TOPIC: Using a 2nd network card for monitoring traffic

I want to configure my Cisco switch with port mirroring and sent that data to be analyzed by a PC running Wireshark.

Is there a way for me to use a 2nd NIC in the computer on the same subnet to accept the mirrored traffic or would this be a waste? I would like to be able to still surf the Internet/access the network, while I am monitoring traffic on the 2nd NIC.

Let me know what you think. Thanks!

Cannot see why not, you dont actually need a valid IP Address in order to run Wireshark as it runs in permiscious mode anyway

Smurf is right, you actually don't need an IP address on your second NIC. When Wireshark is installed, the WinPcap application installs it's own TCP/IP stack which runs in promiscuous mode. You can then run Wireshark on your second interface with TCP/IP disabled or unchecked in your network properties. I actually just uncheck everything. This is also nice because it would prevent any traffic originating from your second NIC from showing up in your packet captures (DHCP, ARP, NetBIOS, and other chatty protocols).

I do this on a 2003 server with 2 cards. One is the 'domain' card and has the full IP setup on it with DNS entries and a default gateway. The second just sits there as a card, connects to my port mirror destination port on the switch stack and is only for monitoring

I added the second card with no IP address and unchecked any protocols.

Interesting that Windows shows that the network cable is unplugged however I am still receiving frames.

What causes the link detection to show no cable?

That's a good question, I never did research why that is. I see the same thing, but never really looked into it.