This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Sniffing Multiple Switches

0

I have a client who has a network that has a FIOS router that uplinks into their main switch. This main switch has two other switches plugged into it that are in different parts of the office. Each of the remote switches has anywhere from 6 to 8 users plugged into it, and the main one has about 10 connections plugged into it plus the 2 other switches. I know I need a hub to be able to sniff the traffic on the switches. I was planning on connecting the FIOS to the switchable uplink port on the hub and using a crossover cable to hook the main switch (with the other 2 switches plugged into it) to the hub also, then connecting my laptop to the same hub. My question is: would the laptop be able to sniff the traffic from all the switches in that configuration? It would be very difficult to run crossover cable to each of the 2 remote switches and I am hoping that I won't need to.

Please inform me, as I am not sure, as I never had to sniff more than one switch before.

Thank you,

Andy

asked 23 Jun '14, 06:04

medusanyc


One Answer:

0

Are you just looking at the office traffic via the FIOS router, or also internal traffic? If the first then any decent switch should be able to give you a monitor port to look at that traffic. Or get a small one and stick that in between the FIOS router and the main switch.

answered 23 Jun '14, 12:34

Jaap ♦

I want to monitor the traffic of the workstations across the network. I don't have a monitor port on my switches, nor do I have a managed switch.

Will I be able to use a hub on my network to sniff the traffic across all the switches? I am more interested in the traffic across the internal network than the traffic to the internet.

(23 Jun '14, 18:43) medusanyc

What does a switch do? It tries to get the frames to the right destination. So, two machines on a remote switch exchanging frames will have their frames confined to that switch. That means that you'll end up exchanging every switch with a hub to get all traffic on the core hub, which you want to monitor. This will do no good for your network performance, going from full duplex to half duplex and all traffic flushing out of every network port.

Wanting to see all traffic on a network leads me to believe that you've no idea where to look for the thing you're looking for. I would suggest working different angles to the problem and see if you can narrow down the amount of traffic you need to analyze.

(24 Jun '14, 00:17) Jaap ♦

I found there are crossover adapters. If I connect each switch to the hub independently, then connect my laptop to the hub, would that allow me to see the traffic on all three switches?

(24 Jun '14, 04:28) medusanyc

@medusanyc Your "answer" has been converted to a comment as that's how this site works. Please read the FAQ for more information.

I think you're still missing the point. If two machines are connected to the same switch, traffic between the two will never leave the switch (and will be confined to their respective switch ports apart from broadcast traffic) and you'll never see it with your hub connected to the switch.

That's how a switch works, hence the need for managed switches that can span or mirror a port to another port so you can capture the traffic internal to the switch.

You could insert the hub between the switch and a machine of interest, but then you'll still only be able to monitor one machine at a time and will need to move the hub to monitor another machine.

(24 Jun '14, 04:50) grahamb ♦
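
The forwarding behaviour described in the comments above, as an added example that is not part of the original thread: a small simulation of MAC-learning switches and a repeating hub, showing which flows reach a capture laptop on the hub. The topology and host names (`pc_a1`, `server`, `sw_a`, ...) are constructed assumptions modelled on the question's layout.

```python
from collections import defaultdict

# Constructed topology modelled on the question: router - hub - main switch,
# two remote switches behind the main switch, capture laptop on the hub.
LINKS = [("router", "hub"), ("hub", "laptop"), ("hub", "sw_main"),
         ("sw_main", "sw_a"), ("sw_main", "sw_b"), ("sw_main", "server"),
         ("sw_a", "pc_a1"), ("sw_a", "pc_a2"), ("sw_b", "pc_b1")]
SWITCHES, HUBS = {"sw_main", "sw_a", "sw_b"}, {"hub"}

class Network:
    def __init__(self, links):
        self.adj = defaultdict(list)
        for a, b in links:
            self.adj[a].append(b)
            self.adj[b].append(a)
        self.mac_table = defaultdict(dict)   # switch -> {address: neighbour}

    def send(self, src, dst):
        """Send one frame from host src; return the hosts whose NIC receives it."""
        seen = set()
        self._forward(self.adj[src][0], src, src, dst, seen)
        return seen

    def _forward(self, node, came_from, src, dst, seen):
        if node in SWITCHES:
            table = self.mac_table[node]
            table[src] = came_from           # learn which port leads to src
            # Known unicast leaves on one port; broadcast/unknown is flooded.
            out = [table[dst]] if dst in table else self.adj[node]
        elif node in HUBS:
            out = self.adj[node]             # a hub repeats on every port
        else:
            seen.add(node)                   # end host NIC (sniffer is promiscuous)
            return
        for nxt in out:
            if nxt != came_from:             # never back out of the ingress port
                self._forward(nxt, node, src, dst, seen)

def learn(net):  # each host broadcasts once (as ARP would) to fill the MAC tables
    for host in [n for n in net.adj if n not in SWITCHES | HUBS]:
        net.send(host, "broadcast")
    return net

def visible_at_hub(flows, links=LINKS, sniffer="laptop"):
    net = learn(Network(links))
    return {flow: sniffer in net.send(*flow) for flow in flows}

if __name__ == "__main__":
    print(visible_at_hub([("pc_a1", "pc_a2"), ("pc_a1", "server"), ("pc_a1", "router")]))
```

Passing a different `links` list, for example one with the hub placed between a switch and a single machine, models the one-machine-at-a-time placement from the comment above.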

I think I got it now. I should plug our server into the hub along with the switch that all the traffic goes through, then plug my laptop into the hub, and I should be able to monitor all the traffic between the workstations and the servers.

We have 2 servers. Can I plug both into the hub and monitor traffic from both?

(26 Jun '14, 07:07) medusanyc