Introduction
Anyone who’s worked in network administration or information security for any length of time is familiar with the need to analyze network traffic. Protocol analyzers like Wireshark make this easy, but what do you do when you need to analyze traffic on a device that doesn’t have Wireshark installed?
Fortunately, there is a simple solution: you can use Wireshark to view network traffic on any device, even if it doesn’t have Wireshark installed. All you need is a Windows or Linux machine with an Ethernet port and a copy of Wireshark.
Here’s how it works:
First, connect your computer to the device whose traffic you want to capture using an Ethernet cable. Then, open up Wireshark and begin a capture. Next, on the device that you’re capturing traffic from, enable port mirroring (also called port spanning) and configure it to mirror traffic to the port that your computer is connected to. Finally, sit back and watch the traffic flow in to Wireshark. When you’re done, stop the capture and save the results for analysis.
It’s really that simple! In this article, I’ll show you how to set up port mirroring on some common networking devices and then how to use Wireshark to view the mirrored traffic. Let’s get started!
Enabling Port Mirroring on Network Devices
In order for this technique to work, you must first enable port mirroring (also called port spanning) on the device whose traffic you want to capture. This feature is available on most managed switches and routers; however, the steps for enabling it vary from one manufacturer to another. I’ll show you how to enable port mirroring on some common networking devices from Cisco, Juniper, and MikroTik. If your device isn’t listed here, consult its documentation for instructions on how to enable port mirroring.
Cisco Switches
Port mirroring on Cisco switches is accomplished using the monitor session command. This command has many options; however, for our purposes we only need to concern ourselves with three of them:
The type of session we want to create (either ınternal or ınterface)
The source interface from which we want to mirror traffic
The destination interface where we want the mirrored traffic sent
