Ask Your Question
0

Unexplained data usage > Wireshark > Ethernet / NIC config >

asked 2022-06-12 17:23:38 +0000

Hi there.

I was hoping that you could help me with a couple of issues that I'm trying to get resolved.

Background: I'm helping out a friend who has a pretty complex home network set-up

Basic network overview:

Enterprise wireless modem/router (using a SIM card and mobile network, for network access) > Swich 1 > Switch 2 Switch 3 Swtich 4

Switch / network 2 = security cameras Switch / network 3 = office / work PCs Switch / network 4 = guest Wi-Fi

Issue: They are experiencing very large and (unexplained) spikes in data usage We are trying to establish what is causing this.

We have done a variety of testing and the issue is definitely being caused from something within this internal network infrastructure.

They have a spare PC which they are going to install Wireshark onto (it currently only has x1 NIC card, and Ethernet port)

This PC is going to be connected directly between the modem/router and the 1st Switch on the network (to capture as much traffic and throughput as possible).

Enterprise modem/router > Spare PC with wireshark > Switch 1 > Rest of network

Questions:

  1. Do we need a 2nd NIC card installed into the PC, to feed out from the PC back into the 1st Switch, so that we can capture all of the traffic on the network ?

  2. Or could we instead, use an Ethernet splitter with the original NIC card to give us 2 Ethernet ports, and use one of them to connect back into the 1st switch. Again - to capture all of the network traffic ?

  3. Is there anything else that I'm missing to be able to achieve this ?

TIA for any help or advice !

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2022-06-12 18:30:29 +0000

grahamb gravatar image

This is capturing on a switched network and is covered in the wiki page Ethernet Capture - Switched Ethernet where a variety of solutions are offered.

If Switch 1 provides mirroring or spanning capability that would suffice as the Switch + Monitor Port, as long as the combined mirrored traffic doesn't exceed the capacity of the single port you mirror to. All protocols should be unbound from the monitoring PC to prevent inadvertent traffic generation.

If you have two NIC's in the monitoring PC, the Man-in-the-middle approach can be used.

Finally, if you have the budget an Ethernet TAP can be used. This is often the most accurate method but also the most costly.

edit flag offensive delete link more

Comments

This is a fantastic answer, and a massive help. Thank you very much

Noob-Tech-Ninja gravatar imageNoob-Tech-Ninja ( 2022-06-13 21:44:33 +0000 )edit

If the answer has resolved your query, please "accept" it to help others know it's helpful by clicking the checkmark icon to the left of it.

grahamb gravatar imagegrahamb ( 2022-06-15 05:37:19 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2022-06-12 17:23:38 +0000

Seen: 30 times

Last updated: Jun 12