Port Mirroring - Wireshark
Magic Johnson
Member Posts: 414
in CCNA & CCENT
Anyone ever done this? If so can you explain how you did it? I think it's done using netflow, but I can't seem to find any concrete how to on it.
Comments
-
jem7sk Member Posts: 77 ■■□□□□□□□□I've done it on a Dell Switch. It is part of the port properties you can change.
-
Jon_Cisco Member Posts: 1,772 ■■■■■■■■□□try this link. I didn't read it all but it looks like what you're interested in. I think I played with SPAN in my home lab last year but I might have just been reading about it. I don't actually recall which.
Catalyst Switched Port Analyzer (SPAN) Configuration Example - Cisco -
Staunchy Member Posts: 180I have done it on HP; on Cisco you create a SPAN port. You specify a source VLAN or port and a destination port, but the config is a bit different depending on the switch you want to do it on.
Catalyst Switched Port Analyzer (SPAN) Configuration Example - Cisco
-
broli720 Member Posts: 394 ■■■■□□□□□□You're basically directing all traffic from a source port or VLAN. The destination port can either be on the local switch or another switch on your network. A few things to note before we get into configuration:
-when you implement the destination port, you are overwriting its current configuration
-PVLANs and port security are also not supported on the destination port
For a basic configuration, you basically state which two ports will communicate the monitored traffic.
-monitor session 1 source "interface blah"
-monitor session 1 destination "interface blah"
I work a lot with control systems and generally use this or a raspberry Pi just to maintain situational awareness of my environment. It does get more in depth, but this is just the basics.
Hope this helps! -
Magic Johnson Member Posts: 414So I could do
test(config)#monitor session 1 source interface fe0 < LAN unmanaged switch uplink
test(config)#monitor session 1 destination interface dialer1 < PPPoE int for DSL
This means I am monitoring traffic coming from my LAN out in to the WAN?
How do I get the capture in to Wireshark? -
Staunchy Member Posts: 180I might be wrong, but destination would be where you are sending the mirrored traffic.
So what you would generally do is span a specific VLAN or port to another port to which you have a server or PC connected running Wireshark, capturing the traffic to be analyzed.
-
--chris-- Member Posts: 1,518 ■■■■■□□□□□Nothing to add to the discussion, just tagging this for my use later Cool stuff.
-
broli720 Member Posts: 394 ■■■■□□□□□□I might be wrong, but destination would be where you are sending the mirrored traffic.
So what you would generally do is span a specific VLAN or port to another port to which you have a server or PC connected running Wireshark, capturing the traffic to be analyzed.
Yep, you're correct. A sniffer or some sort of device will have to be configured on the destination side to receive the traffic. -
tstrip007 Member Posts: 308 ■■■■□□□□□□Here are the notes I have for setting up a port mirroring session on a dell powerconnect switch
Log in to the switch
Switching > Traffic Mirroring > Port Mirroring
Add > Add Source port/s (port you want to monitor) (you can monitor up to 4 ports)
Apply changes
Go back to port mirroring page and set the destination port
Set admin mode to "Enable" to start mirroring
Run wireshark to capture traffic.
Destination port will be the pc that has wireshark on it
Source will be the port you want to monitor -
Magic Johnson Member Posts: 414Is the traffic capture bidirectional then?
monitor session 1 source interface dialer1 < DSL port
monitor session 1 destination interface fe3 < port my laptop is connected to
Run Wireshark on my laptop and hey, we have a mirror of all traffic sent to and received from the dialer interface? -
broli720 Member Posts: 394 ■■■■□□□□□□Not sure if I understand your question. Source ports are the ones you want to monitor, destination port is where the info is delivered to...
-
lsud00d Member Posts: 1,571I work a lot with control systems and generally use this or a raspberry Pi just to maintain situational awareness of my environment.
Curious, (if you're mirroring to something like Wireshark) do you use any capture/display filters or just pcap it all? What are the parameters for logs, including length of time kept, rollover period, etc?
I'll be doing this soon to assist in a federal investigation and haven't decided how I want to configure the pcap side of things. -
Magic Johnson Member Posts: 414Not sure if I understand your question. Source ports are the ones you want to monitor, destination port is where the info is delivered to...
Does it capture inbound and outbound traffic? Or do you have to add an ingress or egress or something in? -
lsud00d Member Posts: 1,571I think you're still stuck on the netflow side of things.
Wireshark simply captures packets, which includes both inbound and outbound directions. -
Dieg0M Member Posts: 861For Cisco, by default it will capture on the source session both receiving and outgoing traffic. If you want to configure it to capture only received traffic, it is monitor session 1 source interface <x/x> rx (monitors received traffic only), or for outgoing traffic monitor session 1 source interface <x/x> tx
Also, if you don't have a Wireshark or sniffing server directly connected to that switch, I would highly suggest using ERSPAN or EPC. Here's a good tutorial for ERSPAN: ERSPAN -
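Pulling the thread's pieces together (broli720's two-line monitor session config, Dieg0M's rx/tx direction keywords, and lsud00d's question about filters and retention on the capture side), here is an added example that is not part of any post above. It generates the Cisco IOS SPAN session lines and the matching dumpcap ring-buffer command for the PC plugged into the destination port, plus the Wireshark display filters that split a two-direction mirror back into "to the device" and "from the device" (a SPAN capture carries no direction marker, so the monitored device's MAC is the only way to tell them apart). The hostname, interface names, output directory and MAC address are assumptions for illustration. Two caveats for whoever is on the laptop: a Catalyst SPAN destination port does not forward the PC's own traffic (ingress is disabled unless the session is configured with the ingress keyword), so the laptop will have no network access through that port; and mirroring both directions of a busy full-duplex link can exceed the destination port's capacity, in which case the switch silently drops mirrored frames and the trace has gaps.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: build the SPAN config and the capture
# command for a port-mirroring session. Interface names, paths and the MAC
# address are assumed values for illustration.
set -eu

# Emit the IOS lines for one local SPAN session.
# direction: both (the default, as Dieg0M describes), rx or tx.
span_config() {
  local session="$1" src="$2" dst="$3" dir="${4:-both}"
  case "$dir" in
    both|rx|tx) ;;
    *) echo "span_config: direction must be rx, tx or both" >&2; return 1 ;;
  esac
  printf 'monitor session %s source interface %s %s\n' "$session" "$src" "$dir"
  printf 'monitor session %s destination interface %s\n' "$session" "$dst"
}

# Build the dumpcap command for the capture host on the destination port.
# A ring buffer (-b filesize:<kB> -b files:<n>) bounds disk use: the oldest
# file is overwritten once <n> files exist. Promiscuous mode (the default)
# must stay on, since mirrored frames are not addressed to the capture NIC.
# An optional BPF capture filter drops traffic before it is written.
capture_cmd() {
  local iface="$1" outdir="$2" filesize_kb="$3" files="$4" bpf="${5:-}"
  local cmd="dumpcap -i $iface -w $outdir/span.pcapng"
  cmd="$cmd -b filesize:$filesize_kb -b files:$files"
  if [ -n "$bpf" ]; then
    cmd="$cmd -f '$bpf'"
  fi
  printf '%s\n' "$cmd"
}

# Wireshark display filters that separate the two directions of a 'both'
# session by the monitored device's MAC address (assumed value).
direction_filters() {
  local mac="$1"
  printf 'from_device: eth.src == %s\n' "$mac"
  printf 'to_device: eth.dst == %s\n' "$mac"
}

# Stand-alone demo: mirror both directions of Fa0/1 to Fa0/3 (assumed ports),
# capture on the laptop's eth0 into 50 files of 100 MB, skipping the
# laptop's own SSH session, and split the trace by the device's MAC.
span_config 1 FastEthernet0/1 FastEthernet0/3 both
capture_cmd eth0 /var/cap 102400 50 'not port 22'
direction_filters 00:11:22:33:44:55
```

The rx/tx split matters for the PPPoE question earlier in the thread: monitoring a LAN port with rx captures only what the LAN sends toward the WAN, while both shows the replies as well. The ring buffer answers the retention question without a cron job: 50 files of 100 MB keeps roughly the last 5 GB of traffic, and the file count, not wall-clock time, is what rolls over, so size it against the link's observed throughput.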
Magic Johnson Member Posts: 414Guys, you're all legends. Thanks for this. I was asked for a wireshark trace using port mirroring by a third party company with a product behind our connectivity and I was a bit embarrassed I didn't know how to achieve this!
-
--chris-- Member Posts: 1,518 ■■■■■□□□□□Forget about being embarrassed. You can't learn something until you run through it at least once. Now you know. I learn "obvious" things almost every day.