Typically, you won't be able to view all of the network traffic on any
given port of a Switch. Unless, the port that you are connected to is
enabled as a monitoring port. Hence the name Switch. The switch keeps an
ARP table of all of the hosts that are attached directly to it on the
wire. It then will only pass/switch packets to it's hosts that it is
responsilble for.

This is a crude explanation but hopefully it helps.

--Brian

Martin Roesch wrote:
>
> --
> Martin Roesch
> roeschmd.prestige.net
> http://www.snort.org
>
> ------------------------------------------------------------------------
>
> Subject: Snort on a switched network ?
> Date: Wed, 7 Mar 2001 15:37:53 -0500
> From: Andrew.Zielinskibedbath.com
> To: snort-users-adminlists.sourceforge.net
>
> I'm running Snort on a switched network, previously I tested it on a net
> with a dumb hub and it worked fine. On the switched net, which is a DMZ
> Rail, I'm mirroring all the port. Problem is I only seem to be getting all
> the traffic coming out of the mirrored port, which I don't care about. I'm
> not picking up traffic going into the ports, has anyone ever seen this
> problem?
>
> Andrew Zielinski

-- 
Regards,
Brian Little
winzighome.com http://members.home.com/winzig 
IM winzig40
"The best way to destroy an enemy is to make him your friend." Abe
Lincoln
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]