How to Use Port Mirroring to Capture Packets in the Controller

Released on: 2023-08-29 08:12:22. Last update time: Thursday

Port mirroring duplicates the Ethernet frames of a selected source port to a designated destination port without disrupting other traffic on the network, so the traffic can be captured on the destination port for troubleshooting.

In practice, when a specific port cannot be observed directly, port mirroring is combined with a packet capture on the monitoring PC to analyze the issue. Using the following topology as an example, this article shows how to configure port mirroring on Omada routers and switches managed in controller mode.

 

This article uses Wireshark as the packet analyzer. Wireshark is a free, open-source packet analyzer commonly used for network troubleshooting, analysis, and protocol development. You can download Wireshark from its official website.

 

1. Port Mirror: Router

Applicable models: ER605 v2, ER7206 (requires router gateway firmware released after Controller 5.6)

Mike set up a client-to-site L2TP VPN on the controller, but after completing the configuration he found that the VPN connection did not work. To troubleshoot, we need to identify the step in the L2TP negotiation at which the failure occurs, which requires capturing the router's ingress and egress traffic through port mirroring.

 

 

1) Go to Devices, click the row of the router to open its Properties window, then click Ports.

2) Select LAN1 (port 4), the port to which the PC running the controller is connected, then click Edit.

 

 

 

3) Configure the basic parameters for port mirroring.

  • Enable Mirroring.
  • Specify the selected (mirrored) port as Port 1 (the WAN port).
  • Specify the Mirror Mode as Ingress and Egress.
  • Click Apply.

 

 

 

 

4) After port mirroring has been applied, a small eye-shaped icon appears next to LAN1.

 

 

 

Verification:

Typically, a PC connected behind the LAN cannot capture packets whose source or destination address is the IP address of the WAN port. If packets carrying the WAN port's IP address do appear in the capture, port mirroring is configured correctly.

Mike used port mirroring to capture the packets shown below. In the capture, the IP address 192.168.1.104 belongs to the L2TP client. Analyzing the packets reveals an issue during the initial phase of the ISAKMP negotiation. (The Wireshark display filter 'ip.addr == xx' is commonly used to show only the packets to or from a specific IP address.)

 

 

After investigation, Mike found that an incorrect password had been entered on the L2TP client. Once it was corrected, the negotiation completed successfully, as shown in the figure below.

 

 

 

 

2. Port Mirror: Switch

Applicable models: Smart and Managed switches (both the TL-SG-2 series and the TL-SG-3 series support it)

Jack's phone can connect to the EAP's wireless network but cannot obtain an IP address from the router. Investigation showed that the EAP itself cannot obtain an IP address. Because the EAP sends its DHCP packets directly to the router, the monitoring PC cannot capture them by default, so we need to mirror the ingress and egress traffic of Port 1 to the PC.

 

 

1) Go to Devices, click the desired switch to open its Properties window, then click Ports.

2) Select the switch port to which the PC is connected, then click Edit.

 

 

3) Configure the basic parameters for port mirroring.

  • Enable Profile Overrides.
  • Specify the Operation as Mirroring.
  • Specify the selected (mirrored) port as Port 1, which is connected to the router (the DHCP server).
  • Click Apply.

 

 

 

 

4) After port mirroring has been applied, a small eye-shaped icon appears at Port 4.

 

 

 

Verification:

Normally, a PC can only capture the ingress and egress traffic of its own switch port. If the capture also contains traffic passing through other ports, such as traffic from a wireless client to the external network or the gateway, the switch's port mirroring has been configured successfully.

Jack captured the following packets with the switch port mirroring setup described above. The EAP only sends DHCP Discover packets and never receives a reply such as a DHCP Offer, which indicates that the router is not assigning an IP address to the EAP. (The Wireshark display filter 'dhcp', entered in the filter bar at the top, shows only Dynamic Host Configuration Protocol packets.)
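Reading the capture by eye works for one client, but the same check, a DHCP Discover with no matching Offer, is easy to automate over a saved capture. The Python script below is an added example, not part of the original article or of TP-Link's tooling: it reads a classic libpcap file (the format Wireshark saves), extracts the transaction id and message type from every DHCP packet on UDP ports 67/68, and reports the client MAC addresses whose Discover never received an Offer. The sample capture is constructed inside the script (the MAC addresses, transaction ids and pcap bytes are made up for the demo, with checksums left at zero); pcapng files are not handled.

```python
import struct
from collections import defaultdict

# DHCP message types carried in option 53 (RFC 2132)
DHCP_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "Ack", 6: "Nak"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_dhcp(payload: bytes):
    """Return (xid, client_mac, message_type) from a BOOTP/DHCP UDP payload, or None."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    xid = struct.unpack("!I", payload[4:8])[0]
    client_mac = payload[28:34].hex(":")  # first 6 bytes of chaddr
    msg_type, i = None, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # end option
            break
        if code == 0:              # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):  # truncated option list
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            msg_type = DHCP_TYPES.get(value[0], "type%d" % value[0])
        i += 2 + length
    return xid, client_mac, msg_type


def read_pcap(data: bytes):
    """Yield raw link-layer frames from a classic libpcap file (as saved by Wireshark)."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off = 24  # skip the global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def dhcp_records(frames):
    """Yield (xid, mac, type) for DHCP packets in Ethernet/IPv4/UDP frames on ports 67/68."""
    for frame in frames:
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # not IPv4 over Ethernet, or not UDP
        ihl = (frame[14] & 0x0F) * 4
        udp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", udp[:4])
        if not {sport, dport} & {67, 68}:
            continue
        rec = parse_dhcp(udp[8:])
        if rec:
            yield rec


def unanswered_discovers(records):
    """Map client MAC -> list of xids whose Discover never saw an Offer."""
    types_by_xid, mac_by_xid = defaultdict(set), {}
    for xid, mac, mtype in records:
        types_by_xid[xid].add(mtype)
        if mtype == "Discover":
            mac_by_xid[xid] = mac
    result = defaultdict(list)
    for xid, types in types_by_xid.items():
        if "Discover" in types and "Offer" not in types:
            result[mac_by_xid[xid]].append(xid)
    return dict(result)


def analyze_pcap(data: bytes):
    return unanswered_discovers(dhcp_records(read_pcap(data)))


# --- constructed sample capture for the demo (not a real trace; checksums left at zero) ---
def build_dhcp_frame(client_mac: bytes, xid: int, mtype: int, from_server: bool = False) -> bytes:
    op = 2 if from_server else 1
    bootp = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0) + b"\0" * 16  # flags, ciaddr..giaddr
    bootp += client_mac + b"\0" * 10 + b"\0" * 192                        # chaddr, sname, file
    bootp += MAGIC_COOKIE + bytes([53, 1, mtype, 255])
    sport, dport = (67, 68) if from_server else (68, 67)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0" * 4, b"\xff" * 4)
    src_mac = b"\x00\x11\x22\x33\x44\x55" if from_server else client_mac
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip + udp


def build_pcap(frames) -> bytes:
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


EAP_MAC, PHONE_MAC = b"\xaa\xbb\xcc\xdd\xee\x01", b"\xaa\xbb\xcc\xdd\xee\x02"  # made-up MACs
SAMPLE_PCAP = build_pcap([
    build_dhcp_frame(EAP_MAC, 0x1111, 1),                      # EAP: Discover
    build_dhcp_frame(EAP_MAC, 0x1111, 1),                      # EAP: Discover retry, still no Offer
    build_dhcp_frame(PHONE_MAC, 0x2222, 1),                    # phone: Discover
    build_dhcp_frame(PHONE_MAC, 0x2222, 2, from_server=True),  # router: Offer to the phone
])

if __name__ == "__main__":
    for mac, xids in analyze_pcap(SAMPLE_PCAP).items():
        print("%s: Discover without Offer, xid(s) %s" % (mac, ", ".join(hex(x) for x in xids)))
```

To run it against a real capture, save the mirrored traffic from Wireshark in pcap format and pass the file's bytes to analyze_pcap; a client that shows up in the result is one the DHCP server never answered, which is exactly the symptom seen with the EAP above.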

 

 

Jack took a thorough look and discovered that he had mistakenly disabled the DHCP service for the EAP. Once he corrected the configuration, the DHCP exchange completed and the device was assigned an IP address.

 

 
