This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Port Mirroring and Wireshark


Hello. I'm trying to capture the traffic on one port and mirror that traffic to the other. I'm using an HP ProCurve 2810-24G switch, I've set up the Port Monitoring option through the web configuration. Now for Wireshark, it looks as though it's only showing the traffic on the PC running Wireshark, as opposed to showing me the mirrored traffic on the PC being monitored.

Is there some sort of adjustment that has to be made in Wireshark to output only the traffic from the monitored port?

asked 03 Oct '12, 08:31


InfusionDev20

[image: diagram of the setup]

(04 Oct '12, 11:47) InfusionDev20

Wireshark at the monitor port should show all Unicast packets coming from and going to the PC monitored, plus Broadcast/Multicast.

If you see Unicast packets that are neither from nor to the monitored PC you have a problem, most likely a switch flooding frames to all ports. This can happen if the destination MAC is unknown and the switch hopes to find it by pushing all frames out on all ports, which should not happen more than once every once in a while for each MAC.

(04 Oct '12, 13:23) Jasper ♦♦

I'll have to double check the MAC destination but it is very possible that it is the Broadcast/Multicast traffic that I'm seeing.

(05 Oct '12, 12:24) InfusionDev20

Hey Jasper thanks again for your help! I am seeing a lot of Broadcast/Multicast traffic but I was able to filter through it to figure out what we were looking for.

(09 Oct '12, 12:59) InfusionDev20

Great to hear that. If you like you can accept my answer with the checkmark button next to it ;-)

(09 Oct '12, 13:37) Jasper ♦♦

One Answer:


Normally it should just work if you set the mirror port correctly (which I usually double check, especially if the results are strange like yours) - maybe you've got source and destination ports mixed up. If the mirror session is correct, Wireshark will capture anything that the network card receives unless:

  1. you have disabled promiscuous mode on the capture card, which would mean that the card will only accept frames that contain the card's MAC address (or are Broadcast/Multicast) - there is a checkbox in the capture settings of each card that should be checkmarked by default

  2. You are mirroring a trunk including VLAN tags and the capture card of your Wireshark PC doesn't like them. Maybe you can try to capture with a different network card and see if it sees anything

By the way, I'd usually disable all protocols on the capture card to avoid the card sending and receiving any traffic for itself - in Windows you can just uncheck all protocols on the card properties dialog.

answered 03 Oct '12, 08:55


Jasper ♦♦
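The two checks from this thread, written out as an added example (not code from the original answer or from Wireshark): what a capture card with promiscuous mode off would pass up, and Jasper's test that every unicast frame on a correct mirror session should involve the monitored PC, with stray unicast pointing at switch flooding. The MAC addresses and the frame list are constructed sample data; in practice the pairs would come from a capture.

```python
# Added example: sanity-check a mirrored capture as described in the thread.
# MACs and frames below are constructed sample data, not from a real capture.
from collections import Counter

MONITORED = "00:11:22:33:44:55"    # assumed MAC of the PC on the mirrored port
CAPTURE_NIC = "aa:bb:cc:dd:ee:ff"  # assumed MAC of the Wireshark PC's card

# Constructed sample: traffic to/from the monitored PC, some broadcast and
# multicast, plus two unicast frames between unrelated hosts (what flooding
# or a mis-set mirror session looks like).
FRAMES = [
    (MONITORED, "00:aa:bb:cc:dd:01"),
    ("00:aa:bb:cc:dd:01", MONITORED),
    (MONITORED, "00:aa:bb:cc:dd:02"),
    ("00:aa:bb:cc:dd:02", MONITORED),
    ("00:aa:bb:cc:dd:03", "ff:ff:ff:ff:ff:ff"),  # broadcast (e.g. ARP request)
    ("00:aa:bb:cc:dd:04", "01:00:5e:00:00:fb"),  # IPv4 multicast group
    ("00:aa:bb:cc:dd:05", "00:aa:bb:cc:dd:06"),  # unicast, neither from nor to us
    ("00:aa:bb:cc:dd:06", "00:aa:bb:cc:dd:05"),
]

def is_group(mac):
    """True if the I/G bit (LSB of the first octet) is set: broadcast or multicast."""
    return int(mac.split(":")[0], 16) & 1 == 1

def non_promiscuous_view(frames, nic_mac=CAPTURE_NIC):
    """Frames a card with promiscuous mode OFF would hand to Wireshark:
    only those addressed to its own MAC or to a group address."""
    return [f for f in frames if f[1] == nic_mac or is_group(f[1])]

def audit_mirror(frames, monitored=MONITORED):
    """Classify frames the way the thread does: involving the monitored PC,
    broadcast/multicast, or stray unicast (a sign of flooding)."""
    report = {"involving_monitored": 0, "group": 0, "stray_unicast": []}
    talkers = Counter()
    for src, dst in frames:
        talkers[src] += 1
        if is_group(dst):
            report["group"] += 1
        elif monitored in (src, dst):
            report["involving_monitored"] += 1
        else:
            report["stray_unicast"].append((src, dst))
    # On a correct mirror session the monitored PC is the busiest node.
    report["top_talker"] = talkers.most_common(1)[0][0]
    return report

if __name__ == "__main__":
    print("promiscuous off would show", len(non_promiscuous_view(FRAMES)), "frames")
    print(audit_mirror(FRAMES))
```

Any entry in `stray_unicast` is exactly the case Jasper flags: a unicast frame that the mirror port should not carry unless the switch is flooding it.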

Hey Jasper,

Appreciate the lengthy response. If I disable all protocols on the capture card, then any traffic that would appear in Wireshark should ONLY be from the PC being monitored, correct?

(03 Oct '12, 08:59) InfusionDev20

Wireshark will show only packets coming in, which can't be from or for the local system since it's been muted. So yes, if the monitor session is set up correctly, you should see ONLY the packets from the PC being monitored (or any device that is mirrored to the output port where Wireshark sits).

(03 Oct '12, 09:03) Jasper ♦♦

Ok great. That will help in narrowing it down to just the monitored machine. Now for disabling the protocols, is it under the properties of the LAN connection adapter?

(03 Oct '12, 09:37) InfusionDev20

This is how it looks for my capture card:

http://www.bongertz.com/images/capturecard.png

(03 Oct '12, 09:52) Jasper ♦♦

Ok great, just wanted to make sure I was in the right spot. I will have to give this a try with all the protocols disabled and see what the results are.

(03 Oct '12, 10:06) InfusionDev20

Hey, do you happen to know if there's any way in Wireshark to see where the traffic is coming from exactly? So to see if it's coming from the PC being monitored? I would assume it would be the source IP address?

(03 Oct '12, 11:47) InfusionDev20

Looking at source IP/MAC is one thing, but the one thing giving it away is usually that the monitored system is by far the most active node in the capture. Since you're monitoring its traffic you should basically see that ALL unicast traffic is going to or coming from its address.

(03 Oct '12, 12:45) Jasper ♦♦

Well, the problem I have now is that I'm seeing all of the traffic on the network from a ton of different PCs throughout the office. I have this particular switch off to the side with the PC being monitored, and the PC that it is being mirrored to both connected to ports on this switch. I also have another cable running into the switch from the office that is giving it a connection on our subnet. It's running from one switch to the other, and I think that is what is causing me to see all of this other traffic on the network as it's running through the other switch, if that makes sense...

(03 Oct '12, 13:02) InfusionDev20

This is a little difficult to understand, so normally I would ask a client for a network diagram by now... :-) If you can do a quick diagram it would help to understand what your setup is like.

(03 Oct '12, 15:31) Jasper ♦♦

Added an image of how things are set up. Hopefully you can see and understand it.

(04 Oct '12, 11:47) InfusionDev20