Snort mailing list archives
Re: Is it really a HUB?
From: "Kristofer T. Karas" <ktk () enterprise bidmc harvard edu>
Date: Wed, 29 Oct 2003 15:42:00 -0500
Darryl Luff wrote:
It works as you say. Except that if your station never transmits anything, the switch will not learn your MAC, and will flood all traffic addressed TO YOU out all ports. [snip]
Thanks...Right, that was the very thought that hit me in the head the other night as I pondered the issues further. The router with the spanned port talks to a small handful of other routers; the only MAC addresses seen coming in to the hub from that port will therefore be those of the other routers, all of which will make their way into the hub's MAC table. Thus, within a few seconds or so, the small hub will not send anything to the IDS because it knows that the source and destination MACs all reside on the port connected to the router's spanned port; ergo, there is no need to copy the packets to any of its (the hub's) other ports. Bugger. I guess I need to find somebody that makes a small 4-port switch where one can configure a port as a promiscuous listening interface.
Kris ------------------------------------------------------- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Is it really a HUB? Petriz, Pablo (Oct 24)
- Re: Is it really a HUB? Craig Paterson (Oct 24)
- Re: Is it really a HUB? Jason Haar (Oct 25)
- Re: Is it really a HUB? Rich Adamson (Oct 25)
- Re: Is it really a HUB? Mike Cojocea (Oct 27)
- Re: Is it really a HUB? Jason Haar (Oct 25)
- Re: Is it really a HUB? Kristofer T. Karas (Oct 27)
- <Possible follow-ups>
- Re: Is it really a HUB? Marc Quibell (Oct 28)
- Re: Is it really a HUB? Kristofer T. Karas (Oct 28)
- Re: Is it really a HUB? Darryl Luff (Oct 28)
- Re: Is it really a HUB? Kristofer T. Karas (Oct 29)
- Re: Is it really a HUB? Kristofer T. Karas (Oct 28)
- Re: Is it really a HUB? Craig Paterson (Oct 24)
- Re: Is it really a HUB? Marc Quibell (Oct 28)
- RE: Is it really a HUB? Potts, Ross A. (Oct 29)
- Re: Is it really a HUB? Petriz, Pablo (Nov 26)
- Re: Is it really a HUB? Matt Kettler (Nov 26)
- Re: Is it really a HUB? kenw (Nov 27)
- Re: Is it really a HUB? Matt Kettler (Nov 28)
- Re: Is it really a HUB? kenw (Nov 28)
- Re: Is it really a HUB? Matt Kettler (Nov 28)
- Re: Is it really a HUB? kenw (Nov 28)
- Re: Is it really a HUB? Matt Kettler (Nov 26)