Snort mailing list archives

RE: Span/Snoop ports...

From: Richard Bejtlich <taosecurity () gmail com>
Date: Fri, 18 Mar 2005 14:55:57 -0500

Marc Hering wrote:

If I configured the port as a dot1q trunk would Snort understand that
traffic?    I need to mirror 2 switchs that are trunked together so I
can grab all the traffic.....


Hi Marc,

Exactly what do you want to capture?  If you monitor the trunk port
you will only see traffic passed between hosts on physically separate
switches.  Two hosts on the same physical switch will not pass any
traffic between them onto the trunk line.

Monitoring all of the traffic passing between hosts on the same
physical switch becomes more difficult as you increase the number of
active ports and their utilized bandwidth.

Sincerely,

Richard
http://www.taosecurity.com


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Span/Snoop ports... Marc Hering (Mar 18)
- Re: Span/Snoop ports... Paul Halliday (Mar 18)
- Re: Span/Snoop ports... Ulric Eriksson (Mar 18)
  - RE: Span/Snoop ports... Lee Clemens (Mar 18)
- Re: Span/Snoop ports... Skip Carter (Mar 18)
- <Possible follow-ups>
- RE: Span/Snoop ports... Richard Bejtlich (Mar 18)
- RE: Span/Snoop ports... Snort (Mar 21)