This is a static archive of our old Q&A Site. Please post any new questions and answers at

Name resolution question when mirroring ports on a switch…



I am relatively new to Wireshark. I am monitoring my home network traffic by mirroring a port on my GS116E sent to a second NIC on one of my PCs. I have my router (WRT54GL) set up to tee POSTROUTED traffic to this monitor NIC as well. This is working well and I see all the wired, wireless, and WAN traffic.

The question I have is about the mirrored packets often showing up as TCP Retransmissions (in red on black) with the destination decoded as the original destination rather than the monitor NIC destination. The original packet shows matching destination IP and MAC addresses. The teed packet shows the original IP destination and the monitor NIC's MAC address. The content of both packets is otherwise identical. So the data is being sent twice and to the correct MACs, but being displayed in a way I would not have expected.

Here is how I mirror at the router which creates the extra LAN traffic sent to the monitor NIC: iptables -A POSTROUTING -t mangle -j ROUTE --gw --tee

screen copy of an example

asked 19 Jan '12, 17:08

KK1L's gravatar image

accept rate: 0%

edited 19 Jan '12, 20:05

One Answer:


I'm not a iptables specialist, but I think what you're doing is to have the router mangle all packets to be sent to an additional destination, which is your Wireshark NIC. So what you have there is not the same as a "normal" SPAN port, but some sort of packet manipulation/duplication process that will also change the MAC address of the destination in order to be able to deliver it at all.

Usually, a SPAN/Mirror/Monitor/Roving port (or whatever the vendor calls it) is a layer two copy process that simply copies the frame to the port where the analyzer is connected to, without modifying it at all. Your solution is sort of a higher layer workaround, which has the side effects of modifying the MAC address, if I am not mistaken.

answered 20 Jan '12, 03:56

Jasper's gravatar image

Jasper ♦♦
accept rate: 18%

Thanks for the reply Jasper. You are right about the iptables action. Wireshark must be looking at the IPV4 rather than EthernetII. I have to assume that is the correct place for it to look because I am just getting my feet wet in this level of network decoding.

(20 Jan '12, 19:51) KK1L