I have my PC connected to a Cisco switch port with the port in SPAN. However, I see some traffic initiated by the PC. These appear to be broadcasts of NetBIOS name resolutions. I tried changing the binding on the port and removed all protocols; that shuts the port down and I cannot use it for capture. I happen to have AirMagnet software installed on this PC, and binding it just to that does appear to work.

asked 13 Sep '16, 15:37 rjwilson01
edited 13 Sep '16, 18:56 Guy Harris ♦♦

2 Answers:
In the adapter settings, uncheck IPv4 and IPv6. This will disable the stacks and prevent TX on the adapter.

answered 14 Sep '16, 17:32 Rooster_50

Thanks. After a lot of fiddling, what I am seeing appears to be a feature of Cisco's AnyConnect VPN software. With the Cisco software installed, if I unlink all protocols, the adapter gets disabled and Wireshark cannot use it. On a very similar machine (same base build image) but without Cisco's AnyConnect added, what you described works: I can unlink all protocols and the card does not get disabled.

answered 08 Oct '16, 22:54 rjwilson01

I operate in this manner all the time with my WindowsXP, Windows7, and Windows8.1 OSs. I deselect all the bindings and then can only receive traffic, which it does. I recommend this to my colleagues when they have a dedicated wired sniffing adapter. This works with Linux as well if I zero out the IP address.
Except for the (hopefully) minor inconvenience of having to discard that traffic once captured, is there any other problem? Cisco SPAN, by default, does not pass ingress traffic on a SPAN destination port, so I would think it would not be affecting the network proper due to its presence.
Default Config: Ingress forwarding (destination port) Disabled
What OS are you on?
I see you are on Windows7 - didn't read the title. I know our corporate policy is that when a wired link is available, WiFi turns off. This isn't the same thing, as that is controlled by the BIOS in the Dells we use, but could there be some group policy or something blocking the traffic? Or maybe anti-virus/firewall?
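
One way to check whether the capture adapter really stays silent after the protocols are unbound, as an added example that is not part of the original thread: the script reads a classic pcap file saved from Wireshark and counts the frames whose Ethernet source address is the adapter's own MAC. The MAC addresses and the sample capture are constructed for illustration, and a pcapng capture would have to be saved as pcap first.

```python
import struct
from collections import Counter

def frames_sent_by(pcap_bytes, adapter_mac):
    """Count frames in a classic pcap (Ethernet) whose source MAC is the
    capture adapter's own address, grouped by EtherType."""
    mac = bytes.fromhex(adapter_mac.replace(":", "").replace("-", ""))
    magic = pcap_bytes[:4]
    if len(pcap_bytes) < 24:
        raise ValueError("too short to be a pcap file")
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # little-endian file
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # big-endian file
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0]
    if linktype != 1:                                          # 1 = LINKTYPE_ETHERNET
        raise ValueError("link type %d is not Ethernet" % linktype)
    sent = Counter()
    offset = 24                                                # skip the global header
    while offset + 16 <= len(pcap_bytes):
        # Record header: ts_sec, ts_usec, incl_len, orig_len (4 bytes each)
        incl_len = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        # Ethernet header: dst MAC (6 bytes), src MAC (6 bytes), EtherType (2 bytes)
        if len(frame) >= 14 and frame[6:12] == mac:
            sent[struct.unpack("!H", frame[12:14])[0]] += 1
    return dict(sent)

# Constructed sample: the adapter MAC and all frames are made up for illustration.
ADAPTER = "00:11:22:33:44:55"
_me, _other = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
_frames = [
    b"\xff" * 6 + _me + b"\x08\x00" + bytes(46),                  # IPv4 broadcast sent by the PC
    bytes.fromhex("0a0b0c0d0e0f") + _other + b"\x08\x00" + bytes(46),  # mirrored traffic
    b"\x33\x33\x00\x00\x00\x02" + _me + b"\x86\xdd" + bytes(46),  # IPv6 multicast sent by the PC
]
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in _frames)

if __name__ == "__main__":
    for ethertype, n in sorted(frames_sent_by(SAMPLE, ADAPTER).items()):
        print("adapter transmitted %d frame(s) with EtherType 0x%04x" % (n, ethertype))
```

An empty result for a capture taken after unbinding means no frame in that capture carried the adapter's MAC as its source.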