Considerations for running Wireshark through a core switch

I have a customer who has a remote office that is connected to their main office. The main office provides the Internet connection for that remote office. I have a call with the customer tomorrow to get more details (is the connection set up over VPN, what kind of router/switches they have, are they using NAT?, etc.), but over the next week, the customer would like me to connect a laptop with Wireshark to the core switch at the main office to attempt to capture traffic from one computer at the remote office to the Internet.

Do any of you have thoughts or recommendations on things I should take into consideration? I'm thinking I simply need to set up port spanning on the core switch port that is used as the uplink to the remote site, sending traffic to the port I've plugged my laptop into AND set up a capture filter to ONLY capture data on that port that is coming from that one computer on the remote network. Am I missing anything? Thank you.

mkelley_25
asked 2019-08-28 01:51:23 +0000

1 Answer

Hi,

When I capture with my laptop using a SPAN port, I try to filter as much traffic as possible before it even hits the Wireshark capture filter. This is because laptops are poor capture devices when there is "too much traffic."

You should try filtering with an ACL if possible, or at least with a combination of interfaces and VLANs if not.

"Too much" will depend on your traffic profile, but basically I never capture over 10 Mbps with my laptop, and then again only for a short period.

I suggest you read this excellent 2016 blog post from PacketFoo.

You may also look at this YouTube video and this 2014 white paper for info.

(To be clear, none of these resources are my own work.)

Good hunting.

Cheers,

JF

Spooky
answered 2019-08-28 02:41:07 +0000

Comments

Thank you for this information. I'll mark it as the answer.

mkelley_25 (2019-08-28 13:03:48 +0000)
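
An added example, not part of the thread above: one way to apply the single-host capture filter and the "short period" advice with dumpcap on the laptop attached to the SPAN port. The function names, limits and output file name are assumptions; it also assumes the remote computer's own address is still visible at the mirrored port (no NAT in between) and that mirrored frames may carry an 802.1Q tag, which a plain `host` filter would not match.

```shell
#!/bin/sh
# Bounded single-host capture on a SPAN destination port (illustrative values).
MAX_SECONDS=${MAX_SECONDS:-300}   # stop automatically after 5 minutes
FILE_KB=${FILE_KB:-51200}         # rotate files at roughly 50 MB
MAX_FILES=${MAX_FILES:-10}        # ring buffer: keep at most 10 files

# Succeeds only for four dot-separated decimal octets in the range 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print a capture filter matching the host in untagged and 802.1Q-tagged frames.
# The "vlan" primitive shifts later offsets, so the host test is repeated after it.
capture_filter() {
    valid_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
    printf 'host %s or (vlan and host %s)' "$1" "$1"
}

# Capture on interface $1, keeping only traffic to or from host $2.
run_capture() {
    iface=$1
    host=$2
    filter=$(capture_filter "$host") || return 1
    dumpcap -i "$iface" -f "$filter" \
        -a "duration:$MAX_SECONDS" \
        -b "filesize:$FILE_KB" -b "files:$MAX_FILES" \
        -w "remote-host-$host.pcapng"
}

# Usage: sh capture.sh <interface> <host-ip>
if [ "$#" -ge 2 ]; then
    run_capture "$1" "$2"
fi
```

The capture filter only limits what dumpcap keeps; the mirrored traffic still reaches the laptop's NIC, so narrowing the SPAN source on the switch remains the first step.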