baleman2
How do I use Wireshark to capture switch port traffic?

I have an Extreme Switch that is capable of port monitoring.
I'll be using a laptop to connect to port 11 on this switch.  I'll be monitoring port 13 that has a VOIP switch plugged in to it.  The purpose is to capture the traffic of the VOIP switch because that VOIP switch is losing connectivity to our network at random.
On the Extreme switch, all I have to do is select port 11 as the "monitoring" port and select port 13 as the port I want to monitor.  This part is easy enough.
I'd like to use Wireshark as the utility to capture the traffic.  Installing Wireshark on the laptop I'll be plugging in to port 11 is no problem.  However, tutorials I've seen so far are not specific enough to tell me "how to" set up Wireshark to capture/store the traffic that's traveling across port 13.
Please advise.
Jorge Diaz
Baleman, what specifically is not working for you? To capture traffic you only need to select the interface connected to your switch and start the capture. When you stop the capture you'll have the option to save it, or you can configure Wireshark to save to a file and create new files after x amount of storage.
baleman2 (asker)
I've never used Wireshark (or any other sniffing software) and I've got to drive several miles to set this up onsite. I wanted to get a clearer picture of the setup before I go there. I want to capture traffic on ONLY one port as described above. Once the laptop is connected to the switch, I don't know how to "tell" Wireshark to start sniffing that particular port.
In your description, is "interface" equal to my "port"? If so, will Wireshark present me an option to scan a particular port?
It will capture the traffic of the network interface it is physically connected to. So if you're connected to port 11, it will capture that traffic.
Automatically, i.e., with no instructions from me telling Wireshark what to do?
ASKER CERTIFIED SOLUTION
Jorge Diaz
This solution is only available to members.
Jorge:  Thanks for your help.
One last question. The cause for all this packet sniffing in the first place is that our VOIP phone switch is losing connectivity to our network several times a day. This is a random occurrence, with no way to guess when the interruption will occur. So, the VOIP support group wants us to capture data from the port that the VOIP switch is plugged in to. This may mean capturing 4-8 hours of data until there's an interruption in VOIP service. At that point, they want me to stop the capture, save the file, and send it to them. Having never used any utility like Wireshark before, how large is a file that captures 4-8 hours of data going to be? Is this feasible?
Hard to tell; it depends on how much traffic traverses the interface. If I were you I'd configure the output option in Wireshark to create a new file every 1 gigabyte. That way you don't have to babysit the laptop. Have you gone to the official Wireshark website? They have pretty useful resources and how-tos. I'd also run a continuous ping to and from the server if possible, and I'd also set up another host in the same segment to run pings to as well. You'd like to ping your default gateway and an external host.
Ah, that requires a bit extra...
You can only monitor the interface the VOIP device is on IF you can run Wireshark on that VOIP device.
If you cannot, you need to be able to use a Copy/Mirror port feature on the switch, where it will send all data sent to or received from a certain port (e.g. the VOIP system) also to the "copy/mirror" port (where you connect your laptop/system with Wireshark).

The VOIP port will work as normal; the copy/mirror port can only send data to your laptop/system, it will not receive data (one-way traffic).
So your laptop/system cannot use that port for normal work.
To noci: The Copy/Mirror feature you describe is available on our switch, as I explained in the original question, and was enabled. My laptop (with Wireshark installed on it) is plugged into port 11 of that switch. The VOIP device is plugged in to port 13 of that same switch. This setup is now capturing data from the VOIP device.

To Jorge: Your responses were correct for all my questions. I also set the file size at 9 megabytes to allow these files to be emailed to my vendor's tech support team. Each 9 MB file carries a time stamp; so, when the VOIP system goes down, I'll be able to send the correct 9 MB file to them based on the time stamp of the file and the time that the system goes down.
Thanks to both you guys.  Because Jorge provided me all the info required, I'm listing him as the expert who helped me most.
Be sure to limit the files to 7 MB; the encoding causes the files to grow by 30% (base64 encoding is exactly 4/3 * the original size).
You will then end up with an attachment of 9.3 MB, which still allows enough space for headers etc.

(I wasn't aware that "monitoring" is equivalent to copy/mirror.)
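The parts of this thread that turn into commands (Jorge's unattended rotating capture, the asker's plan to pick the capture file by its timestamp, and noci's 7 MB base64 margin), collected as an added example that is not from the original thread and not from Wireshark's own documentation. It drives dumpcap, the command-line capture engine that ships with Wireshark and that the GUI runs underneath; the GUI equivalent is Capture > Options > Output ("Create a new file automatically after..." and "Use a ring buffer with N files"). The interface name eth0, the output prefix /captures/voip, the file sizes and the 10 MiB mail limit are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Helpers for an unattended
# capture of a switch mirror port with dumpcap (the capture engine that ships
# with Wireshark), plus two checks the thread raises: does a capture file
# still fit an email attachment limit once base64-encoded, and which
# ring-buffer file covers a reported outage time.
# Assumed names (not in the thread): interface eth0, prefix /captures/voip.

# Build the dumpcap command line for a ring buffer of NFILES files of KB kB
# each, written under PREFIX. dumpcap names each file
# PREFIX_NNNNN_YYYYmmddHHMMSS.pcapng, so the start time is in the filename.
# Deliberately no -p: the mirror port delivers frames addressed to other
# MACs, so promiscuous mode (dumpcap's default) must stay on.
build_dumpcap_cmd() {
    iface=$1; prefix=$2; kb=$3; nfiles=$4
    printf 'dumpcap -i %s -w %s.pcapng -b filesize:%s -b files:%s' \
        "$iface" "$prefix" "$kb" "$nfiles"
}

# Size in bytes of N raw bytes after MIME base64 encoding: 4 output chars
# per 3 input bytes (rounded up to a full group), plus CRLF after every
# 76 output chars, which is why the growth is a little more than 4/3.
base64_size() {
    n=$1
    groups=$(( (n + 2) / 3 ))
    body=$(( groups * 4 ))
    lines=$(( (body + 75) / 76 ))
    printf '%s\n' $(( body + lines * 2 ))
}

# Exit 0 if a RAW-byte capture file still fits a LIMIT-byte attachment cap
# once encoded, 1 otherwise.
attachment_fits() {
    [ "$(base64_size "$1")" -le "$2" ]
}

# Print the ring-buffer file in DIR whose start timestamp (YYYYmmddHHMMSS)
# is the latest one at or before OUTAGE; exit 1 if no file started before it.
pick_capture_for_time() {
    dir=$1; outage=$2; best=""; best_ts=0
    for f in "$dir"/*_[0-9][0-9][0-9][0-9][0-9]_[0-9]*.pcapng; do
        [ -e "$f" ] || continue          # no match: the glob stays literal
        stamp=${f##*_}                   # keep text after the last '_'
        stamp=${stamp%.pcapng}           # drop the extension
        if [ "$stamp" -le "$outage" ] && [ "$stamp" -gt "$best_ts" ]; then
            best=$f; best_ts=$stamp
        fi
    done
    if [ -n "$best" ]; then printf '%s\n' "$best"; return 0; fi
    return 1
}

# Stand-alone demo (run with the argument "demo"): print the capture
# command, show the 7 MB vs 9 MB point against a 10 MiB mail limit, then
# pick a file from a constructed set of ring-buffer filenames.
if [ "${1:-}" = "demo" ]; then
    build_dumpcap_cmd eth0 /captures/voip 7000 500; echo
    for raw in 7000000 9000000; do
        if attachment_fits "$raw" 10485760; then verdict=fits; else verdict="too big"; fi
        echo "$raw raw bytes -> $(base64_size "$raw") base64 bytes: $verdict"
    done
    tmp=$(mktemp -d)
    : > "$tmp/voip_00001_20240315100000.pcapng"   # constructed filenames
    : > "$tmp/voip_00002_20240315113000.pcapng"
    : > "$tmp/voip_00003_20240315130000.pcapng"
    echo "outage at 12:05 is in: $(pick_capture_for_time "$tmp" 20240315120500)"
    rm -r "$tmp"
fi
```

With `filesize:7000` (dumpcap takes the size in kB) the raw files stay around 7 MB, which encodes to roughly 9.6 MB once MIME line breaks are counted, so noci's 7 MB figure fits a 10 MiB attachment limit while 9 MB raw files do not. Because an outage reported at a given minute may sit right at a file boundary, send the file the picker returns together with the one that follows it. Jorge's continuous ping should run in parallel with its own timestamps so the moment the VOIP switch stopped answering can be lined up against the capture file's start time.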