Why Duplicate Packets May Appear on SPAN Ports
I noticed a post to snort-users today asking if Snort had a problem with duplicate packets: "We have a range of switches being used within our network for port monitoring, and a couple have had to be set up in such a way that you can end up seeing each packet TWICE on the snort interface. I've been told by our network engineers that this has to be the case in order for the IDS to see the networks it needs to on one card." I think I know why this is happening. I cover this issue in day one of my Network Security Operations course. Essentially, the admin who sets up the SPAN port has to decide if he or she wants to copy traffic in to the SPAN port, out of the SPAN port, or in and out of the SPAN port. If the decision is made to copy in and out of the SPAN port, duplicate packets will appear when intra-switch traffic is carried.