This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Win 7 Firewall rule when capturing using switch’s monitor mode?

0

Hi, I want to use Wireshark to capture all packets mirrored by a switch, as described in:

http://wiki.wireshark.org/CaptureSetup/Ethernet#Capture_using_a_monitor_mode_of_the_switch

Supposing that the Wireshark PC has Windows 7 installed, what Firewall rule should I define to ensure that Wireshark gets all the mirrored traffic?

Would I specify the rule for Wireshark or for WinPCap?

BR David

asked 31 Jul '14, 05:45

DavidA
accept rate: 0%


One Answer:

1

Supposing that the Wireshark PC has Windows 7 installed, what Firewall rule should I define to ensure that Wireshark gets all the mirrored traffic?

Forget about configuring firewall rules (;-), for two reasons:

  • We have had a lot of problem reports regarding all kinds of security software (firewalls, AV, VPN clients, endpoint security, etc.) that caused massive trouble while capturing packets.
  • You don't know what kind of traffic will be on the line, so you can't configure a rule other than to allow anything, which is the same as disabling the firewall.

So, the only reliable way to get correct captures is to disable the firewall while you are capturing. If you are afraid of an attack during that period of time, you can disable the IPv4 and/or IPv6 protocol binding on that interface (interface settings).

Regards
Kurt

answered 01 Aug '14, 00:11

Kurt Knochner ♦
accept rate: 15%
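The "unbind IPv4/IPv6 from the capture interface" approach from the answer, scripted as an added PowerShell example (mine, not code from the answer or from the Wireshark project). It assumes the NetAdapter cmdlets, which exist on Windows 8 / Server 2012 and later but not on Windows 7 itself (there the adapter's Properties dialog does the same thing), an adapter named "Ethernet", and dumpcap at its default install path; run it from an elevated prompt.

```powershell
# Added example: make the mirror-port NIC a passive sink for the duration of a
# dumpcap capture by unbinding IPv4 and IPv6, then restore the bindings.
# Assumptions: NetAdapter module present (Windows 8+/Server 2012+), adapter
# "Ethernet" is the one plugged into the SPAN port, default Wireshark path.
param(
    [string]$Adapter = 'Ethernet',                                   # assumed name
    [string]$Dumpcap = 'C:\Program Files\Wireshark\dumpcap.exe',     # assumed path
    [string]$OutFile = "$env:USERPROFILE\span-capture.pcapng",
    [int]$Seconds    = 300
)

# Component IDs of the IPv4 and IPv6 protocol bindings.
$protocols = 'ms_tcpip', 'ms_tcpip6'

# Record which of the two bindings are currently enabled so that only those
# get restored afterwards (the adapter may already have one of them off).
$wasEnabled = Get-NetAdapterBinding -Name $Adapter -ComponentID $protocols |
    Where-Object Enabled | Select-Object -ExpandProperty ComponentID

try {
    if ($wasEnabled) {
        Disable-NetAdapterBinding -Name $Adapter -ComponentID $wasEnabled
        Start-Sleep -Seconds 2   # give the IP stack a moment to release the adapter
    }

    # Sanity check: with no IP stack bound, the adapter holds no address, so
    # there is nothing on it for the host firewall to police or for a remote
    # system to reach; the NIC still delivers raw frames to WinPcap/dumpcap.
    $addrs = Get-NetIPAddress -InterfaceAlias $Adapter -ErrorAction SilentlyContinue
    if ($addrs) {
        throw "Adapter '$Adapter' still has addresses: $($addrs.IPAddress -join ', ')"
    }

    # dumpcap -D lists capture interfaces; recent builds accept the friendly
    # name with -i. Promiscuous mode stays on (default), which a mirror port
    # needs because the copied frames carry other hosts' MAC addresses.
    & $Dumpcap -D
    & $Dumpcap -i $Adapter -w $OutFile -a "duration:$Seconds"
    if ($LASTEXITCODE -ne 0) { throw "dumpcap exited with code $LASTEXITCODE" }
    Write-Host "Capture written to $OutFile"
}
finally {
    # Always put the bindings back, even if the capture failed.
    if ($wasEnabled) {
        Enable-NetAdapterBinding -Name $Adapter -ComponentID $wasEnabled
    }
}
```

Unbinding the IP stack only affects the capture NIC, so the management interface keeps its firewall and connectivity while the mirrored traffic is recorded.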