Where do I capture traffic?

Where you capture is important:

  • Capturing locally on a computer connected to a switch port will let you see only the traffic to/from your own computer, plus any broadcast traffic the switch sends down to that port.
  • Capturing off a hub (true layer 2 device) will give you all the traffic to/from all devices connected to that hub.
    Note that many devices marked as “hubs” actually are switches – see https://wiki.wireshark.org/HubReference for more information.
  • Capturing off a wireless network follows the same principles as capturing on a hub.
  • Capture off a spanned switch port to “eavesdrop” on all traffic to/from the host or hosts connected to that port.
    Remember that you will need administrative access to the switch to set up a spanned port.
    A downside to this approach is that you risk losing traffic, because the switch prioritizes its core function of switching traffic over copying traffic to the spanned port.
  • Capture off a network tap. Taps are specialty devices designed for the sole purpose of letting you listen in on network traffic. There are aggregating and non-aggregating taps. The latter only let you see traffic in one direction at a time, so to capture a full stream of traffic you would need two taps. Aggregating taps let you see traffic in both directions at the same time, but this comes at a price – they are in general more expensive. Taps typically have built-in memory to make sure traffic gets captured even during the busiest peaks of network traffic (a regular computer will typically experience packet loss during such peaks).
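The first point above (a plain switch port shows you only your own unicast traffic plus broadcasts) gives a quick sanity check for any capture: if the frames contain unicast traffic between two other hosts, you are on a hub, a spanned port, a tap or a monitor-mode wireless interface; if not, you are probably looking at an ordinary switch port and should not expect to see other hosts' conversations. The script below is an added example, not code from the original post. It assumes raw Ethernet II frames as bytes and a known MAC address for the capturing NIC; the sample frames are constructed inline rather than read from a real pcap.

```python
"""Classify captured Ethernet frames by destination to infer the capture vantage point.

Added example (not from the original post). Assumes raw Ethernet II frames as
bytes and that the MAC address of the capturing interface is known. The frames
below are constructed for the demonstration; a real run would read them from a
pcap file or a live capture.
"""
from collections import Counter

BROADCAST = bytes.fromhex("ffffffffffff")


def parse_ethernet(frame: bytes):
    """Return (dst, src, ethertype, payload) from an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = int.from_bytes(frame[12:14], "big")
    return dst, src, ethertype, frame[14:]


def classify(frame: bytes, local_mac: bytes) -> str:
    """Label a frame relative to the capturing host."""
    dst, src, _, _ = parse_ethernet(frame)
    if src == local_mac:
        return "local_out"          # sent by us
    if dst == local_mac:
        return "local_in"           # addressed to us
    if dst == BROADCAST:
        return "broadcast"          # flooded to every port by the switch
    if dst[0] & 0x01:               # I/G bit set: group (multicast) address
        return "multicast"
    return "foreign_unicast"        # a conversation we are not part of


def infer_vantage(frames, local_mac: bytes):
    """Return ("promiscuous" | "local_only", per-class counts).

    Any foreign unicast frame proves the capture point sees traffic a plain
    switch port would never forward to us (hub, SPAN port, tap, monitor mode).
    """
    counts = Counter(classify(f, local_mac) for f in frames)
    vantage = "promiscuous" if counts["foreign_unicast"] else "local_only"
    return vantage, counts


def build_frame(dst: bytes, src: bytes, ethertype: int = 0x0800,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Assemble a minimal Ethernet II frame (constructed test data)."""
    return dst + src + ethertype.to_bytes(2, "big") + payload


# Constructed sample MACs (locally administered, not real devices).
LOCAL = bytes.fromhex("0242ac110002")
PEER_A = bytes.fromhex("0242ac110003")
PEER_B = bytes.fromhex("0242ac110004")

# What an ordinary switch port would deliver: our own traffic plus a broadcast.
SWITCH_PORT_CAPTURE = [
    build_frame(PEER_A, LOCAL),               # we send to A
    build_frame(LOCAL, PEER_A),               # A replies to us
    build_frame(BROADCAST, PEER_B, 0x0806),   # ARP request from B, flooded
]

# What a hub / SPAN port / tap would additionally deliver: A talking to B.
SPAN_PORT_CAPTURE = SWITCH_PORT_CAPTURE + [
    build_frame(PEER_B, PEER_A),
]

if __name__ == "__main__":
    for name, cap in (("switch port", SWITCH_PORT_CAPTURE),
                      ("span/hub/tap", SPAN_PORT_CAPTURE)):
        vantage, counts = infer_vantage(cap, LOCAL)
        print(f"{name:13s} -> {vantage:11s} {dict(counts)}")
```

Multicast is treated separately from broadcast because a switch with IGMP snooping may or may not forward a given group to your port, so multicast frames alone do not tell you anything about the vantage point; only foreign unicast does.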
