Port mirror contains non-mirrored traffic

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Port mirror contains non-mirrored traffic

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Port mirror contains non-mirrored traffic
Port mirror contains non-mirrored traffic
2017-06-13 15:39:09
Model :

Hardware Version :

Firmware Version :

ISP :

Using a SG105E switch in mirror mode. If the mirroring port is disabled via 'Port Settings' then it does not pass any mirror traffic even if selected as the mirror port in the 'Port Mirror' page. But if enabled in 'Port Settings' it will still send/receive normal traffic (broadcasts etc) in addition to the selected mirror traffic.

It would be more useful to have the mirror port a 'pure mirror' rather than have to try to separate mirrored from normal port traffic. Is this possible?
  0      
  0      
#1
Options
2 Reply
Re:Port mirror contains non-mirrored traffic
2017-08-31 10:15:58
You can suggest it to the Support Team of TP-Link. But as I know, even the Managed Switch cannot do what you said, a pure mirror.
  0  
  0  
#2
Options
Re:Port mirror contains non-mirrored traffic
2018-10-01 02:44:29

We also want to use a TP-SG105E as a pure mirror port. Ideally, by connecting a laptop running Windows 7 & Wireshark with PCAP in promiscuous mode to the mirroring port and capturing all ingress & egress packets to/from the configured mirrored ports.

 

For this to work as desired, we don't want the packet sniffing laptop to pull an IP address or send any traffic of its own to the mirroring port. It should be in receive only mode, and simply receive all of the packets that the switch sends to the mirroring port.

 

Since the mirroring port connection is at 1GB speed, receive only cannot be implemented by cutting any of the ethernet cable wiring pairs. (I don't think)

 

Not knowing precisely how the laptop NIC running under PCAP in promiscous mode communicates with the TP-Link mirroring port (media access), I am not sure how to passively receive packets without actually pulling an IP address on the same LAN subnet as the mirrored ports. (And, of course, once the laptop pulls an IP address, then it will send/receive its own packet traffic which will end up in the packet capture log comingled with the mirrored port traffic. Plus the laptop would be plainly visible to any malware on any PC in the LAN subnet and, therefore, subject to attack. Whereas in receive only mode with no IP address, the sniffer laptop would be fully stealthed.)

 

Has anyone figured out how to configure the TP-SG105E as a pure mirror capture device when paired with a Windows laptop?

  0  
  0  
#3
Options