I can't get my head around the way the data is presented on the mirror port. Do I need a second network card? How does Wireshark present the data? As you can see, I don't even know the right questions to ask! Thanks
Switch can be configured to mirror ingress, egress, or both directions. Copying traffic for both directions to a single port can be a problem when the mirrored traffic is greater than the monitoring port interface speed. The monitoring port is the port where the engineer wants to send a copy of traffic to. Basically, the monitoring port interface has to large enough to support the traffic from the mirrored-port(s).
An example is mirroring port 1 (1G) to port 5 (1G). The maximum bandwidth needed is 2G because there is 1G ingress and 1G egress of traffic. This exceeds the port 5, 1G port speed, and the switch will drop some of the packets.
Another issue are microbursts.
Capturing with two network cards will work if the network cards can capture at port speed. There is an article in NetworkDataPedia by Tony Fortunato with a detail explanation.
Capturing with one or two network cards, the traffic is displayed the same. When you merge files, there isn't any way to tell what hardware was used to capture the packet because the PCAP packet header doesn't have a field to identify the capturing hardware. Most of the time this isn't an issue.
Sniffers have proprietary file format that can identify the port used to capture the packets.
I just found the Wiki page covering this ( https://wiki.wireshark.org/CaptureSet... ). I'm still unclear on a couple of things, but I'll start experimenting.
Apologies for the noise.
As noted at the top of the page, that's the old, un-maintained site. The maintained site is at Ethernet Capture.
Comments