Wednesday, November 30, 2005

Why Duplicate Packets May Appear on SPAN Ports

I noticed a post to snort-users today asking if Snort had a problem with duplicate packets:

"We have a range of switches being used within our network for port monitoring, and a couple have had to be set up in such a way that you can end up seeing each packet TWICE on the snort interface. I've been told by our network engineers that this has to be the case in order for the IDS to see the networks it needs to on one card."

I think I know why this is happening. I cover this issue in day one of my Network Security Operations course.

Essentially, the admin who sets up the SPAN port has to decide whether to copy traffic entering the monitored source ports, leaving them, or both. If both directions are copied, a packet that travels between two monitored ports on the same switch is copied twice, once as it enters the switch and once as it leaves, so duplicate packets will appear whenever intra-switch traffic is carried.
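As an added illustration (not from the post), a small Python model of that decision: a SPAN session's source ports and direction determine how many copies of each frame reach the sensor, so "both" on two access ports delivers every intra-switch frame twice while copying only one direction drops traffic arriving from an unmonitored uplink. The port names, payloads and topology are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    src_port: str   # switch port the frame arrives on
    dst_port: str   # switch port the frame is forwarded out of
    payload: str

def span_copies(frame, monitored, direction):
    """Number of copies the SPAN destination receives for one frame.
    monitored: SPAN session source ports; direction: 'rx' copies frames
    entering a monitored port, 'tx' frames leaving one, 'both' does both."""
    copies = 0
    if direction in ("rx", "both") and frame.src_port in monitored:
        copies += 1
    if direction in ("tx", "both") and frame.dst_port in monitored:
        copies += 1
    return copies

def sensor_view(frames, monitored, direction):
    """Flatten the stream as the sensor NIC on the SPAN port sees it."""
    seen = []
    for f in frames:
        seen.extend([f.payload] * span_copies(f, monitored, direction))
    return seen

def duplicate_rate(stream):
    """Fraction of frames in the stream that are exact repeats."""
    repeats = sum(n - 1 for n in Counter(stream).values())
    return repeats / len(stream) if stream else 0.0

# Constructed topology (not from the post): client and server on access ports
# of one switch; uplink Gi0/1 to the firewall is deliberately NOT spanned.
MONITORED = {"Fa0/1", "Fa0/2"}
SAMPLE_FRAMES = [
    Frame("Fa0/1", "Fa0/2", "client>server SYN"),       # intra-switch
    Frame("Fa0/2", "Fa0/1", "server>client SYN/ACK"),   # intra-switch
    Frame("Fa0/1", "Gi0/1", "client>internet GET"),     # leaves via uplink
    Frame("Gi0/1", "Fa0/1", "internet>client 200 OK"),  # arrives via uplink
]

if __name__ == "__main__":
    for d in ("rx", "tx", "both"):
        view = sensor_view(SAMPLE_FRAMES, MONITORED, d)
        print(f"{d:5s} frames seen={len(view)} duplicate rate={duplicate_rate(view):.2f}")
```

With "both", the two intra-switch frames are each seen twice (6 frames, a third of them repeats); with "rx" alone there are no duplicates, but the reply arriving from the unspanned uplink is never seen at all.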

8 comments:

jrk said...

So, to get around all of this could a dual-homed sensor be used to listen to two different SPAN ports, both "copy-in" and "copy-out"?

Richard Bejtlich said...

Hi jrk,

I'm not sure what you mean. The issue hinges on the sort of traffic to monitor (intra-switch or inter-switch). If you decide to see both types of traffic, you will see duplicates when intra-switch traffic occurs.

jrk said...

What I was trying to get at was if you could eliminate the intra-switch traffic by listening on two different SPAN ports, one with "copy-in" and one with "copy-out"? My original post wasn't very clear.

Richard Bejtlich said...

jrk -- I think we resolved this in IRC. If anyone else has comments, please post.

Anonymous said...

Forgive my ignorance, but whenever I've set up a SPAN port on our Cisco gear I've just used the command 'set span mod/port mod/port'. How does one specify which spanning method should be used? Or, alternatively, how does one know which method the switch has chosen to use if a particular method was not specified?

Thanks!

Richard Bejtlich said...

Hello Anonymous,

Your syntax is for CatOS. Mine is for IOS. Check out the differences here.

Anonymous said...

4th slide. In a "copy-in" scenario, (assuming firewall port is also spanned) wouldn't the c-a syn-ack be seen coming into the switch from the firewall?

Richard Bejtlich said...

I should have mentioned this scenario does not involve spanning the uplink to the firewall.