Why Duplicate Packets May Appear on SPAN Ports

I noticed a post to snort-users today asking if Snort had a problem with duplicate packets:

"We have a range of switches being used within our network for port monitoring, and a couple have had to be set up in such a way that you can end up seeing each packet TWICE on the snort interface. I've been told by our network engineers that this has to be the case in order for the IDS to see the networks it needs to on one card."

I think I know why this is happening. I cover this issue in day one of my Network Security Operations course.

Essentially, the admin who configures the SPAN session has to decide whether to copy traffic entering the monitored port ("copy-in"), leaving it ("copy-out"), or both. If both directions are copied, duplicate packets will appear whenever intra-switch traffic is carried, because a frame passing between two monitored ports on the same switch is copied once as it enters the first port and again as it leaves the second.
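As an added illustration of that trade-off (this is not code from the post; the hosts, port names and frames are constructed), the following Python model of a SPAN session shows that copy-in or copy-out alone misses half of an inter-switch exchange when the uplink is not spanned, while copying both directions sees everything but delivers every intra-switch frame twice:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src: str   # sending host
    dst: str   # receiving host
    seq: int   # constructed identifier, so a genuine retransmit is not a "duplicate"


# Constructed topology: hosts A and B sit on access ports of the monitored
# switch; host C is reached through the uplink Gi0/1 on another switch.
HOST_PORT = {"A": "Fa0/1", "B": "Fa0/2", "C": "Gi0/1"}
MONITORED = {"Fa0/1", "Fa0/2"}      # the uplink is deliberately NOT a SPAN source

# Constructed traffic: one intra-switch exchange and one inter-switch exchange.
FRAMES = [
    Frame("A", "B", 1), Frame("B", "A", 2),   # intra-switch (A and B on the same switch)
    Frame("A", "C", 3), Frame("C", "A", 4),   # inter-switch (C behind the uplink)
]


def span_copies(frames, direction, host_port=HOST_PORT, monitored=MONITORED):
    """Return the frames a sensor on the SPAN destination port would receive.

    direction is 'rx' (copy frames entering a monitored port), 'tx' (copy
    frames leaving one) or 'both'. A frame is copied once per matching
    monitored port, which is exactly where the duplicates come from.
    """
    seen = []
    for f in frames:
        ingress = host_port[f.src]   # port the frame enters the switch on
        egress = host_port[f.dst]    # port the switch forwards it out of
        if direction in ("rx", "both") and ingress in monitored:
            seen.append(f)
        if direction in ("tx", "both") and egress in monitored:
            seen.append(f)
    return seen


def coverage(direction, frames=FRAMES):
    """(distinct frames seen, duplicate copies, frames missed) for one SPAN direction."""
    seen = span_copies(frames, direction)
    distinct = set(seen)
    return len(distinct), len(seen) - len(distinct), len(frames) - len(distinct)


if __name__ == "__main__":
    for d in ("rx", "tx", "both"):
        print(d, coverage(d))   # rx/tx: (3, 0, 1)   both: (4, 2, 0)
```

Spanning the uplink as well, or using a VLAN-based source, changes the counts; the model only covers the access-port scenario the post describes.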

Comments

axnjxnind said…
So, to get around all of this could a dual-homed sensor be used to listen to two different SPAN ports, both "copy-in" and "copy-out"?
Hi jrk,

I'm not sure what you mean. The issue hinges on the sort of traffic to monitor (intra-switch or inter-switch). If you decide to see both types of traffic, you will see duplicates when intra-switch traffic occurs.
axnjxnind said…
What I was trying to get at was if you could eliminate the intra-switch traffic by listening on two different SPAN ports, one with "copy-in" and one with "copy-out"? My original post wasn't very clear.
jrk -- I think we resolved this in IRC. If anyone else has comments, please post.
Anonymous said…
Forgive my ignorance, but whenever I've set up a SPAN port on our Cisco gear I've just used the command 'set span mod/port mod/port'. How does one specify which spanning method should be used? Or, alternatively, how does one know which method the switch has chosen to use if a particular method was not specified?

Thanks!
Hello Anonymous,

Your syntax is for CatOS. Mine is for IOS. Check out the differences here.
Anonymous said…
4th slide. In a "copy-in" scenario (assuming the firewall port is also spanned), wouldn't the c-a syn-ack be seen coming into the switch from the firewall?
I should have mentioned this scenario does not involve spanning the uplink to the firewall.
