Capturing packets in a switched environment
Capturing traffic towards and from Wireshark PC is simple enough; however, for network troubleshooting you require to capture various kinds of network traffic, such as what originates from any of the systems in the network, the entire network traffic from your network towards the Internet, etc.
Capturing traffic in a switched environment is not easy. And here’s why. Let me start with the difference between an Ethernet hub and an Ethernet switch. The hub sends all packets received on a particular port to all the other ports. The switch forwards traffic only to the designated port. To achieve this, the switch maintains a table of MAC addresses (Layer 2 address corresponding to the port binding), and forwards the packet to the interface to which the device with the destination MAC address is connected. If the destination MAC is not known, it broadcasts to all ports (except the sender port), asking for the port that has the device with the destination MAC. Once a confirmatory reply is received, the actual packet is forwarded to the corresponding port only.
From a security perspective, an Ethernet switch is definitely better (than the hub). However, the feature ensuring security poses a challenge while capturing network traffic. In a switched network, the default capture will contain packets to and from the Wireshark machine and broadcast traffic only. There are several ways to overcome this: Hubbing out: Replace the switch with a hub and capture traffic by connecting the Wireshark system to the hub. Using Wiretap: A‘tap’ is used to capture communication between two end points. The primary concern while inserting Wiretap is that it should not disturb any traffic between two hosts. Wiretap achieves this by sitting between two end points (the switch and device) and providing two Ethernet outputs. These are connected to the Wireshark computer system with dual Ethernet. This system captures all traffic between two nodes without disturbing existing traffic. If this tap is inserted between the firewall and the switch, it will capture all Internet traffic. Typically, this box can be constructed by wiring four information outlets. See the wiring diagram for more details (Figure 2).
1.
2.