This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Question regarding Wireshark and port mirroring

0

I am trying to use Wireshark to analyze traffic from my Netgear Stora media server to my Xbox 360. I know (after researching here) that if the PC I have Wireshark installed on is connected to a switch, that switch must allow port mirroring.

My setup:
* Comcast Modem --> Linksys Router (e4200) --> Switch 1 (GS105) & Switch 2 (GS108) & Netgear Stora media server
* The PC with Wireshark installed is connected to Switch 1
* The Xbox is connected to Switch 2
* Netgear Stora media server is connected directly to the Linksys router

My question is, does the switch the Xbox is connected to also have to allow port mirroring for me to see traffic between the Xbox and the Netgear Stora media server via Wireshark installed on the PC, or is this even possible the way they are connected?

I am going to pick up a Netgear GS105e tomorrow for the PC with Wireshark and I need to know if I also need one for the Xbox connection.

Thanks in advance for the help.

asked 26 Jun '12, 20:25

lorigar

edited 29 Jun '12, 17:27


2 Answers:

3

A diagram would be better. I interpret your explanation to mean: Switch 1 is connected to a port on the Linksys router, Switch 2 is connected to another port on the Linksys router, and the Stora media server is connected to a third port on the Linksys router:

                    Linksys
                       |
     ---------------------------------
     |                 |              |
    SW1               SW2            Stora
     |                 |
 Wireshark            XBox

If that is correct, then traffic between your Stora media server and your XBox will pass through the Linksys router and Switch 2. It will not pass through Switch 1, which is where the Wireshark PC is connected. Since the traffic never reaches Switch 1, port mirroring on that switch will not help and Wireshark will not be able to capture the traffic you're interested in.

Your Wireshark PC needs to be connected to a switch that the traffic will pass through, and that switch needs to be capable of port mirroring. No, you can't really do what you want with your current setup.

If you can connect the Wireshark PC to Switch 2, where the XBox is connected, you will be able to use port mirroring to capture the traffic you're interested in. Or, you could connect either the XBox or the Stora media server or both to Switch 1.

answered 26 Jun '12, 22:14

Jim Aragon

Jim -

Thanks so much for taking the time to answer my question. Your answer is what I was afraid of. I went and purchased a Netgear GS108e switch today which allows port mirroring. If I set it up this way, can I do what I am wanting to do:

On SW3, ports 2, 3, 4 are mirrored and port 1 is the sniffer/destination

(27 Jun '12, 17:28) lorigar

Yes, this will let you do what you want. If you're only interested in traffic between the XBox and the Stora media server, then it is only necessary to mirror Port 3 OR Port 4 to Port 1. If you mirror both ports 3 AND 4, you will see duplicate traffic in your trace file because packets between the XBox and the Stora media server pass through both ports.

(27 Jun '12, 17:49) Jim Aragon

Okay, thanks so much for the information.

That is good to know because I'm trying to learn how to analyze network performance using Wireshark and am guessing that duplicate traffic would skew the results.

Thanks again!

(27 Jun '12, 18:08) lorigar
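The duplicate traffic described in the comments above can be detected after capture. This is an added example, not code from the original thread or from Wireshark: it reads a classic pcap file and sets aside any frame that is byte-identical to one of the last few kept frames and arrives within a very short interval, which is the pattern produced when both ports on a path are mirrored. The sample frames, the window of 4 and the 1 ms gap are assumptions chosen for illustration.

```python
import hashlib
import struct
from collections import deque

# Constructed sample frames (not real traffic): 14-byte Ethernet header + payload.
FRAME_A = bytes(12) + b"\x08\x00" + b"stora->xbox chunk 1"
FRAME_B = bytes(12) + b"\x08\x00" + b"xbox->stora ack 1"

def build_pcap(frames):
    """Build a little-endian classic pcap (Ethernet) from (sec, usec, bytes) tuples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, data in frames:
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out

# Mirroring two ports on the same path: each frame is captured twice, microseconds apart.
# The last FRAME_A is 300 ms later, so it is a genuine repeat and must be kept.
SAMPLE = build_pcap([(0, 0, FRAME_A), (0, 20, FRAME_A),
                     (0, 100, FRAME_B), (0, 130, FRAME_B),
                     (0, 300000, FRAME_A)])

def read_pcap(blob):
    """Yield (timestamp_seconds, frame_bytes) from a classic pcap byte string."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic microsecond-resolution pcap")
    offset = 24  # skip the global header
    while offset + 16 <= len(blob):
        sec, usec, incl_len, _ = struct.unpack_from(endian + "IIII", blob, offset)
        offset += 16
        if offset + incl_len > len(blob):
            raise ValueError("truncated packet record")
        yield sec + usec / 1e6, blob[offset:offset + incl_len]
        offset += incl_len

def dedupe(packets, window=4, max_gap=0.001):
    """Return (kept, duplicates); a duplicate matches a recent kept frame within max_gap s."""
    recent = deque(maxlen=window)
    kept, dupes = [], []
    for ts, data in packets:
        digest = hashlib.sha256(data).digest()
        if any(d == digest and ts - t <= max_gap for t, d in recent):
            dupes.append((ts, data))
        else:
            kept.append((ts, data))
            recent.append((ts, digest))
    return kept, dupes
```

Wireshark's `editcap -d` performs a comparable duplicate removal on a saved capture file.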

0

Try using an inexpensive hub, which is basically a dumb switch. It is dumb because it does not segment Ethernet traffic in the way that a switch does by port. Instead, all traffic from one port is replicated to all other ports. This can be useful to act like a kind of port mirroring.

answered 01 Feb '13, 17:22

scurrier03