Snort mailing list archives

Re: FAQ 10/100 Hubs Block Other Speed Traffic (was: RE: External snort monitoring)


From: Ramin Alidousti <ramin () cannon eng us uu net>
Date: Wed, 8 Aug 2001 17:58:48 -0400

On Wed, Aug 08, 2001 at 03:47:24PM -0600, Rich Adamson wrote:


> > if you have a dual speed hub, and machines running both speeds (netcards
> > with 10 and 100),
>
> The issue is not simply a speed of 10 vs 100. The issue is "solely"
> one of...
>   "has the box manufacturer, whether it is called a hub or a switch,
>    installed any software that would limit forwarding of all traffic
>    out each port?"
>
> The sales (and some support) people can't even tell you for sure in
> most cases.
>
> Over the last several years doing network consulting work, we've seen
> hubs from various well known manufacturers that have included some
> functions to limit the transmission of packets to selected ports when
> the source and destination MAC addresses are known. The function does
> have a small beneficial impact on efficiency/throughput, but the
> function is a problem for snort and sniffers.
>
> In fact, I have two identical (old) 3Com Super Stack hubs in the lab
> that do not have any network management function built into them. One
> functions more like a switch (e.g., snort and sniffers do not see all
> traffic from all ports), while the other one acts like a dumb hub.
> There are many other examples as well.
>
> If you really want to get deep into tech stuff, open the cover and find
> the ethernet chip set used by the manufacturer. Go to that chip set
> manufacturer's web site and you're likely to find explanations. For
> example, one well known chip set supports up to four physical ports.
> When data is moved from one port to another on the same chip set, other
> external ports residing on other chip sets within the same box will not
> "see" that traffic. Some of the "newer" chip sets actually operate at layer
> three, looking deeper into each packet, impacting snort and sniffers
> from a somewhat different perspective.

All these are being considered as optimizations for better
throughput. Out of 100 hubs being purchased, maybe not even
1% is used for packet/frame sniffing. In these
circumstances where you want your snort box to be able
to sniff as much as it can, you should go and _explicitly_
ask for the dumbest available hub; they used to be the
cheapest too.

Ramin
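
One way to check whether a given hub really repeats everything to the sensor port, as an added example that is not part of the original posts: generate unicast traffic between test hosts on the other ports, capture on the sensor, and list the host pairs the capture never shows. The function names, MAC addresses, `min_frames` threshold and the inline capture are constructed for illustration, and a classic (non-pcapng) capture file is assumed.

```python
import struct
from itertools import combinations

def pcap_frames(data):
    """Yield Ethernet frames from a classic (non-pcapng) pcap byte string."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    off = 24                              # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) >= 14:              # need a full Ethernet header
            yield frame

def unseen_pairs(frames, test_macs, min_frames=5):
    """Return test-host pairs whose unicast traffic the sensor did not capture.
    Broadcast/multicast frames are ignored because even a switch floods them;
    min_frames discounts the few frames a learning device floods before it
    has learned a destination MAC (threshold is an assumption)."""
    seen = {}
    for f in frames:
        dst, src = f[0:6], f[6:12]
        if dst[0] & 1:                    # group bit set: broadcast or multicast
            continue
        key = frozenset((src, dst))
        seen[key] = seen.get(key, 0) + 1
    return [p for p in combinations(sorted(test_macs), 2)
            if seen.get(frozenset(p), 0) < min_frames]

# Constructed sample: A and B exchange unicast in view of the sensor, while
# only broadcasts from C arrive, as if C sat on a filtered port group.
A, B, C = (bytes.fromhex("0200000000" + x) for x in ("0a", "0b", "0c"))

def sample_pcap():
    frames = [B + A + b"\x08\x00" + b"x" * 46] * 6
    frames += [b"\xff" * 6 + C + b"\x08\x06" + b"y" * 46] * 6
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + recs

if __name__ == "__main__":
    for a, b in unseen_pairs(pcap_frames(sample_pcap()), [A, B, C]):
        print("not visible:", a.hex(":"), "<->", b.hex(":"))
```

An empty result for hosts spread across every port is what a dumb hub gives; any listed pair means the sensor port is blind to that path.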
