 | 1 | initial version |
I read that the ethernet port would be automatically disabled to traffic and put into promiscuous mode for listening purposes in the instructions.
If by that you're referring to
Ethernet Adapter mode: The SharkTap can also be used as a network adapter. Both NETWORK ports must be left unconnected in this mode. Functionally, the only difference in this mode is that the SharkTap will route packets from the USB Host. In TAP mode, the SharkTap will only send packets to the USB Host.
that appears to refer to plugging a Sharktap USB into a USB port on the host, rather than into an Ethernet port as you said you did. For plugging the tap into a Ethernet port on the host running Wireshark (or any other sniffer), the Sharktap instructions say:
Wired TAP mode: If you plug a cable into the ‘Wired TAP’ port (and the SharkTap establishes a link), the Wired TAP port will become the mirroring port. In this mode a USB host is not needed – the USB port only requires power.
which says nothing about whether packets sent to the Sharktap over that Ethernet cable will get sent out on either of the network ports.
For connecting the tap to a sniffing host over USB rather than Ethernet, the Sharktap instructions refer the reader to "The midbittech.com/usb website"; that site says, in the first paragraph:
One of the advantages of the USB SharkTap is that you can have virtual Ethernet port dedicated to network sniffing, rather than reconfiguring a port sometimes used for other purposes. The following two setting are not absolutely necessary, but are recommended. The first setting minimizes the number of packets your PC will attempt to transmit over the virtual port. The SharkTap will not route any packets sent from your PC to the Network ports, but Wireshark will still show these packets, which can clutter up a capture. The second setting enables jumbo packets, which is necessary if you are sniffing a link with jumbo packets. The 3rd setting shows how to avoid having VLAN tags stripped, so you can see them in Wireshark.
and then gives configuring instructions for the USB Ethernet adapter that should show up when you plug the Sharktap USB into the host over USB. Those instructions arrange to make sure that the USB Ethernet adapter in question doesn't do networking but is available as a capture device.
if Wireshark can't shut up the ethernet port
Wireshark currently does not include any code to disable network traffic on network ports on which it captures. I suspect many users would be very upset if Wireshark automatically shut off networking on any port on which it's capturing, especially if the user's trying to capture actively - i.e., capturing the traffic on the machine running Wireshark - rather than passively.
Note, by the way, that Wireshark itself may use various networking protocols; for example, it may use DNS to determine the host names corresponding to IP addresses in network traffic.
If a Sharktap sends out, on either network port, any packets sent to the Wired Tap port, that sounds like either a bug or a misfeature of the Sharktap device. That port appears to be intended for passive monitoring.
If a bug/misfeature such as that on the Sharktap is the problem, then, as Sake (SYN-bit) noted, you will have to shut off networking on the laptop's Ethernet port yourself.
And, if that's the problem, attaching the Sharktap USB to your Wireshark laptop over USB rather than over an Ethernet cable to the Wired Tap port on the Sharktap would work better if you want to passively tap and not have the Wireshark host send any packets.
