Thursday, September 27, 2018

Wired packet capture hardware / best practices?

tl;dr: what laptop hardware/software config do you recommend for performing raw, wired packet captures?

I wanted to inspect traffic traversing a trunk, so I SPANned the port like so:

monitor session 1 source interface g1/4 both
monitor session 1 destination interface g0/45 encapsulation replicate

...where g1/4 is the trunk in question, and g0/45 connects to my laptop.

Starting Wireshark on that interface shows a ton more traffic, compared to when I turn off the monitor session. But it looks like I'm not getting all traffic passing the trunk, and Wireshark doesn't report any 802.1Q tags. Mostly bcast/mcast traffic, and I guess some ucast traffic not destined for my IP, but... definitely not all raw traffic.

What I tried

  1. Ensured Wireshark is set to capture in promiscuous mode (it is on by default)
  2. Found no "promiscuous mode" options in my wired NIC's driver options in Windows
  3. Found an Intel article describing a registry hack to enable monitor mode, but multiple reboots/permutations gave same results

Best I can tell, my Latitude's built-in NIC (Intel I219-LM) doesn't support full promiscuous mode, at least in Win10, but I couldn't confirm one way or the other.

Edit: stupid new Reddit formatting
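The frames the monitor session copies to g0/45 either reach the capture library with their 802.1Q tags intact or lose them in the NIC or driver before Wireshark ever sees them. As an added illustration that is not part of the original post, the Python below builds tagged, double-tagged and untagged frames (with made-up MAC addresses and VLAN IDs), parses them the way a capture tool does, and shows what the same traffic looks like once a driver strips the tags. `strip_tags` is a model of that stripping behaviour for the example, not code from any real driver.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETH_P_8021Q = 0x8100   # 802.1Q C-tag TPID
ETH_P_8021AD = 0x88A8  # 802.1ad S-tag TPID (QinQ outer tag)


@dataclass
class Frame:
    dst: str
    src: str
    vlans: List[int]   # VLAN IDs, outermost first; empty when the frame carries no tag
    ethertype: int     # EtherType of the payload after any tags
    payload: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_ethernet(raw: bytes) -> Frame:
    """Parse dst/src, peel every 802.1Q/802.1ad tag, and return the inner EtherType."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = _mac(raw[0:6]), _mac(raw[6:12])
    off = 12
    (ethertype,) = struct.unpack("!H", raw[off:off + 2])
    off += 2
    vlans: List[int] = []
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(raw) < off + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", raw[off:off + 4])
        vlans.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VLAN ID
        off += 4
    return Frame(dst, src, vlans, ethertype, raw[off:])


def build_frame(dst: str, src: str, ethertype: int, payload: bytes, vlans=()) -> bytes:
    """Build a frame as the trunk carries it: dst, src, [TPID TCI]*, EtherType, payload."""
    parts = [bytes.fromhex(dst.replace(":", "")), bytes.fromhex(src.replace(":", ""))]
    for i, vid in enumerate(vlans):
        # Outer tag of a double-tagged frame uses the 802.1ad TPID, inner/single tags use 802.1Q
        tpid = ETH_P_8021AD if (len(vlans) > 1 and i == 0) else ETH_P_8021Q
        parts.append(struct.pack("!HH", tpid, vid & 0x0FFF))
    parts.append(struct.pack("!H", ethertype))
    parts.append(payload)
    return b"".join(parts)


def strip_tags(raw: bytes) -> bytes:
    """Model (for this example only) of a NIC/driver that drops VLAN tags before capture."""
    f = parse_ethernet(raw)
    return build_frame(f.dst, f.src, f.ethertype, f.payload)


def vlan_summary(frames: List[bytes]) -> Dict[Optional[int], int]:
    """Count frames per outermost VLAN ID; key None collects untagged frames."""
    counts: Dict[Optional[int], int] = {}
    for raw in frames:
        f = parse_ethernet(raw)
        key = f.vlans[0] if f.vlans else None
        counts[key] = counts.get(key, 0) + 1
    return counts


def tags_visible(frames: List[bytes]) -> bool:
    """True if at least one captured frame still carries a VLAN tag."""
    return any(parse_ethernet(raw).vlans for raw in frames)


# Constructed sample trunk traffic: MACs, VLAN IDs and payloads are invented for the example
_IP_STUB = b"\x45" + b"\x00" * 19
SAMPLE_TRUNK = [
    build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:01", 0x0806, b"\x00" * 28, vlans=(10,)),   # ARP, VLAN 10
    build_frame("00:11:22:33:44:02", "00:11:22:33:44:03", 0x0800, _IP_STUB, vlans=(20,)),       # IPv4, VLAN 20
    build_frame("01:00:5e:00:00:fb", "00:11:22:33:44:04", 0x0800, _IP_STUB),                    # native VLAN, untagged
    build_frame("00:11:22:33:44:05", "00:11:22:33:44:06", 0x0800, _IP_STUB, vlans=(100, 20)),   # QinQ, S-tag 100 / C-tag 20
]

if __name__ == "__main__":
    print("as carried on the trunk:", vlan_summary(SAMPLE_TRUNK), "tags visible:", tags_visible(SAMPLE_TRUNK))
    stripped = [strip_tags(f) for f in SAMPLE_TRUNK]
    print("after driver stripping: ", vlan_summary(stripped), "tags visible:", tags_visible(stripped))
```

Run against a real capture, the equivalent check in Wireshark is the display filter `vlan`, which matches only frames whose 802.1Q header survived to the capture library. No matches against an `encapsulation replicate` session is consistent with the NIC or driver removing the tags on the capture host rather than with the switch not sending them.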
