Description:

To analyze network communication it is often necessary to record the network traffic at a switch port. On managed switches this can be implemented via port mirroring: the network traffic is mirrored from one or multiple switch ports to another switch port, where a network participant records the traffic for later analysis.

This article describes how to configure port mirroring on a GS-3xxx series switch.

Important note regarding the capturing of data traffic on a mirror port via Wireshark on a Windows Computer


The operating system Windows cannot handle VLAN tags. Therefore a network driver is needed to enable VLAN handling. In many cases the VLAN tags are filtered by the driver, so that they are not included in a Wireshark trace of a mirror port. This can complicate the analysis of VLAN problems in a network enormously.

With some manufacturers, settings can be changed in the driver software so that the VLAN tags are no longer filtered. With other manufacturers, changes have to be made in the registry to achieve this.

Additional information can be found on the Wireshark website.  
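The following check, an added example that is not part of the original article, reads a capture saved in classic pcap format and counts the frames that still carry an 802.1Q or 802.1ad tag, which shows whether the capture adapter's driver is stripping VLAN tags from the mirror port trace. The function names and the sample capture are constructed for illustration; pcapng files are not handled.

```python
import struct
from collections import Counter

TPIDS = {0x8100, 0x88A8}  # tag protocol identifiers: 802.1Q and 802.1ad

def vlan_summary(pcap_bytes):
    """Return (total_frames, Counter of outer VLAN IDs) for a classic pcap capture."""
    magic = pcap_bytes[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0]
    if linktype != 1:
        raise ValueError("link type is not Ethernet")
    total, vlans, offset = 0, Counter(), 24
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        total += 1
        # The outer tag, if present, directly follows the two MAC addresses.
        if len(frame) >= 16:
            tpid, tci = struct.unpack("!HH", frame[12:16])
            if tpid in TPIDS:
                vlans[tci & 0x0FFF] += 1  # lower 12 bits of the TCI are the VLAN ID
    return total, vlans

def sample_pcap():
    """Constructed capture: one frame tagged with VLAN 10 and one untagged frame."""
    macs = bytes.fromhex("ffffffffffff" "020000000001")
    tagged = macs + struct.pack("!HHH", 0x8100, 10, 0x0800) + bytes(46)
    untagged = macs + struct.pack("!H", 0x0800) + bytes(46)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for frame in (tagged, untagged):
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    total, vlans = vlan_summary(sample_pcap())
    print(f"{total} frames, tagged frames per VLAN ID: {dict(vlans)}")
    if not vlans:
        print("no VLAN tags seen: the capture adapter or its driver may be stripping them")
```

To check a real trace, pass the file contents, for example vlan_summary(open(path, "rb").read()), after mirroring a port that is known to carry tagged traffic.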


Procedure:

1) Connect to the switch via the web interface and go to the menu Diagnostics → Mirroring.

2) Change the following parameters and click Apply:

  • Monitor Session: Select a monitor session. A maximum of 5 monitor sessions can be used at the same time.
  • Monitor destination port: Select the destination port in the dropdown menu. A network participant which captures the data traffic for later analysis has to be connected to this port.
  • Port: Select one or multiple source ports whose data traffic is to be forwarded to the destination port and set the Mode to Enabled. In doing so all data traffic is forwarded to the destination port. 

Instead of forwarding all data traffic, this can also be limited to incoming data traffic (Rx only) or outgoing data traffic (Tx only).

The negotiated data rate of the destination port has to be at least equivalent to the negotiated data rate of the source port(s). Otherwise not all network traffic can be recorded, which greatly complicates the analysis or even renders it impossible. This must be taken into account in particular when using multiple source ports.

Examples:

  • Source port 1 GBit and destination port 1 GBit works
  • Source port 10 GBit and destination port 1 GBit does not work
  • Source ports three times 1 GBit and destination port 10 GBit works

3) Click on the red disk symbol in the upper right corner to save the configuration as Start Configuration.

The start configuration is retained even if the device is restarted or there is a power failure.


If the port mirror isn't needed anymore, it has to be deactivated:

  • Set the parameter Monitor destination port to Disabled.
  • Set the Mode for all ports to Disabled.
  • The last step is to save the configuration as the start configuration via the red disk symbol in the upper right corner.