Considerations for running Wireshark through a core switch

asked 2019-08-28 01:51:23 +0000

mkelley_25

I have a customer who has a remote office that is connected to their main office. The main office provides the Internet connection for that remote office. I have a call with the customer tomorrow to get more details (is the connection set up over VPN, what kind of router/switches they have, are they using NAT?, etc.), but over the next week, the customer would like me to connect a laptop with Wireshark to the core switch at the main office to attempt to capture traffic from one computer at the remote office to the Internet.

Do any of you have thoughts or recommendations on things I should take into consideration? I'm thinking I simply need to set up port spanning on the core switch port that is used as the uplink to the remote site, sending traffic to the port I've plugged my laptop into AND set up a capture filter to ONLY capture data on that port that is coming from that one computer on the remote network. Am I missing anything? Thank you.

answered 2019-08-28 02:41:07 +0000


When I capture with my laptop using a SPAN port, I try to filter as much traffic as possible before it even hits the Wireshark capture filter. This is because laptops are poor capture devices when there is "too much traffic."

You should try filtering with ACL if possible or at least with a combination of interfaces and VLAN if not.

"Too much" will depend on your traffic profile but basically I never capture over 10Mbps with my laptop and then again only for a short period.

I suggest you read this excellent 2016 blog post from PacketFoo.

You may also look at this YouTube video and this 2014 white paper for info.

(To be clear none of these resources are my own work.)

Good hunting.
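One way to put that advice into practice, as an added example that is not part of the original thread: a POSIX shell wrapper around dumpcap (Wireshark's capture engine) that applies the single-host filter in the kernel via BPF and bounds the capture by duration and file size, so the laptop never has to keep up with the whole uplink. The interface name, remote host address and VLAN id are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): capture one remote-office host off a
# SPAN port with dumpcap, filtering in the kernel and bounding the capture.

# Build the capture filter. When the mirrored uplink carries 802.1Q tags, the
# "vlan" keyword must come FIRST: in libpcap it shifts the decoding offsets for
# every later primitive, so "host X and vlan" would test the host field at the
# untagged offset and silently miss every tagged frame.
build_filter() {
    host="$1"   # the remote-office computer (assumed placeholder address)
    vlan="$2"   # optional 802.1Q id on the uplink; empty means untagged
    if [ -n "$vlan" ]; then
        printf 'vlan %s and host %s' "$vlan" "$host"
    else
        printf 'host %s' "$host"
    fi
}

# Bound the capture so the laptop stays inside the "short period" envelope:
# -a duration:N  stop after N seconds
# -b filesize/files  ring buffer of 10 files of ~50 MB each, oldest overwritten
# -s 128         snaplen: headers only, enough to follow the conversation
# -B 64          64 MiB kernel buffer so short bursts are not dropped
# On exit dumpcap prints "Packets captured/dropped"; a non-zero dropped count
# means the filter or the SPAN scope (ACL, VLAN, interface) must be narrowed.
run_span_capture() {
    iface="$1"; host="$2"; vlan="$3"; seconds="${4:-60}"
    filter=$(build_filter "$host" "$vlan")
    echo "capture filter: $filter" >&2
    dumpcap -i "$iface" -f "$filter" -s 128 -B 64 \
            -a "duration:$seconds" -b filesize:51200 -b files:10 \
            -w "span-$host.pcapng"
}

# Only start a real capture when explicitly asked; sourcing the file is harmless.
if [ "${SPAN_CAPTURE_RUN:-0}" = "1" ]; then
    run_span_capture "${IFACE:-eth0}" "${REMOTE_HOST:?set REMOTE_HOST}" "${VLAN_ID:-}" 60
fi
```

Run it as `SPAN_CAPTURE_RUN=1 IFACE=eth0 REMOTE_HOST=10.20.30.40 VLAN_ID=200 sh span-capture.sh` (placeholder values) from a shell that can open the SPAN interface; the filter itself can be checked without any capture by calling `build_filter`.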



Thank you for this information. I'll mark it as the answer.

mkelley_25 (2019-08-28 13:03:48 +0000)


Last updated: Aug 28 '19