tl;dr: what laptop hardware/software config do you recommend for performing raw, wired packet captures?
I wanted to inspect traffic traversing a trunk, so I SPAN'ned the port like so:
monitor session 1 source interface g1/4 both monitor session 1 destination interface g0/45 encapsulation replicate
...where g1/4 is the trunk in question, and g0/45 connects to my laptop.
Starting wireshark on that interface shows a ton more traffic, compared to when I turn off the monitor session. But it looks like I'm not getting all traffic passing the trunk, and Wireshark doesn't report any 802.1q tags. Mostly bcast/mcast traffic, and I guess some ucast traffic not destined for my IP, but...definitely not all raw traffic.
What I tried
- Ensured Wireshark is set to capture in promiscuous mode (it is on by default)
- Found no "promiscuous mode" options in my wired NIC's driver options in Windows
- Found an Intel article describing a registry hack to enable monitor mode, but multiple reboots/permutations gave same results
Best I can tell, my Latitude's built-in NIC (Intel I219-LM) doesn't support full promiscuous mode, at least in Win10, but I couldn't confirm one way or the other.
Edit: stupid new reddit formatting
No comments:
Post a Comment