How does one use network monitoring tools with Ethernet switches instead of hubs? I am trying to use tools like tcpdump and Snort. If WorkStation A is your monitoring station then it won't pick up traffic between WS B and WS C. It can pick up broadcasts and communications with WS A. So how do you monitor a switched environment?
Many switches have the option to allow port span. What is port span? The Switched Port Analyzer (SPAN) feature was introduced because, as you stated, once a switch learns a MAC address is on a particular port, traffic is forwarded directly to that individual port. This is unlike a hub, where all the ports see all the traffic.
I would suggest checking out the documentation for your make and model of switches to learn more about its implementation.
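One way to confirm from the monitoring station that a SPAN port is actually delivering other hosts' traffic, as an added example that is not part of the original answer: classify captured Ethernet frames by MAC address and look for unicast frames between two other stations. The MAC addresses, sample frames, function names and threshold are constructed for illustration.

```python
import struct

BROADCAST = bytes.fromhex("ffffffffffff")

def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def eth(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a constructed Ethernet II frame (no FCS) for the sample data."""
    return dst + src + struct.pack("!H", ethertype) + payload

def classify(frame, own_mac):
    """Classify one frame relative to the monitoring station's MAC."""
    if len(frame) < 14:
        return "truncated"
    dst, src = frame[0:6], frame[6:12]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:            # I/G bit set: group (multicast) address
        return "multicast"
    if own_mac in (dst, src):
        return "own"             # unicast to or from the monitoring station
    return "third_party"         # unicast between two other hosts

def summarize(frames, own_mac):
    counts = dict.fromkeys(
        ("broadcast", "multicast", "own", "third_party", "truncated"), 0)
    for frame in frames:
        counts[classify(frame, own_mac)] += 1
    return counts

def sees_mirrored_traffic(frames, own_mac, min_third_party=2):
    # A switch floods unicast to a MAC it has not learned yet, so a single
    # stray third-party frame can appear without SPAN; require more than one.
    return summarize(frames, own_mac)["third_party"] >= min_third_party

# Constructed sample data: locally administered MACs for WS A, B and C.
WS_A, WS_B, WS_C = (mac("02:00:00:00:00:0a"), mac("02:00:00:00:00:0b"),
                    mac("02:00:00:00:00:0c"))
# What WS A sees on an ordinary switch port: broadcasts and its own traffic.
NO_SPAN = [eth(BROADCAST, WS_B, 0x0806), eth(WS_A, WS_B), eth(WS_B, WS_A)]
# What WS A sees on a SPAN destination port: B <-> C traffic is mirrored too.
WITH_SPAN = NO_SPAN + [eth(WS_C, WS_B), eth(WS_B, WS_C), eth(WS_C, WS_B)]

if __name__ == "__main__":
    for name, capture in (("no SPAN", NO_SPAN), ("SPAN", WITH_SPAN)):
        print(name, summarize(capture, WS_A),
              sees_mirrored_traffic(capture, WS_A))
```
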