HW to get you started…

Before you go out and buy some really expensive network taps, I suggest you look into buying one of these NetGear GS105 switches and play around with capturing traffic in a smaller scale:

The unit is “only” 500Mbps when used in mirroring mode and will not be as good as a dedicated tap, but will be more than enough for capturing lower bandwidth traffic for learning purposes. Mine has been ordered, and I can’t wait to use it for IPv6 Multicast traffic analysis :-)

 

PS! Remember to filter out all traffic to/from your network analyzer’s NIC. If not, you will be seing all the mirrored traffic you want to see + all traffic generated by the PC running Wireshark.

 

20160210 Update:
Got the device and set it up to mirror port #5 to port #2.
Works like a charm – the only thing you need to remember is that the destination port (in my case port #2) will still work as a switched port on its own. This means you will be able to surf the web on your mirrored/spanned port at the same time that packets are being copied over from the source port (port #5 in my case).
To only capture traffic to/from the device connected to your source port, use this capture filter in Wireshark:
ether host 01:02:ae:02:bf:ef ( the latter being the MAC address of the device connected to the source port)

Leave a Reply

Your email address will not be published. Required fields are marked *