TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ---------------------------------------------------------------------------- Not only that, but if you're spanning traffic in+out of the source port then you've got up to 3x(2x100)=600 Mbps out on to a 100 Mbps wire. I'd be inclined to check your port stats for errors and dropped packets, plus whether you ARE spanning traffic in+out, and whilst you're at it whether you are spanning multicast traffic and whether you're allowing packets to be injected into the span (eg for realsecure kills). Also some switches can span by vlan in which case you'd need to check the vlan settings. James On Tue, 24 Apr 2001 08:43:47 -0400, "Laing, Brian (ISS Reading)" <[EMAIL PROTECTED]> wrote: > >TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to >[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! >---------------------------------------------------------------------------- > >If you are seeing traffic it is probably setup correctly. The problem with >span ports is more a case of overloading the port. For instance set span >12-14 1 would copy the traffic from 12,13,14 to port 1 obviously 300 mbps is >not going to go down a single 100 mbps. > >brian > > >------------------------------------------------------------------- >Brian Laing >Product Manager - Intrusion Detection Technologies >Internet Security Systems >UK Cellphone: +44 (0)771 264 5559 >US Cellphone: +1 404 391 0589 >UK Telephone: +44 (0)199 253 5918 >US Telephone: +1 404 236 2709 >US eFax: 208.575.1374 >Internet Security Systems -- The Power to Protect > >http://www.iss.net >------------------------------------------------------------------- > > -----Original Message----- >From: KDouble [mailto:[EMAIL PROTECTED]] >Sent: Friday, April 20, 2001 12:02 PM >To: 'Ronald Petrucci'; [EMAIL PROTECTED] >Cc: '[EMAIL PROTECTED]' >Subject: RE: > > >TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to >[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any >problems! >---------------------------------------------------------------------------- > >We set up the spanning and connected the monitoring nic, I guess I was >expecting to see more traffic than I do. I was just concerned that it may >not be spanned appropriately. Now that I know it at least supports it, I >need to go back and double check the settings. > >Any tips on tweaking or checking the spanned port? > > -----Original Message----- >From: Ronald Petrucci [mailto:[EMAIL PROTECTED]] >Sent: Thursday, April 19, 2001 8:44 PM >To: [EMAIL PROTECTED] >Cc: KDouble; '[EMAIL PROTECTED]' >Subject: Re: > > > >Ray & Ken > >I have Real Secure 5.0 NT operating in a switched environment without the >Network TAP. All we did was >ensure that port spanning was enabled at the switch .... the sensor then >began >to see all traffic. >We also looked at the Shomiti Tap as a possible solution and found it to be >good >but very costly. > >Ron > > > > > >Ray Honeycutt <[EMAIL PROTECTED]> on 04/19/2001 04:57:38 AM > >Please respond to [EMAIL PROTECTED] > >To: KDouble <[EMAIL PROTECTED]> >cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]> (bcc: Ronald Petrucci/FTCI) >Subject: Re: > > > > > >TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to >[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any >problems! >---------------------------------------------------------------------------- > >I'm not sure if you received a good answer to your question, but I recall >about >a >year ago several customers indicated that they use RS in a switched >environment >with a network tap. This avoids the problems associated with port mirroring >on >a >switch. I know Shomiti (www.shomiti.com) makes the leading network tap on >the >market. We have used their taps in a number of networks for protocol >analysis >and they work great. > >KDouble wrote: > >> TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message >to >> [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any >problems! >> >---------------------------------------------------------------------------- >> >> Does anyone have ISS Real Secure Network Sensor 5.0 working in a spanned >> switch environment? >> >> Ken > >---------------------------------------------------- >Ray Honeycutt 919.779.3055 Voice >President 919.779.3464 Fax >HCS Systems Inc. www.hcssystems.com >Suite E [EMAIL PROTECTED] >1428 Aversboro Rd. >Garner NC 27529, USA > > > > > > > > > > > >
