Re: about mirroring port
From: Joe Magee (lists@joemagee.com)
Date: 03/20/03
- Previous message: Rob Shein: "RE: about mirroring port"
- Maybe in reply to: SB CH: "about mirroring port"
- Next in thread: Dejan Markovic: "Re: about mirroring port"
- Reply: Dejan Markovic: "Re: about mirroring port"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 20 Mar 2003 02:36:18 -0500
From: "Joe Magee" <lists@joemagee.com>
To: <focus-ids@securityfocus.com>
>also keep in mind port mirroring on a switch for the most part isn't
>perfect. I've read many places over time that if the switch's CPU
>gets heavily loaded it will randomly drop packets on the mirrored
>ports. Higher end switches may work better. Also when talking to
>cisco a couple years ago, I was trying to do something similar,
In practice, some of the higher end switches yielded the same results.
>was trying to mirror ports that were uplinked to other switches,
>not directly connected to systems, and the switch (2900xl for me
>at the time) does not support mirroring in such a way (which was
>proven to me by the lack of traffic on the mirrored ports),
>according to the cisco rep I talked to. not sure if higher end
>switches are different. I have a summit 48 here but haven't tried
>port mirroring on it.
For low bandwidth applications, using a standard L2 switch's "SPAN" port feature may work. For multiple simultaneous copies of traffic, take a look at the Top Layer IDS Balancer. It's a very mature product. I used it in my previous jobs for balancing, making multiple simultaneous copies of traffic, and splicing off applications.
For more on the topic check out: http://www.joemagee.com/filez/Why%20not%20use%20a%20switch.pdf
>> 1. when I set up the mirroring port, all traffic (for example, port2 traffic)
>> would transfer like this, or just copy the traffic to the mirroring port too?
>>
>> (1) client --> mirroring port1 --> port 2
>> (2) client --> port 2
>> --> mirroring port (copy too)
>
>I think it usually just copies the traffic on the switch itself.
>
>>
>> 2. Is there any problem when I set snort at mirroring port if the traffic
>> is so high(over 100~200M)?
>
>depends on the traffic. At my last employer I had 2 snort sensors on
>2 T1s averaging ~5% utilization. And running a full blown untuned snort
>got me more than 40,000 events per hour. Spending dozens of hours
>analyzing and tuning got it down to ~30 events/hour.
>
>
>> 3. do you know any commands to set up a mirroring port on a Catalyst 400x (CatOS
>> based) switch?
>
>not off the top of my head, been a while since I tried port mirroring
>on a switch.
>
>nate
Joe Magee
http://www.joemagee.com
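Added example, not part of Joe's or nate's posts: the SPAN configuration the thread is asking about, written from memory of the CatOS and IOS command syntax. The module/port numbers, VLAN number and interface names are placeholders; check `show span` / `show monitor` on the real switch, because exact options vary by platform and software release.

```cisco
! CatOS (Catalyst 4000/5000/6000 family) - placeholders: source port 2/1,
! destination (sensor) port 2/24, VLAN 10.
! Mirror both directions of one port to the sensor port:
set span 2/1 2/24 both
! Mirror a whole VLAN instead of a single port (source may be a VLAN list):
set span 10 2/24 both
! Verify the session and watch the destination counters actually climb;
! an empty mirror (no traffic on the sensor port) is the first thing to check.
show span
show port 2/24

! IOS (Catalyst 2950/3550 and later) - equivalent monitor session:
monitor session 1 source interface FastEthernet0/1 both
monitor session 1 destination interface FastEthernet0/24
show monitor session 1

! IOS on the 2900XL/3500XL - monitoring is set on the destination interface:
interface FastEthernet0/24
 port monitor FastEthernet0/1
```

The caveat that answers question 2 above: a SPAN destination is one port with one link speed, while `both` on a full-duplex source offers its receive and transmit directions to that port together. Mirroring both directions of a busy 100 Mbps port into a 100 Mbps destination can offer up to 200 Mbps, and mirroring a VLAN or several ports multiplies that further; whatever exceeds the destination's line rate is dropped by the switch, silently, before the sensor ever sees it. So "over 100~200M" of source traffic on a 100 Mbps mirror port is already oversubscribed regardless of how well the sensor itself keeps up. Mirror `rx` only, use a gigabit destination, or go to a tap/IDS balancer if the offered load can exceed the destination.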