Comments on TaoSecurity Blog: Why Duplicate Packets May Appear on SPAN Ports
Blog author: Richard Bejtlich
Feed updated: 2023-10-16T06:06:25.012-04:00

Richard Bejtlich (2005-12-12T19:09:00.000-05:00):
I should have mentioned this scenario does not involve spanning the uplink to the firewall.

Anonymous (2005-12-12T17:46:00.000-05:00):
4th slide. In a "copy-in" scenario (assuming firewall port is also spanned), wouldn't the c-a syn-ack be seen coming into the switch from the firewall?

Richard Bejtlich (2005-11-30T22:57:00.000-05:00):
Hello Anonymous,

Your syntax is for CatOS. Mine is for IOS. Check out the differences here (http://www.cisco.com/warp/public/473/41.html).

Anonymous (2005-11-30T22:41:00.000-05:00):
Forgive my ignorance, but whenever I've set up a SPAN port on our Cisco gear I've just used the command 'set span mod/port mod/port'. How does one specify which spanning method should be used? Or, alternatively, how does one know which method the switch has chosen to use if a particular method was not specified?

Thanks!

Richard Bejtlich (2005-11-30T16:53:00.000-05:00):
jrk -- I think we resolved this in IRC. If anyone else has comments, please post.

axnjxnind (2005-11-30T16:45:00.000-05:00):
What I was trying to get at was if you could eliminate the intra-switch traffic by listening on two different SPAN ports, one with "copy-in" and one with "copy-out"? My original post wasn't very clear.

Richard Bejtlich (2005-11-30T14:48:00.000-05:00):
Hi jrk,

I'm not sure what you mean. The issue hinges on the sort of traffic to monitor (intra-switch or inter-switch). If you decide to see both types of traffic, you will see duplicates when intra-switch traffic occurs.

axnjxnind (2005-11-30T13:45:00.000-05:00):
So, to get around all of this could a dual-homed sensor be used to listen to two different SPAN ports, both "copy-in" and "copy-out"?