
Port mirroring and Wireshark

First, do you need to set up port mirroring on a switch in order to capture everything on the network, or just a NIC running in promiscuous mode?

Tried to set up port mirroring on a Netgear switch (spare switch):
Connected the corporate network to the source port (flat network setup, no VLANs)
Connected the sniffing PC to the destination port

Could not connect to the corporate network.
Tried to configure a static but still could not communicate through the source/destination ports. However, if the PC was plugged into any other port then I could access the network.

Distinguished Expert 2019
Port mirroring needs to be set up on the switch where the data is, not on a secondary switch, as it will only mirror data received.

Main switch port 1 is the feed from the router.
You would configure port x as a mirror of port 1.
You connect your Wireshark system to port X and see everything that flows in and out of the network.
Qlemo"Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Port mirroring only mirrors a single port, not all the traffic on the switch (with the exception of VLANs, which can be mirrored as a whole). Depending on the amount of traffic mirrored, the mirror port will not be usable for any regular traffic.


If I just plug in without mirroring will I be able to see all traffic or just traffic to and from my computer?
Distinguished Expert 2019

On a switch you would commonly see broadcasts, multicasts and what is directed to and is being sent from your system.
Assuming a switch with a single LAN connecting all the ports.
Then, when you set up a mirror port, that port is *disconnected* from the other ports completely.  It's as if it's on its own VLAN.
Then, when you mirror a LAN port or ports INTO the mirror, you will see only the things that are mirrored.

What I do is this:
1) Set up a workstation on the LAN for general network management purposes.
2) Add a NIC to that computer to monitor mirror ports.  For this NIC it need not have an IP address at all and you can turn off TCP/IP.  Its only job is to listen to what's on the switch mirror port.
3) Add a cable from the mirror port to the added NIC.

So, you need a separate cable to access any mirror port.

With the two NICs (or more) you can have access to the LAN and the internet using the normal NIC on the workstation AND you will have access to any connected mirror port using one of the added NICs.

Wireshark can be set to monitor any of the NICs.

Another approach is to take a laptop to the switch and connect a cable from the laptop to the mirror port on the switch.  You won't expect the laptop to be on the LAN or to see the internet.  It will only see what's directed to the mirror port on the switch.
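
An added example, not written by any poster in this thread, for checking what the answers above describe: on an ordinary switch port a capture holds only broadcasts, multicasts and the sniffer's own traffic, while a working mirror also delivers unicast frames between other hosts. The MAC addresses, the sample frames and the `min_share` threshold are constructed assumptions.

```python
from collections import Counter

BROADCAST = b"\xff" * 6

def mac(text):
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))

def make_frame(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a constructed Ethernet II frame (sample data only)."""
    return mac(dst) + mac(src) + ethertype.to_bytes(2, "big") + payload

def classify_frame(frame, own_mac):
    """Classify one frame relative to the capture NIC's own MAC address."""
    if len(frame) < 14:                 # shorter than an Ethernet header
        return "truncated"
    dst, src = frame[0:6], frame[6:12]
    if own_mac in (dst, src):
        return "own"
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                   # group bit set: multicast address
        return "multicast"
    return "foreign_unicast"            # unicast between two other hosts

def summarize(frames, own_mac):
    return Counter(classify_frame(f, own_mac) for f in frames)

def mirror_seems_active(frames, own_mac, min_share=0.2):
    # A switch floods unicast for destinations it has not learned yet, so a
    # stray foreign frame proves nothing; require a share (assumed threshold).
    counts = summarize(frames, own_mac)
    total = sum(counts.values())
    return total > 0 and counts["foreign_unicast"] / total >= min_share

# Constructed sample captures (locally administered MAC addresses).
OWN, HOST_A, HOST_B = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:0b"
PLAIN_PORT = [make_frame("ff:ff:ff:ff:ff:ff", HOST_A),
              make_frame("01:00:5e:00:00:fb", HOST_B),
              make_frame(HOST_A, OWN), make_frame(OWN, HOST_A)]
MIRROR_PORT = [make_frame(HOST_B, HOST_A)] * 3 + [make_frame(HOST_A, HOST_B)] * 2 \
              + [make_frame("ff:ff:ff:ff:ff:ff", HOST_A)]

if __name__ == "__main__":
    for name, frames in (("plain port", PLAIN_PORT), ("mirror port", MIRROR_PORT)):
        print(name, dict(summarize(frames, mac(OWN))),
              "mirror active:", mirror_seems_active(frames, mac(OWN)))
```
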