Using Ethereal or Snort on a Switched Network

Posted on 2006-03-22
Last Modified: 2011-08-18
Hi Guys!
Hope you can help.

I'd like to set up Snort on our switched network at work, but I believe I'm only getting packets coming to/from my machine (plus broadcast and multicast packets) when I set it up on my PC.

I've read that if you have switches that support port mirroring (or, as Cisco calls it, SPAN), this is possible.

If I plugged my PC into a port that was set up for port mirroring (SPAN):

1) Do all of our switches have to support port mirroring?
2) Where would be the best place (we have heaps of switches) to configure this port mirroring, and how would I add all ports from all switches to replicate traffic to this port so I could then sniff the wire?
3) How would you set up sniffing with Snort to trap all packets from different subnets?

I know this is a lot... any help appreciated.

Thank you.

Question by: Simon336697

Accepted Solution

You want to put Snort on the outgoing port; let's assume this is your network:

Internet-----Device-----------Switch1---------------------More switches

You can see that Switch1 and the Device are connected, and all the traffic between your network and the Internet passes through that link. So what I would do is mirror that particular port.

You don't have to worry about different subnets. It just sniffs and only does pattern matching; there is no routing involved here.
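The setup the accepted answer describes (mirror the uplink port on Switch1 to the sensor port, then run Snort on that interface), as an added example that is not part of the original thread. It assumes a Cisco IOS switch and a Linux sensor; the interface names (Gi0/1, Gi0/24, eth1) and paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes a Cisco IOS switch and a
# Linux sensor; interface names and paths are placeholders.

# Emit the Cisco IOS SPAN configuration: mirror the uplink port ($1, the port
# toward "Device" in the answer's diagram) in both directions to the sensor
# port ($2). One session on Switch1 covers Internet-bound traffic; host-to-host
# traffic that never crosses the uplink is not seen by this session.
span_config() {
    cat <<EOF
monitor session 1 source interface $1 both
monitor session 1 destination interface $2
EOF
}

# Prepare the sensor NIC: strip any IP address (the NIC only listens; on
# Catalyst switches a SPAN destination port does not forward frames from the
# sensor into the switch unless "ingress" is configured) and enable
# promiscuous mode so frames addressed to other hosts are accepted.
# Needs root, so it is defined here but not run.
sensor_prep() {
    ip addr flush dev "$1"
    ip link set dev "$1" promisc on
    ip link set dev "$1" up
}

# Build the Snort command line: -i selects the mirror interface, -c the
# configuration/ruleset, -l the log directory. Snort matches patterns on
# whatever arrives on the interface, so mirrored traffic from every subnet
# is inspected without any routing on the sensor.
snort_cmd() {
    printf 'snort -i %s -c %s -l %s\n' "$1" "$2" "$3"
}

# Show the switch-side configuration and the sensor-side command.
span_config Gi0/1 Gi0/24
snort_cmd eth1 /etc/snort/snort.conf /var/log/snort
```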

Assisted Solution

If your switches don't support port mirroring, you could also use ARP poisoning, but it's kind of dangerous to do it all the time... Do you need to monitor a specific host for just a small amount of time? If you do, you can use Cain's ( to do ARP poisoning.
