RE: Is it really a HUB?

[<bmcdowell () coxhealthplans com>]

I wonder if perhaps there's a business opportunity here, or perhaps
simply an existing piece of hardware that would help deal with these
problems.

Imagine a tap/hub/whatever that one might plug into both the 10mbit and
100mbit 'sides' of such a device, and then deliver that combined
'signal' to a single ethernet port.  Or, potentially, combining the span
ports of two or more managed switches into a single 'signal feed'.

One could show up onsite, plug in the 'feed device' into one or more
ports on one or more devices and sniff away...

Just a random thought,


Bob

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of
kenw () kmsi net
Sent: Friday, November 28, 2003 2:17 PM
To: Matt Kettler
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Is it really a HUB?


On Fri, 28 Nov 2003 14:06:01 -0500, you wrote:

> At 11:31 PM 11/27/2003, kenw () kmsi net wrote:
> > > The problem is that the actual implementation may have more
switching
> > > behavior than advertized.. all they've guaranteed is that the 10/100
> > > segments are bridged.. but that doesn't mean that the 100mbit ports
can't
> > > be fully switched with respect to each other too.
> >
> > According to Cisco's literature, these hubs provide "100-Mbps peak
> > aggregate throughput".  That implies no switching on the 100Mbps side.
>
>
> True, although they are free to give you more than advertised.
Implications 
> are not specifications.
>
> I've encountered at least one dual-speed hub, a netgear model, that
behaved 
> more like a switch than a hub between 100mbit ports. (I tried to hook a

> 100mbit/sec sniffer in between two 100mbit devices and saw nothing).
The 
> big difference is that it only supported half duplex, unlike most
switches.

Interesting.  I personally use a NetGear DS104 dual-speed hub, specially
purchased for such work.  I've never seen that behavior.  I do, though,
have to watch the port speed lights carefully, and hard-set the NIC
interface speed at times.

Vendor marketing types seem to see little harm in playing their usual
games
with terminology.  They're usually right, unfortunately.

> Basically all I was stating was that it *might* behave like a switch or
a 
> hub.. Despite the Cisco literature, I still see nothing in there that 
> solidly ensures hub-like behaviors between 100mbit ports. Thus, I still
say 
> that either behavior is possible.
>
> It could act like a hub, or a switch, and neither behavior is
guaranteed by 
> the spec.

True.  And it could even violate specs, for that matter (gee, that
_never_
happens ;-/ ).

The Principle of Least Amazement (aka Occam's Razor) would suggest that
an
auto-configuring sniffer NIC is the more likely culprit, and deserves
close
inspection.  But I would pay dearly for the ability to generate a
personal
No Wierd Sh*t Zone.

/kenw
Ken Wallewein CDP,CNE,MCSE,CCA,CCNA
K&M Systems Integration
Phone (403)274-7848
Fax   (403)275-4535
kenw () kmsi net
www.kmsi.net


-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?  SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users


-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?  SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users