RE: Ethernet tap vs. spanned port

From: Adam Powers (apowers@lancope.com)
Date: 08/08/02


Date: Thu, 8 Aug 2002 12:13:11 -0400
From: "Adam Powers" <apowers@lancope.com>
To: <brian.laing@blade-software.com>, "Kyle Ginney" <kyleginney@boydgaming.com>, <focus-ids@securityfocus.com>

It's also important to understand that Cisco's SPAN implementation ONLY
mirrors valid Ethernet frames. If the frame is broken in any way that
would prevent it from being switched by the switch engine, it will not
be replicated to the destination SPAN port.

SNMP traps and passive delta-based error rate monitoring of the switch
fabric and associated ports in question is one solution.

An incredibly detailed and relatively useful doc is here:
http://www.cisco.com/warp/public/473/41.html

-Adam P.
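The practical consequence of Adam's point is that a sensor on a SPAN port never sees the frames the switch refused to forward (CRC errors, runts, and the like), so the only evidence that something is being dropped is the switch's own port error counters. The script below is an added example, not code from the thread or from Cisco: it implements the delta-based error rate monitoring Adam mentions over IF-MIB ifInErrors readings. The counter snapshots are constructed inline so it runs offline; in practice each snapshot would come from a periodic `snmpget` poll of the monitored ports. ifInErrors is a Counter32 with no 64-bit variant, so the delta logic corrects for a single wrap at 2^32.

```python
"""Delta-based error rate monitoring of switch ports (added example).

Counter snapshots are constructed here; a real deployment would fill them
from periodic SNMP polls of IF-MIB::ifInErrors / ifInDiscards per ifIndex.
"""
from dataclasses import dataclass

COUNTER32_MAX = 2 ** 32  # IF-MIB ifInErrors is a Counter32 and wraps here


@dataclass(frozen=True)
class Snapshot:
    t: float        # poll time in seconds
    counters: dict  # counter name -> value, e.g. {"ifInErrors.2": 17}


def counter_delta(old, new, width=COUNTER32_MAX):
    """Increase between two readings, correcting for one counter wrap."""
    if new >= old:
        return new - old
    return new + width - old


def error_rates(prev, curr):
    """Errors per second for every counter present in both snapshots."""
    dt = curr.t - prev.t
    if dt <= 0:
        raise ValueError("snapshots must be strictly increasing in time")
    return {
        name: counter_delta(prev.counters[name], curr.counters[name]) / dt
        for name in curr.counters
        if name in prev.counters
    }


def alerts(snapshots, threshold):
    """(time, counter, rate) for every poll interval whose rate exceeds threshold.

    A burst here means the switch is dropping frames that a SPAN-fed IDS
    will never see, which is exactly the blind spot Adam describes.
    """
    found = []
    for prev, curr in zip(snapshots, snapshots[1:]):
        for name, rate in error_rates(prev, curr).items():
            if rate > threshold:
                found.append((curr.t, name, rate))
    return found


# Constructed sample: three 60-second polls of two monitored ports (ifIndex 2 and 3).
SAMPLE = [
    Snapshot(0,   {"ifInErrors.2": 10,  "ifInErrors.3": 4294967290}),
    Snapshot(60,  {"ifInErrors.2": 12,  "ifInErrors.3": 4}),   # port 3 counter wrapped
    Snapshot(120, {"ifInErrors.2": 612, "ifInErrors.3": 5}),   # port 2 burst of errors
]

if __name__ == "__main__":
    for when, name, rate in alerts(SAMPLE, threshold=1.0):
        print(f"t={when}s {name}: {rate:.1f} errors/s")
```

To feed it real data, poll the switch with net-snmp, for example `snmpget -v2c -c <community> <switch> IF-MIB::ifInErrors.2 IF-MIB::ifInDiscards.2`, and append one Snapshot per poll. Pick the threshold from a quiet baseline on the same ports; a persistent non-zero rate on the monitored (source) ports, rather than on the SPAN destination port, is what indicates traffic the sensor is missing.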

-----Original Message-----
From: Brian Laing [mailto:Brian.Laing@Blade-Software.com]
Sent: Wednesday, August 07, 2002 10:09 AM
To: 'Kyle Ginney'; focus-ids@securityfocus.com
Subject: RE: Ethernet tap vs. spanned port

Kyle,
        I believe what you are facing is that taps typically have 2
outputs, each one has half the connection. If you are seeing the
attacks with snort but not with etrust it could be that snort does not
require the full connection for those events you are trying to capture.
I have written a document on this, if you would like email me off list
and I will forward it to you. Additionally feel free to call me and we
can discuss.

Brian

-------------------------------------------------------------------
Brian Laing
CTO
Blade Software
Cellphone: +1 650.280.2389
Telephone: +1 650 367.9376
eFax: +1 208.575.1374
Blade Software - Because Real Attacks Hurt
http://www.Blade-Software.com
-------------------------------------------------------------------
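Brian's explanation rests on the fact that a full-duplex tap delivers each direction of the link on a separate output, so a sensor wired to one output sees only one half of every conversation. The snippet below is an added example, not Brian's document or any vendor's code, and its packet records and the `/cgi-bin/vuln.cgi` request are constructed. It contrasts a single-packet rule, which still fires on one tap output, with a rule that needs the server's response as well, which only fires once both outputs are merged into one stream.

```python
"""One tap output versus both, seen through two detection rules (added example)."""
from collections import namedtuple

# Minimal packet record: timestamp, endpoints, and the TCP payload.
Pkt = namedtuple("Pkt", "ts src dst payload")

# Constructed records. A full-duplex tap puts each direction on its own output.
TAP_A = [  # client -> server direction only
    Pkt(1.000, "10.0.0.5", "10.0.0.80",
        b"GET /cgi-bin/vuln.cgi?cmd=id HTTP/1.0\r\nHost: www\r\n\r\n"),
]
TAP_B = [  # server -> client direction only
    Pkt(1.004, "10.0.0.80", "10.0.0.5",
        b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\nuid=0(root)\n"),
]


def merge(*feeds):
    """Interleave the tap outputs by timestamp to rebuild the full-duplex stream."""
    return sorted((p for feed in feeds for p in feed), key=lambda p: p.ts)


def request_only_rule(pkts):
    """Fires on the request packet alone; one tap output is enough for this."""
    return any(b"/cgi-bin/vuln.cgi" in p.payload for p in pkts)


def confirmed_rule(pkts, window=2.0):
    """Fires only when the request is answered with 200 OK within `window` seconds.

    Because it needs packets from both directions, a sensor on a single tap
    output can never satisfy it, whatever its capture stack does.
    """
    for i, req in enumerate(pkts):
        if b"/cgi-bin/vuln.cgi" not in req.payload:
            continue
        for resp in pkts[i + 1:]:
            if resp.ts - req.ts > window:
                break
            reply_direction = resp.src == req.dst and resp.dst == req.src
            if reply_direction and resp.payload.startswith(b"HTTP/1.0 200"):
                return True
    return False


if __name__ == "__main__":
    for label, feed in (("tap output A", TAP_A), ("tap output B", TAP_B),
                        ("both outputs merged", merge(TAP_A, TAP_B))):
        print(f"{label:20s} request-only: {request_only_rule(feed)!s:5s} "
              f"confirmed: {confirmed_rule(feed)}")
```

The usual fixes are either a tap with an aggregated output, or two capture interfaces on the sensor bonded so the IDS sees the merged stream; the merge step above is what that bonding does in hardware. Note that the aggregated output can be oversubscribed, since two half-duplex streams at line rate exceed the capacity of one monitor port.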

-----Original Message-----
From: Kyle Ginney [mailto:kyleginney@boydgaming.com]
Sent: Tuesday, August 06, 2002 9:39 AM
To: focus-ids@securityfocus.com
Subject: Ethernet tap vs. spanned port

My company is in the process of evaluating IDS technologies. I have set up
a SNORT IDS running on RedHat 7.3 on a Finisar Systems UTP Ethernet tap as
a baseline to compare the other IDS vendor offerings we bring in. I
previously had the SNORT box on a spanned port on a Cisco 3500 switch.
Doing a comparison before and after the move to the tap, I noticed that
the SNORT sensor picked up more traffic on the tap, so I concluded that
the tap was the better method.

My problem arose recently when we were testing the eTrust IDS from CA.
Their product only runs on Windows, so I installed it on a Win2K server
and connected a monitoring port to another port on the same Ethernet tap.
I then had both IDS running off of the same Ethernet tap with the
monitoring port on both boxes running in stealth mode. When we looked at
the data on the eTrust server, it was only capturing the packet headers -
no data. When their techs called home, they were informed that this was a
problem originating at the tap and we should move the monitoring port to a
spanned port. When we did this, their sensor picked up the full packet
payload.

From what I can tell, the SNORT sensor is picking up the full packet. Is
this problem related to the Windows OS? Why can I capture the entire
packet from the tap with Sniffer on Win2K and their product cannot? Is
this problem specific to the eTrust server from CA or has anyone else
experienced this anomaly with other products?
