From: Andrew.Zielinskibedbath.com
Date: Mon Mar 12 2001 - 08:12:03 CST

    Thank you, but I did resolve the issue. I had a port set up for monitoring;
    it mirrored the ports that I wanted to monitor. What we did not realise is
    that it was set up to monitor in one direction only, i.e. we were monitoring
    traffic going out of the mirrored ports; what we needed is to monitor
    traffic coming into the mirrored ports.

    Andrew Zielinski
    ----- Forwarded by Andrew Zielinski/IT Corp/BBBY on 03/12/2001 08:49 AM -----

    Brian Little <winzighome.com>
    Sent by: snort-users-adminlists.sourceforge.net
    03/12/2001 08:22 AM
    Please respond to winzig

    To:
    cc: snort-users <snort-userslists.sourceforge.net>
    Subject: Re: [Snort-users] [Fwd: Snort on a switched network ?]

    Typically, you won't be able to view all of the network traffic on any
    given port of a Switch, unless the port that you are connected to is
    enabled as a monitoring port. Hence the name Switch. The switch keeps an
    ARP table of all of the hosts that are attached directly to it on the
    wire. It then will only pass/switch packets to the hosts that it is
    responsible for.

    This is a crude explanation but hopefully it helps.

    --Brian

    Martin Roesch wrote:
    >
    > --
    > Martin Roesch
    > roeschmd.prestige.net
    > http://www.snort.org
    >
    >
    > ------------------------------------------------------------------------
    >
    > Subject: Snort on a switched network ?
    > Date: Wed, 7 Mar 2001 15:37:53 -0500
    > From: Andrew.Zielinskibedbath.com
    > To: snort-users-adminlists.sourceforge.net
    >
    > I'm running Snort on a switched network, previously I tested it on a net
    > with a dumb hub and it worked fine. On the switched net, which is a DMZ
    > Rail, I'm mirroring all the ports. Problem is I only seem to be getting
    > all the traffic coming out of the mirrored port, which I don't care
    > about. I'm not picking up traffic going into the ports, has anyone ever
    > seen this problem?
    >
    > Andrew Zielinski

    --
    Regards,
    Brian Little
    winzighome.com http://members.home.com/winzig
    IM winzig40
    "The best way to destroy an enemy is to make him your friend." Abe
    Lincoln
    

    _______________________________________________ Snort-users mailing list Snort-userslists.sourceforge.net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users
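The one-direction mirroring problem resolved in this thread can be confirmed from the sensor's own capture. The following is an added example, not part of the original messages or of Snort: it counts packets seen from and to each monitored host in `tcpdump -n` style text. The sample lines, addresses, function names and the `min_packets` threshold are constructed for illustration, and the labels describe direction relative to the host, not the switch's own ingress/egress terms.

```python
import re

# Constructed lines in the style of `tcpdump -n` output; all addresses are
# made up. 10.0.0.5 and 10.0.0.6 stand in for hosts on the mirrored ports.
ONE_WAY = """\
08:12:03.000001 IP 10.0.0.5.1025 > 198.51.100.7.80: Flags [S], length 0
08:12:03.000950 IP 10.0.0.5.1025 > 198.51.100.7.80: Flags [.], length 0
08:12:04.100000 IP 10.0.0.6.1030 > 203.0.113.9.25: Flags [S], length 0
08:12:04.101200 IP 10.0.0.6.1030 > 203.0.113.9.25: Flags [.], length 0
"""
REPLIES = """\
08:12:03.000700 IP 198.51.100.7.80 > 10.0.0.5.1025: Flags [S.], length 0
08:12:04.100900 IP 203.0.113.9.25 > 10.0.0.6.1030: Flags [S.], length 0
"""
HOSTS = ["10.0.0.5", "10.0.0.6"]

ADDR = r"(\d+(?:\.\d+){3})(?:\.\d+)?"   # IPv4 address, optional .port
LINE = re.compile(rf"\bIP {ADDR} > {ADDR}:")

def direction_report(text, monitored):
    """Count packets seen from and to each monitored host."""
    counts = {h: {"from_host": 0, "to_host": 0} for h in monitored}
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an IPv4 line this parser understands
        src, dst = m.groups()
        if src in counts:
            counts[src]["from_host"] += 1
        if dst in counts:
            counts[dst]["to_host"] += 1
    return counts

def mirror_verdict(text, monitored, min_packets=2):
    """Label each host by which directions the sensor actually sees."""
    verdicts = {}
    for host, c in direction_report(text, monitored).items():
        if c["from_host"] + c["to_host"] < min_packets:
            verdicts[host] = "insufficient-data"
        elif c["to_host"] == 0:
            verdicts[host] = "only-from-host"
        elif c["from_host"] == 0:
            verdicts[host] = "only-to-host"
        else:
            verdicts[host] = "both-directions"
    return verdicts

if __name__ == "__main__":
    print(mirror_verdict(ONE_WAY, HOSTS))
    print(mirror_verdict(ONE_WAY + REPLIES, HOSTS))
```

A host that stays at `only-from-host` or `only-to-host` over a busy period points at the mirror session's direction setting on the switch, not at the IDS rules.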