Port Mirror not showing packets
Hey guys, so I set up a port mirror: port 1 is mirrored to port 6, and port 6 goes to my server (Proxmox), where I have a Linux bridge for it, and I have it in Kali Linux to see the traffic going in/out of port 1. But Wireshark doesn't show anything useful from that interface: no pings, no DNS from IPs. All I see is random stuff like the Realtek protocol and ARP, but nothing that I want.
As you can see in the image, the ping doesn't show.
Hi @DaYroXy
Thanks for posting in our business forum.
You should use filter icmp to find out if there is any ping.
You ping 4 times and the Wireshark results are real-time if you do not stop capturing. The ping may be pushed up.
And, your way of asking this is weird. You are using Windows and you ping 10.0.0.1, and showed me a picture of the Kali. I don't understand it.
Do you misunderstand the mirroring and mirrored ports?
@Clive_A Hey, thanks for replying. Of course I know that Wireshark is real-time. It doesn't matter if I use filters or not: there is no traffic that is mirrored, most of the traffic is just ARP.
And my setup is like this: I have my router connected to the switch on switch port 1, switch port 4 connected to Windows, switch port 3 connected to the server, and port 6 is the mirrored traffic, also plugged into the server, so all traffic from port 1 should be on port 6. I have both port 6 and port 1 connected to Kali, and when I capture on the interface that is using port 6 I don't get the data that I really want, like ICMP or nmap, for example. I want to set up an IDS on the mirrored data. So when pinging from Windows to the gateway, or anything that has to pass through the router first, it just doesn't get captured.
Hi @DaYroXy
Thanks for posting in our business forum.
DaYroXy wrote:
@Clive_A Hey, thanks for replying. Of course I know that Wireshark is real-time. It doesn't matter if I use filters or not: there is no traffic that is mirrored, most of the traffic is just ARP.
And my setup is like this: I have my router connected to the switch on switch port 1, switch port 4 connected to Windows, switch port 3 connected to the server, and port 6 is the mirrored traffic, also plugged into the server, so all traffic from port 1 should be on port 6. I have both port 6 and port 1 connected to Kali, and when I capture on the interface that is using port 6 I don't get the data that I really want, like ICMP or nmap, for example. I want to set up an IDS on the mirrored data. So when pinging from Windows to the gateway, or anything that has to pass through the router first, it just doesn't get captured.
I would assume that this is a problem with your NIC or Wireshark.
As you have multiple NICs and VM, you should be careful with your setup. You are only getting the ARP and broadcast packets which is not normal. You may not select the correct card.
I have a 105E and I don't think I am seeing the same thing. If you still cannot figure this out, I recommend you do a test with the regular PC and make sure you've selected the right card.
Hello! First of all, thank you for your response, and I'm sorry for the late reply. I think you may be correct: I plugged it into my own PC and tried to do stuff on the server, and in fact the traffic is mirrored. I'm not sure if the issue is from Proxmox or the NIC. These are the ones I have on the server: 4x Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 15). When I tried on my PC, with an Intel Ethernet Connection I219-V, I got the traffic that I'm looking for. Kind of not sure where the problem could be, the NIC or Proxmox.
*EDIT* Turns out the Proxmox Linux bridge was causing issues. I passed it through as PCI to the VM and now I can capture all traffic, thank you so much :))
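A quick way to confirm the symptom discussed in this thread before pointing an IDS at a mirror port, as an added example that is not code from any of the posters: classify the destination MAC of every frame in a capture and check whether any unicast traffic between other hosts arrived. The MAC addresses and both sample captures are constructed for illustration; 0x8899 is the Realtek ethertype that Wireshark labels as a Realtek protocol.

```python
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4  # classic pcap, little-endian, microsecond timestamps

def make_pcap(frames):
    # Global header: magic, version 2.4, tz, sigfigs, snaplen, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def classify_dst(dst, local_mac):
    if dst == b"\xff" * 6:
        return "broadcast"
    if dst[0] & 1:  # I/G bit set: group (multicast) address
        return "multicast"
    return "unicast_to_me" if dst == local_mac else "unicast_foreign"

def summarize(pcap, local_mac):
    (magic,) = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian classic pcap")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16 : off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) >= 14:  # need a full Ethernet header
            counts[classify_dst(frame[:6], local_mac)] += 1
    return counts

def mirror_delivered(counts):
    # A working mirror destination sees unicast frames between *other* hosts.
    return counts["unicast_foreign"] > 0

def eth(dst, src, ethertype, payload=b"\x00" * 46):
    return dst + src + struct.pack("!H", ethertype) + payload

# Constructed sample data (locally administered MACs, not from the thread)
ROUTER, WINDOWS, SNIFFER = (bytes.fromhex(m) for m in
                            ("020000000001", "020000000004", "020000000006"))
BCAST = b"\xff" * 6
BROKEN = make_pcap([eth(BCAST, WINDOWS, 0x0806), eth(BCAST, ROUTER, 0x0806),
                    eth(BCAST, ROUTER, 0x8899)])   # ARP + Realtek only
WORKING = make_pcap([eth(BCAST, WINDOWS, 0x0806), eth(ROUTER, WINDOWS, 0x0800),
                     eth(WINDOWS, ROUTER, 0x0800)])  # ARP + IPv4 both directions

if __name__ == "__main__":
    for name, cap in (("broken", BROKEN), ("working", WORKING)):
        c = summarize(cap, SNIFFER)
        print(name, dict(c), "mirror delivered:", mirror_delivered(c))
```

If a real capture from the sensor interface yields only broadcast and multicast counts, the sensor is not receiving the mirrored copy: either the wrong interface is selected or something between the switch port and the capture point is not passing it on.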