snorting. In the overview pdf of this product says: - Autosensing on all ports allows automatic configuration for either 10BaseT or 100BaseT connections. - Built-in high-speed bridge function automatically connects 10BaseT and 100BaseT workstations without an external switch or router. - Embedded switch supports store-and-forward switching and filtering and forwarding rate at full-wire speed. So i don't know if snort will see all the traffic on it... Thanks, PABLODate: Wed, 29 Oct 2003 15:42:00 -0500 From: "Kristofer T. Karas" <ktk () enterprise bidmc harvard edu> To: snort-users () lists sourceforge net CC: Darryl Luff <dluff () iitscdm com au> Subject: Re: [Snort-users] Is it really a HUB? Darryl Luff wrote:It works as you say. Except that if your station never transmits anything, the switch will not learn your MAC, and will flood all traffic addressed TO YOU out all ports. [snip]Thanks... Right, that was the very thought that hit me in the head the other night as I pondered the issues further. The router with the spanned port talks to a small handful of other routers; the only MAC addresses seen coming in to the hub from that port will therefore be those of the other routers, all of which will make their way into the hub's MAC table. Thus, within a few seconds or so, the small hub will not send anything to the IDS because it knows that the source and destination MACs all reside on the port connected to the router's spanned port; ergo, there is no need to copy the packets to any of its (the hub's) other ports. Bugger. I guess I need to find somebody that makes a small 4-port switch where one can configure a port as a promiscuous listening interface. Kris
--__--__-- Message>: 11 ------------------------------------------------------- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: [Snort-Users] Is it really a HUB? Finney Charles E (Nov 26)
- Re: [Snort-Users] Is it really a HUB? kenw (Nov 28)
- OT but security related - world wide VPN /dev/null (Nov 28)
- Re: [Snort-Users] Is it really a HUB? kenw (Nov 28)