Port mirroring and Wireshark

If we have all unmanaged switches, is it true we will not be able to view all the network traffic with Wireshark? Was told I could plug a managed switch with port mirroring capability into one of our unmanaged switches to accomplish this. That does not make sense to me!
Webcc Asked:

arnold Commented:
It makes sense only when the managed switch is plugged in between the outside feed and the remaining unmanaged switches, and it will only reflect traffic that goes from the inside to the outside and from the outside to the inside. Not sure about intra-switch device traffic.

Internet <=> router <=> unmanaged switches

Internet <=> router <=> managed switch with mirrored port <=> unmanaged switches
                                          \ > wireshark connected

It all depends on which traffic you are interested in capturing.

Miftaul Commented:
A switch only forwards traffic to the port on which it has learned the destination device's MAC address. For the rest of the ports, the frame is not forwarded or seen like it is on a hub.

When we use Wireshark to capture packets, the Wireshark device needs to be able to see the frames so it can capture them. In a switched environment, when we run Wireshark, we only see the packets that are coming in on our own switchport and the broadcast packets that are traversing the switch.

For us to capture packets for other devices that are connected to other switchports, we need the following.

1. Connect the devices to a hub and run Wireshark. In a hub, all packets are forwarded to all ports.
2. Get a managed switch that allows port mirroring or SPAN. We can then mirror a remote port to our own port, so our Wireshark can capture the packets.
Don Johnston (Instructor) Commented:
> If we have all unmanaged switches is it true we will not be able to view all the network traffic with Wireshark?
Yes, this is 100% correct (without port mirroring).
> Was told I could plug a managed switch with port mirroring capability into one of our unmanaged switch to accomplish this.
Again, 100% correct.
> That does not make sense to me!
As previously pointed out, switches will only send unicast traffic to all ports if the switch does not know what port to use to get to the destination device. This is referred to as an "unknown unicast" destination.

Webcc (Author) Commented:
So the source would be the router and destination would be where we plug in Wireshark and we can connect the managed switch to the unmanaged switches on any port? In this configuration we would be capturing most of the traffic on the network.

Internet <=> router <=> managed switch with mirrored port <=> unmanaged switches
                                          \ > wireshark connected
Don Johnston (Instructor) Commented:
> So the source would be the router and destination would be where we plug in Wireshark and we can connect the managed switch to the unmanaged switches on any port?
That would let you capture the traffic from hosts on the network to/from the internet. If that traffic constitutes "most" of the traffic on the switch, then yes.

The thing about switches and protocol analyzers is that it's very difficult to capture all the traffic. What you have to do is determine what traffic is important (or interesting) and mirror the ports that will handle that traffic.
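
The forwarding behaviour discussed in this thread, as an added simulation that is not code from any poster: a learning switch floods broadcast and unknown-unicast frames but sends known unicast out one port, and a mirror session copies only frames crossing the mirrored port. The topology follows the diagram above (router, managed switch mirroring the router-facing port, unmanaged switch with hosts A and B); the MAC names, port numbers and frame labels are constructed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Host:
    def __init__(self, mac):
        self.mac, self.seen = mac, []
    def receive(self, _port, frame):
        self.seen.append(frame[2])                 # record the frame label

class Switch:
    """Learning switch; mirror_src/mirror_dst model one SPAN session."""
    def __init__(self, mirror_src=None, mirror_dst=None):
        self.mac_table, self.links = {}, {}
        self.mirror_src, self.mirror_dst = mirror_src, mirror_dst
    def connect(self, port, peer, peer_port=None):
        self.links[port] = (peer, peer_port)
    def receive(self, in_port, frame):
        src, dst, _label = frame
        self.mac_table[src] = in_port              # learn where the sender lives
        if dst != BROADCAST and dst in self.mac_table:
            out = {self.mac_table[dst]}            # known unicast: one port only
        else:
            out = set(self.links)                  # broadcast or unknown unicast: flood
        out -= {in_port, self.mirror_dst}          # SPAN destination carries copies only
        for port in sorted(out):
            self._send(port, frame)
        if self.mirror_dst and (in_port == self.mirror_src or self.mirror_src in out):
            self._send(self.mirror_dst, frame)     # copy rx and tx of the mirrored port
    def _send(self, port, frame):
        peer, peer_port = self.links[port]
        peer.receive(peer_port, frame)

def simulate():
    a, b, router, sniffer = (Host(m) for m in ("aa", "bb", "rr", "sniff"))
    unmanaged = Switch()
    managed = Switch(mirror_src=1, mirror_dst=3)   # mirror the router-facing port
    unmanaged.connect(1, a); unmanaged.connect(2, b); unmanaged.connect(3, managed, 2)
    managed.connect(1, router); managed.connect(2, unmanaged, 3); managed.connect(3, sniffer)
    unmanaged.receive(1, ("aa", BROADCAST, "A ARP broadcast"))
    unmanaged.receive(2, ("bb", "aa", "B->A"))
    unmanaged.receive(1, ("aa", "bb", "A->B"))
    unmanaged.receive(1, ("aa", "rr", "A->router"))
    managed.receive(1, ("rr", "aa", "router->A"))
    return sniffer.seen, b.seen

if __name__ == "__main__":
    mirrored, host_b = simulate()
    print("sniffer on mirror port:", mirrored)
    print("host B on unmanaged switch:", host_b)
```

The sniffer on the mirror port records the broadcast and both directions of the A/router exchange but neither A/B frame, while host B sees only the broadcast, its own unicast, and the one flooded unknown-unicast frame.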
Miftaul Commented:
Remote port mirroring needs to be supported on your switches. In Cisco it's called RSPAN.

Here you need to connect your PC to a port and mirror another port on the same managed switch. You cannot monitor unmanaged switch traffic from the managed switch port even if you mirror the port connecting the unmanaged switch. If you connect a hub, that's different and will work.

In other words, the traffic being monitored and the monitoring PC have to be on the same mirror-supported switch. Otherwise you will not see all traffic.
Webcc (Author) Commented:
Got things connected in order to view the traffic we need. However, the laptop could not access the Internet while connected in this way. Is this normal? Was not getting an IP from DHCP.
arnold Commented:
Yes, the port to which you are connecting the laptop only has one function: to let a network monitoring tool (Wireshark/MS network tool) see the same traffic that the mirrored port sees.
Miftaul Commented:
While monitoring, I usually connect my PC to both LAN and wireless and then ensure the metric for WiFi is lower. That way, when I am capturing on the LAN port, I still have internet.
Webcc (Author) Commented:
Thanks Experts!
PaulOfford Commented:
You might be interested in a session I presented at SharkFest 15 on this subject. I cover 8 or 10 different scenarios for capturing packets. You can view the session at https://youtu.be/pb1yb1eUlgY