09-16-2009 05:41 AM - edited 03-06-2019 07:44 AM
Is there any possible way of a monitored port (source port) to stop forwarding traffic because either the destination port device was offline or crashed (like Wireshark)?
I need to set up port mirroring for Snort, but I don't know how much traffic I'm going to really see. If it overloads the box that I have it on, I don't want the source to stop sending traffic for any reason.
Thanks,
John
Solved! Go to Solution.
09-16-2009 06:28 AM
Hi John,
I suppose you plan to use span on a cisco switch for that. In that scenario source span port will continue to operate normally
no matter whether span destination is up, is connected or is running. You may even set up port mirroring without any span destination it won't impact the traffic.
Roland
09-16-2009 06:28 AM
Hi John,
I suppose you plan to use span on a cisco switch for that. In that scenario source span port will continue to operate normally
no matter whether span destination is up, is connected or is running. You may even set up port mirroring without any span destination it won't impact the traffic.
Roland
09-17-2009 06:22 AM
Thanks Roland. It works good, and I had to bring the IDS down yesterday while monitoring was going on (just to test). Everything stayed up. :)
John
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide