Wireshark mailing list archives
Re: hidden packets
From: Giles Coochey <giles () coochey net>
Date: Mon, 19 Aug 2019 16:47:31 +0100
On 19/08/2019 16:34, Giles Coochey wrote:
Forgot to mention, outside Cisco the feature is called "port mirroring", and even some low-end TP-Link devices support this: https://www.amazon.co.uk/TP-Link-TL-SG105E-Desktop-Easy-Smart-Ethernet/dp/B00N0OHEMA/ref=asc_df_B00N0OHEMA/?tag=googshopuk-21&linkCode=df0&hvadid=310754948045&hvpos=1o2&hvnetw=g&hvrand=13136108276810328918&hvpone=&hvptwo=&hvqmt=&hvdev=c&hvdvcmdl=&hvlocint=&hvlocphy=1006978&hvtargid=pla-343408315892&psc=1&th=1&psc=1

On 19/08/2019 15:57, Richard Perlman wrote:

Got it. Makes sense. While my APs are in “bridge” mode, I do have switches deployed in several locations, notably between the Mac I am running Wireshark on and the rest of the network. I am not exactly sure how, or with the equipment I have - if, I can set up a span session. All the information on doing that seems to assume Cisco gear. My network is fairly simple and consists of Wi-Fi access points (mostly aging Apple Airports), Ethernet switches and a gateway router provided by my ISP (Free.fr <http://free.fr/> in France).

There are other ways of doing that - but it will involve some extra equipment:

In any case, I at least know why I don’t see the traffic.

1. A Small SoC computer can be set up as a router, potentially capable of running tcpdump to take the packet captures.
2. A physical TAP on a port can make a copy of the traffic and you can connect your kit running Wireshark to that.
3. Even a second hand Cisco switch can be purchased on eBay pretty cheaply.

The SoC computer might be the cheapest option, I'm thinking Raspberry Pi - this has wifi and a gigabit port, so could temporarily replace your AP, and the Debian Based Raspbian software can run wireshark, or you can run tcpdump and then export the pcap to view in wireshark.

Second cheapest, although probably close in price would be a used Cisco switch, anything in the Catalyst range would have the span session capability: https://www.ebay.co.uk/itm/CISCO-CATALYST-3560-SERIES-PoE-24-WS-C3560-24PS-24-PORT-PoE-SWITCH-FREE-DEL/272243680614?epid=1017614211&hash=item3f62fce566:g:~2cAAOSwMwxbVg8k - this is probably technically easier than the SoC option, but does require some Cisco know-how.

The TAP option is probably the most expensive for an industrial tap device, but it requires no technical know-how, just connecting the AP or your gateway in line and connecting your Wireshark device to the other port, there are only a few (perhaps three) permutations where you can go wrong, and you'll know if you've connected it up wrong (nothing works, and/or you see no packets).
-- Giles Coochey
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe