RE: Hub vs. Tap vs. SpanPort

From: Rob Shein (shoten@starpower.net)
Date: 10/02/02 

From: "Rob Shein" <shoten@starpower.net>
To: "'Orlando Diaz,TRI'" <ODiaz@tricom.com.do>, <jef@linuxbe.org>, <focus-ids@securityfocus.com>
Date: Wed, 2 Oct 2002 16:16:22 -0400

Yes, but if you really think about it, all you need to span are the RX.
That way you avoid the problem listed in Cisco's page here:
http://www.cisco.com/warp/public/473/41.html#perf2. And if you think
about it, with IDS all you're interested in is the RX anyways; even if
the attack originates from your system(s), it'll end up being in RX on
another port even before going out to the internet...

-----Original Message-----
From: Orlando Diaz,TRI [mailto:ODiaz@tricom.com.do]
Sent: Wednesday, October 02, 2002 3:23 PM
To: Rob Shein; jef@linuxbe.org; focus-ids@securityfocus.com
Subject: RE: Hub vs. Tap vs. SpanPort

When you span TX and RX to a port you cause a coalition on the
mirroring.

About unplugging cables i was confused, i was thinking in other stuff.

-----Original Message-----
From: Rob Shein [mailto:shoten@starpower.net]
Sent: Wednesday, October 02, 2002 2:25 PM
To: 'Orlando Diaz,TRI'; jef@linuxbe.org; focus-ids@securityfocus.com
Subject: RE: Hub vs. Tap vs. SpanPort

How do SPAN ports cause broadcast messages? As I know it in Cisco-land,
they're only capable of showing traffic, not receiving it. And how do
they cause network performance problems (assuming the switch isn't
overloaded on processing to begin with)?

And I don't see how changing an IDS wouldn't require unplugging cables
with a tap any less than it would with a switch...

-----Original Message-----
From: Orlando Diaz,TRI [mailto:ODiaz@tricom.com.do]
Sent: Wednesday, October 02, 2002 11:33 AM
To: jef@linuxbe.org; focus-ids@securityfocus.com
Subject: RE: Hub vs. Tap vs. SpanPort

I don't agree.
SpanPort cause a lot of broadcast messages and reduce network
performance. And(of course) you need an available port to span to. Tap's
give you a way to monitor the traffic without interrupt the network, you
don't need to unplug cables and disconnect the switch or servers anytime
you want to use a different sniffer or IDS; and tap's dont affect
network performance and are fault tolerant.

And like you say HUB's are a problem.

-----Original Message-----
From: Jean-Francois Dive [mailto:jef@linuxbe.org]
Sent: Tuesday, October 01, 2002 6:34 PM
To: focus-ids@securityfocus.com
Subject: Re: Hub vs. Tap vs. SpanPort

Hub: the most easy bit, but does not fit in most environement due to the

lack of hub , adding one beeing somehow seen as a problem (hardware
quality, etc..etc..).

Tap: An easy way to the do, but may be expensive in certain case and may
need a shutdown of the network when setting up and is not very easy to
move, change the traffic beeing monitored.

SpanPort: clearly the most easy and flexible solution, but need to be
used smoothly as it could kill your switch.It however give you the great
possibility to change the traffic beeing monitored.
(tip: on a cisco catalyst, use spanport and set the port as a trunk: you
have the vlan tags on the packet as well, which is cool for traffic
repartition and analysis, this at least used to work on a 5500 when i
tested it a year ago).

Jochen Vogel wrote:
> hi,
>
> what are the pros and cons between capturing on an Hub, Tap or
> SpanPort?
>
> thx for infos
> Jo
>

#################################################################
#################################################################
#################################################################
#####
#####
#####
#################################################################
#################################################################
#################################################################

#################################################################
#################################################################
#################################################################
#####
#####
#####
#################################################################
#################################################################
#################################################################

Relevant Pages

  • RE: Hub vs. Tap vs. SpanPort
    ... When you span TX and RX to a port you cause a coalition on the mirroring. ... Hub vs. Tap vs. SpanPort ... with a tap any less than it would with a switch... ...
    (Focus-IDS)
  • RE: Hub vs. Tap vs. SpanPort
    ... with a tap any less than it would with a switch... ... Hub vs. Tap vs. SpanPort ... SpanPort cause a lot of broadcast messages and reduce network ...
    (Focus-IDS)
  • RE: Hub vs. Tap vs. SpanPort
    ... If you are using Cisco gear, skip both methods and use VACLs and capture ports. ... If you are using copper taps, anytime the tap loses power the traffic drops for about 5 seconds....Fiber it doesn't matter. ... Hub vs. Tap vs. SpanPort ... SpanPort cause a lot of broadcast messages and reduce network performance. ...
    (Focus-IDS)
  • Re: Hub vs. Tap vs. SpanPort
    ... > SpanPort cause a lot of broadcast messages and reduce network performance. ... > Andyou need an available port to span to. ... > Hub: the most easy bit, but does not fit in most environement due to the ...
    (Focus-IDS)
  • Re: Hub vs. Tap vs. SpanPort
    ... Hub: the most easy bit, but does not fit in most environement due to the ... SpanPort: clearly the most easy and flexible solution, ... > what are the pros and cons between capturing on an Hub, Tap or SpanPort? ...
    (Focus-IDS)
Quantcast