asked on

Preventing Loops when Creating a Sniffer

After reading several articles, I have not found a simple answer to a simple question. I want to setup a sniffer. I what to use one server with two NICs, one NIC will be receiving mirrored traffic and the other NIC will allow me to remote into the server and view the Wireshark captures. My fear is that I will create a loop. I have read several articles. One the sticks out is not giving a gateway address to the receiving NIC. How would I properly setup my NICs to prevent creating a loop?

ASKER CERTIFIED SOLUTION

David Favor

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

tmaususer

ASKER

I was thinking of a network loop causing a broadcast storm. I just want to create a sniffer using SPAN mirroring.

David Favor

You'll have to refer to your device docs to see if this is possible.

Most... recent devices allow both Port Mirroring (of some other port) along with any other traffic.

Some devices block all other traffic.

So the question is if your device support this or not.

I still can't see where you'd end up with any problems.

And... the easy way to know for sure, is to setup + test your device config.

Then just fix any oddities. Likely you can figure this out, or open a support ticket with your device manufacturer.

David Favor

https://networkhop.wordpress.com/2016/04/27/port-mirroring-with-iptables/ provides a good overview of how to accomplish this using an Ubuntu iptables setup.

tmaususer

ASKER

My device is Cisco and SPAN by default eliminates viewing on the same port as receiving. This is a production environment so I want to avoid to much playing. I should have to contact Cisco to setup a simple sniffer. I think I don't know how to express what I am talking about.

tmaususer

ASKER

I forgot to mention this is a 2016 Microsoft server.

tmaususer

ASKER

Thank you for the informaton.

David Favor

You're welcome!

Good luck!