TOPIC: Using a 2nd network card for monitoring traffic

Using a 2nd network card for monitoring traffic 7 years 8 months ago #28962

  • skepticals
I want to configure my Cisco switch with port mirroring and send that data to be analyzed by a PC running Wireshark.

Is there a way for me to use a 2nd NIC in the computer on the same subnet to accept the mirrored traffic or would this be a waste? I would like to be able to still surf the Internet/access the network, while I am monitoring traffic on the 2nd NIC.

Let me know what you think. Thanks!

Re: Using a 2nd network card for monitoring traffic 7 years 8 months ago #28963

  • Smurf
Cannot see why not, you don't actually need a valid IP address in order to run Wireshark as it runs in promiscuous mode anyway.
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.

Re: Using a 2nd network card for monitoring traffic 7 years 8 months ago #28967

  • RA1313IT
Smurf is right, you actually don't need an IP address on your second NIC. When Wireshark is installed, the WinPcap application installs its own TCP/IP stack which runs in promiscuous mode. You can then run Wireshark on your second interface with TCP/IP disabled or unchecked in your network properties. I actually just uncheck everything. This is also nice because it would prevent any traffic originating from your second NIC from showing up in your packet captures (DHCP, ARP, NetBIOS, and other chatty protocols).
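One way to check the point in the post above, that a capture NIC with every protocol unbound adds no frames of its own to the capture: count the frames in a saved capture whose source MAC is the monitoring NIC. This is an added example, not code from the thread; the MAC addresses and the sample capture are constructed, and it assumes a classic little-endian `.pcap` file (not pcapng).

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4  # classic pcap, little-endian, microsecond timestamps
def frames(pcap: bytes):
    """Yield raw Ethernet frames from a classic (non-pcapng) capture."""
    magic, *_, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != PCAP_MAGIC_LE or linktype != 1:  # 1 = LINKTYPE_ETHERNET
        raise ValueError("expected a little-endian Ethernet pcap")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]  # captured length
        yield pcap[off + 16 : off + 16 + incl_len]
        off += 16 + incl_len

def classify(frame: bytes) -> str:
    """Label the chatty protocols named in the post; everything else is 'other'."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == 0x0806:
        return "ARP"
    if ethertype == 0x0800 and len(frame) >= 34 and frame[23] == 17:  # IPv4 + UDP
        udp = 14 + (frame[14] & 0x0F) * 4  # honour the IP header length field
        if len(frame) >= udp + 4:
            ports = set(struct.unpack_from("!HH", frame, udp))
            if ports & {67, 68}:
                return "DHCP"
            if ports & {137, 138}:
                return "NetBIOS"
    return "other"

def self_originated(pcap: bytes, nic_mac: str) -> dict:
    """Count frames whose source MAC is the capture NIC itself, per protocol."""
    mac = bytes.fromhex(nic_mac.replace(":", "").replace("-", ""))
    counts = {}
    for f in frames(pcap):
        if len(f) >= 14 and f[6:12] == mac:
            kind = classify(f)
            counts[kind] = counts.get(kind, 0) + 1
    return counts

# --- constructed sample capture (not real traffic) ---
def _udp(src: bytes, sport: int, dport: int) -> bytes:
    ip = b"\x45\x00" + struct.pack("!H", 28) + bytes(5) + b"\x11" + bytes(10)
    return b"\xff" * 6 + src + b"\x08\x00" + ip + struct.pack("!HHHH", sport, dport, 8, 0)
def _pcap(*frs: bytes) -> bytes:
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frs)
NIC = "00:11:22:33:44:55"  # constructed MAC standing in for the monitoring NIC
_nic, _other = bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff")
_arp = b"\xff" * 6 + _nic + b"\x08\x06" + bytes(28)
SAMPLE = _pcap(_udp(_nic, 68, 67), _arp, _udp(_other, 137, 137), _udp(_nic, 137, 137))
```

An empty dictionary for a real capture means the monitoring NIC sent nothing; any non-empty result names the protocol that is still bound to it.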

Re: Using a 2nd network card for monitoring traffic 7 years 8 months ago #28970

  • TheBishop
I do this on a 2003 server with 2 cards. One is the 'domain' card and has the full IP setup on it with DNS entries and a default gateway. The second just sits there as a card, connects to my port mirror destination port on the switch stack and is only for monitoring.

Re: Using a 2nd network card for monitoring traffic 7 years 8 months ago #28991

  • skepticals
I added the second card with no IP address and unchecked any protocols.

Interesting that Windows shows that the network cable is unplugged; however, I am still receiving frames.

What causes the link detection to show no cable?

Re: Using a 2nd network card for monitoring traffic 7 years 7 months ago #29047

  • RA1313IT
That's a good question, I never did research why that is. I see the same thing, but never really looked into it.