Using Ethereal or Snort on a Switched Network

Hi Guys!
Hope you can help.

Id like to set up snort on our switched network at work but I believe Im only getting packets coming to/from my machine when I set it up on my pc plus broadcast and multicast packets.

Ive read that if you have switches that support port mirroring (or as Cisco calls it, SPAN), that this is possible.

If I plugged my pc into a port that was set up for port mirroring (SPAN),

1) do all of our switches have to support port mirroring?
2) where would be the best place (we have heaps of switches) to configure this port mirroring and how would i add all ports from all switches to replicate traffic to this port so I could then sniff the wire?
3) how would you set up sniffing with snort to trap all packets from different subnets?

I know this is a lot...any help appreciated.

Thank you.

Simon
LVL 1
Simon336697Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

rsivanandanCommented:
You want to put the snort onto the outgoing to port; lets assume this is your network;


Internet-----Device-----------Switch1---------------------More switches

   You see that the switch1 and Device is connected and through which all the traffic from your network and internet will happen. So what I would do is to mirror that particular port.

You don't have to worry about different subnets. It just sniffs and only does a pattern matching and there is no routing involved here.

Cheers,
Rajesh

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
marce_litoCommented:
if your switches don't support port mirroring, you could also use ARP poisoning, but it's kinda dangerous to do it all the time... do you need to monitor a specific host for just a small amount of time?? if you do, you can use Cain's (www.oxid.it) to do ARP poisoning
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Networking

From novice to tech pro — start learning today.