SPAN means Switch Port ANalyzer, a packet monitoring feature available
in most manageable switches, Cisco's Catalysts for example. When a
switch port is designated as a SPAN port, all incoming or outgoing
traffic of one or all other switch ports is duplicated and sent out
the SPAN port. This makes packet sniffing and intrusion detection
possible in a switched environment.

Unlike a real SPAN port, which can monitor all layer 2 packets, no
matter what the upper layer protocols are, ipfilter, the core
firewalling component in m0n0, runs in layer 3 and above, and can only
recognize IP traffic. So it's not possible to monitor IPX, AppleTalk
and other traffic. However, ipfilter is more intelligent than a
switch. It can send only those packets you are interested in, say HTTP
sessions, to your sniffer or IDS. This is very useful if your sniffer
or IDS runs on a not so powerful platform and can save you a lot of
time when you are analyzing those packets or logs.

2005/8/27, Robo.K. <mono at inmail dot sk>:
> Hi Ed, sorry but, What is SPAN? Can you send description picture?
> Thanx.
> Bob.