|How to monitor remote traffic|
|Written by Mike James|
|Monday, 12 April 2010|
Page 2 of 2
To use a network monitor to view other traffic we have to do more than just enable p-mode. We have to do some network engineering. The simplest solution is to place the monitoring machine logically next to the router and connect the pair of them via a hub. This works and it's a useful technique but it can be difficult to find a hub if you don't have one sitting around.
A more modern approach is to use a managed switch that supports port mirroring. In this case you can use the switch's management software to mirror all of the traffic on the port you want to monitor onto the port that your monitoring machine is connected to. Notice that you have to connect the machine directly to the port as placing a switch between the two would produce the same problem. The switch would once again only pass packets to the monitoring machine that were addressed to it. You can use multiple managed switches to set up a chain of mirrored ports but this is in most cases excessively complicated - simply dedicate one port on a managed switch as the monitor port.
Mirror = send the traffic of one port to another
Assuming you have a managed switch that the router (port x) and the monitoring machine (port y) are directly connected to then to monitor the traffic going to the router you simply set port x to mirror to port y. Then on the monitoring machine you select p-mode and start collecting data.
In this case after a few seconds you should see a large number of conversations being listed under Other Traffic/Unknown. You will still see all of the local traffic, i.e. between the monitoring machine and the rest of the network.
At this point you really need to know about filters because the amount of traffic that you are going to see will have increased. You can apply two types of filter - capture and display. A capture filter specifies what packets will be captured and the display filter applies post capture processing so that you can analyse the data you have collected. Apart from this difference filters work in the same way.
The simplest way to find out how filters work is to customise the standard filters. Select the Capture Filter tab, click on the folder icon and select Standard Filters, Addresses, IP4 Addresses. This will load a filter that only captures packets to or from the specified IP address. The filter initially reads:
// Show traffic To or From a specific IPv4 address:
// 192.168.0.100 <-> // Show traffic To or From a specific IPv4 address:
// 192.168.0.100 <-> ANY
IPv4.Address == 192.168.0.100
and all you have to do is customise the IP address to the address you are interested in capturing.
Monitoring in action - click to view
After you have made the customisation, click the Verify icon to check that the filter works and as long as it does click the Apply icon. Now when you start the capture you will only see packets to/from the specified IP address.
You can create more complicated filters for IP addresses, ports and types of traffic and the simplest way to find out about them is to look at the supplied filters and edit them to produce what you need.
After you have used the monitor to capture the packets you can load and use an Expert to perform an analysis of the data for you - and this is covered in the third article on Network Monitor 3.3.
|Last Updated ( Sunday, 09 May 2010 )|