Some network administrators dont know how to handle and correctly install network monitoring applications, IDS and other products who requires network traffic inspection, there is no knowledgment about how span port where designed and it limitations for full-duplex networks.
When the network are in full-duplex mode, the span port have a natural loss of packets that not vary across the hardware.
Just imagine that the switch have only 3 ports and its a 100mbps switch, port 1 its a uplink, connected to main router, port 2 its connected to a common computer, and port 3 are the span port.
If you connect a monitoring service like snort IDS in the span port, this will receive a channel of RX 100mbps with a mirror of the port 1 and 2.
How true its?
Suppose that you only want to capture the port 1 (Uplink), where will see an TX of 100Mbps and RX of 100Mbps. In such case, if the upload uses 51mbps and download 51mbps simultaneously, (101Mbps), then, this data must be sent by TX channel of 100Mbps corresponding to SPAN port.
In the worse case, where the consumption of TX/RX are 100%, we will have a 200mbps being sent by 100mbps TX channel on the span port, this is because the RX channel of the span port are disabled and cant be used to carry any data from the switch to the monitoring computer/device.
Commonly what does actually an advanced device with span port?
- Buffering until it fills (Happen in a short time)
- Drop/Discard packets, that makes useless libnids and other deep tcp packet reconstruction systems receiving this packets
What can i do to monitor my network succesfully?
There is many solutions to do that:
- Using a bridge between the switch and the uplink (to monitor the uplink traffic), who will pass any packet transparently without network design modification. You can configure a linux bridge with two network cards using brctl (Install bridge-utils). Inside the bridge you can use snort as IDS to monitor.
- Using a bonding+network tap. A networki tap are like span port, however, uses multiple cables to send the TX and RX of the uplink, therefore, you can mix this on an interface “bonding”,
- Using a half-duplex or hub. You can configure this uplink port in half-duplex mode (Many admins hate this option because can downgrade the uplink more than 50%), and the hub can act link a network tap, but really its a live emulation of a half-duplex that can be configured on a switch.
- Using a high bandwidth port as SPAN port, this port must have the double of bandwidth of monitored port(s).
Conclusion: is not a good idea realize packet mirroring via span port without knowing the risks and knowing that there is a low effectivity monitoring tcp connections over span ports. Many network admins dont see this reality because commonly there is not a advanced study of efficience (Packets sents by network and packets received and reconstructed), in case that admin see any register on their IDS when the network where stable, or by random situation, the admin think that this system works perfectly, when not.