Where to Capture Packets on my Network

Monday, 08 August 2011 08:45 Colasoft

This is important for those who are new to network analysis, because they need to connect the capture machine to the right device in order to capture ALL traffic on a WIRED network. Users of the following products are recommended to read this post:

  1. Capsa Free
  2. Capsa Enterprise
  3. Capsa Professional
  4. nChronos Standard
  5. nChronos Free

If you use Capsa WiFi, you can skip this part and read Getting Started with Capsa WiFi instead.

Using Colasoft Capsa network analyzer (also called a packet sniffer, network analyzer, protocol sniffer or protocol analyzer) to capture network traffic and analyze and troubleshoot network problems is an important part of network management. The charm of packet analyzer software is that you can use it to listen on a cable (or even a wireless signal) and learn what the machines are transmitting and which hosts and services they communicate with, without installing a backdoor or keylogger on those machines the way an attacker would. If you want to use Capsa to capture your network traffic, you need to capture on the right device, because you can’t just install it on a system like common software and expect to capture traffic from other machines. This blog post covers the basics of where you should capture with Capsa network analyzer on your network so that you get the traffic you are interested in.

Whose Packets Do You Want to Capture?

We all know the terms hubs, switches, routers, firewalls, etc., but some of us may not know how packet analyzers see the packets that pass through these devices. So we should always think first whose packets we want to sniff, and to which device we should connect the machine running the packet analyzer software. This is the first discipline: you can’t analyze and troubleshoot network packets unless you capture them.

Quite often someone new to Capsa network analyzer installs it on his PC, fires it up and expects to capture all packets traversing his network. He’ll be disappointed: in today’s networks he can only see the packets of his own machine. Back in the 1990s, when hubs were common, he could have captured all traffic on a hub network without a problem. Today, besides hubs, we have more devices: switches, routers, firewalls, etc. Let’s see how we can capture packets when we are connected to each of these networking devices.

Capture Particular PC’s Packets

This is the simplest scenario: you are a network administrator who suspects the guy at the marketing dept. is infected with a worm or virus, because his machine keeps sending a large volume of packets that consumes the network bandwidth. So it’s a good idea to install a packet analyzer tool on his machine and look into his traffic pattern to prove it. Or you may just be curious which applications are consuming your network bandwidth. To capture the packets of a particular machine, you only need to install Capsa network analyzer on that machine. What is really required is a network interface card (NIC) which is able to run in promiscuous mode.

Capture a Computer's Packets

Economic Choice - Use Dumb Hub

Hubs are rare these days, but if you’re fortunate enough to own one of those old jewels, make sure to hold on to it. If you have a 100 Mbps network, a cheap hub is the perfect choice for intercepting network packets. You might try eBay to find a second-hand hub if you are lucky. Be careful: some vendors call a device a hub when in fact it’s a switch.

A Dumb Network Hub

So when you connect your machine (with Capsa network analyzer installed) to any port on the hub, you can sniff the packets of all machines, because the hub repeats every Ethernet frame arriving on one port to all of its other ports. The figure below shows how to capture packets on a hub. For example, in your home network all your machines are connected by cable to a home router, and the router connects to the Internet. In this network we can place a hub behind the router and move all the cables to the hub. Now you can use any free port on the hub to sniff all packets with Capsa network analyzer.

Use Hub to Intercept Network Traffic Packets

Cons of Capturing Packets on Hub

But there is a downside to using a hub. Because the hub repeats all packets to all ports, it increases packet collisions, and collisions slow down your network. If you capture with packet sniffer software on a hub, you will see more TCP retransmissions. So make sure you take out the hub and restore the original topology when you finish packet sniffing.

Configure Port Mirroring (SPAN) on Managed Switch

There are two categories of switches: managed and unmanaged. A managed switch is a much better place to capture than a hub. But as we mentioned at the beginning of the post, if you sniff on a PC connected to a switch (managed or unmanaged), you only see the traffic of your own PC plus some broadcast and multicast traffic.

Only Sniff Own Packets and Broadcast packets

How can we sniff all packets on a switch? Don’t worry: managed switches have a function called port mirroring. The name varies by vendor; Cisco calls it SPAN. In the switch management portal you configure the switch to copy all transmitted (Tx) and received (Rx) frames (or a subset of them) of particular ports to a monitor port. Connect the machine running your protocol analyzer software to the monitor port and sniff the traffic there. The figure below shows how to use Capsa network analyzer to sniff all traffic on a managed switch with port mirroring.

Use Port Mirroring SPAN to Sniff Packets

Notes on Sniffing Traffic on Managed Switch Port Mirroring

  1. On some switches you can also copy the traffic of all ports to a single monitor port, but this produces duplicate packets: each frame is seen twice, once on the port it arrives on and again on the port it leaves on. It’s therefore usually wise to mirror only the uplink port if you want to monitor all hosts connected to the switch.
  2. You should also be careful using port mirroring on a heavily loaded switch. Don’t forget that the primary job of a switch is to switch and forward traffic from the source port to the destination port, not to copy or mirror packets. This means that when the switch’s load is high, it prioritizes switching frames from source port to destination port over copying them to the monitor port. So on a heavily loaded switch you may not get all the traffic on the monitor port, which is unacceptable if you are doing a network forensics investigation. If this is your case, consider a network tap to proceed with your task.
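The three capture artefacts described above (extra TCP retransmissions on a hub, duplicate frames when every port is mirrored, and frames silently dropped by a loaded switch) can all be checked for after the fact. The following script is an added example, not Capsa or Colasoft code: it runs over a constructed list of captured TCP segments, strips the mirror duplicates, counts retransmissions, and reports sequence-number gaps that no later retransmission fills, which on a SPAN port point to capture drops rather than loss on the wire. Segment records, addresses and timestamps are all constructed for the example.

```python
"""Sanity checks on a capture taken from a hub or a SPAN/mirror port.

Constructed example, not Capsa or Colasoft code. It strips the duplicate
frames produced by mirroring every port to one monitor port, counts the
TCP retransmissions a collision-prone hub provokes, and flags sequence
gaps that a loaded switch leaves when it drops mirrored frames.
"""
from collections import namedtuple

# One record per captured TCP segment: capture timestamp in seconds, the
# 4-tuple, the TCP sequence number and the payload length.  Constructed data.
Seg = namedtuple("Seg", "ts src sport dst dport seq length")

SAMPLE = [
    Seg(0.0000, "10.0.0.5", 40000, "10.0.0.9", 80, 1000, 100),
    Seg(0.0001, "10.0.0.5", 40000, "10.0.0.9", 80, 1000, 100),  # same frame, mirrored twice
    Seg(0.0100, "10.0.0.5", 40000, "10.0.0.9", 80, 1100, 100),
    Seg(0.0101, "10.0.0.5", 40000, "10.0.0.9", 80, 1100, 100),  # mirrored twice
    Seg(0.2500, "10.0.0.5", 40000, "10.0.0.9", 80, 1000, 100),  # retransmission after a collision
    Seg(0.3000, "10.0.0.5", 40000, "10.0.0.9", 80, 1400, 100),  # bytes 1200..1399 never captured
]


def flow_key(s):
    return (s.src, s.sport, s.dst, s.dport)


def dedup_mirrored(segments, window=0.001):
    """Drop a segment identical to one captured within `window` seconds.

    A frame mirrored on both its ingress and egress port reaches the monitor
    port twice, microseconds apart. A genuine retransmission of the same
    bytes comes much later (an RTO away), so the time window tells them
    apart. Sequence-number wraparound is ignored in this example."""
    last_seen = {}
    kept = []
    for s in segments:
        sig = flow_key(s) + (s.seq, s.length)
        if sig in last_seen and s.ts - last_seen[sig] <= window:
            continue
        last_seen[sig] = s.ts
        kept.append(s)
    return kept


def count_retransmissions(segments):
    """A data segment whose seq is below the highest byte already seen on
    its flow repeats data that was captured once before."""
    highest = {}
    retrans = 0
    for s in segments:
        if s.length == 0:
            continue
        k = flow_key(s)
        if k in highest and s.seq < highest[k]:
            retrans += 1
        highest[k] = max(highest.get(k, 0), s.seq + s.length)
    return retrans


def find_capture_gaps(segments):
    """Return (flow, start, end) byte ranges that never appeared in the
    capture. A gap that a later retransmission fills was a loss on the wire,
    which the endpoints repair themselves; a gap that stays unfilled is data
    the monitor port never delivered to us, i.e. a capture drop."""
    expected = {}
    gaps = []
    for s in segments:
        if s.length == 0:
            continue
        k = flow_key(s)
        if k in expected and s.seq > expected[k]:
            gaps.append((k, expected[k], s.seq))
        expected[k] = max(expected.get(k, 0), s.seq + s.length)

    def filled(k, start, end):
        # One later segment covering the whole range is enough for this example.
        return any(flow_key(s) == k and s.seq <= start and s.seq + s.length >= end
                   for s in segments)

    return [g for g in gaps if not filled(*g)]


def analyze(segments):
    """Dedup first: mirrored copies would otherwise be counted as retransmissions."""
    clean = dedup_mirrored(segments)
    return {
        "captured": len(segments),
        "mirror_duplicates": len(segments) - len(clean),
        "retransmissions": count_retransmissions(clean),
        "capture_gaps": find_capture_gaps(clean),
    }


if __name__ == "__main__":
    for name, value in analyze(SAMPLE).items():
        print(f"{name}: {value}")
```

Running the checks on a mirror-port capture before trusting it is cheap insurance: if the unfilled gap list is not empty, the switch was shedding mirrored frames and a tap, or mirroring only the uplink port, is the fix.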

Capture Unmanaged Switch Traffic

If your switch isn’t a managed switch but an unmanaged switch, you have two choices.

Intercept Traffic From Unmanaged Switch

Use Network Tap to Capture Packets

What is a network tap? A network tap is a hardware device which provides a way to access the data flowing across a computer network. In many cases, it is desirable for a third party to monitor the traffic between two points in the network. If the network between points A and B consists of a physical cable, a "network tap" may be the best way to accomplish this monitoring. The network tap has (at least) three ports: an A port, a B port, and a monitor port. A tap inserted between A and B passes all traffic through unimpeded, but also copies that same data to its monitor port, enabling a third party to listen.

Network Tap

Using a network tap is the most reliable way to sniff traffic: it is easy to use and doesn’t affect your network performance (compared with a hub or the switch’s port mirroring). The function of a network tap is to make a copy of each frame on the wire. Typically you insert a network tap between two nodes of your network, such as between the switch and the router, and you get all traffic between these two devices without affecting the quality of the line. The figure below shows how to use a network tap to sniff the uplink traffic of an unmanaged switch.

Use Network Tap to Intercept Network Traffic

Cons of Capturing Packets with Network Tap

But network taps are expensive: a good network tap will cost you more than 1,000 dollars. Still, it’s a reasonable trade-off between monitoring reliability and budget. If you are considering investing in a network tap, I recommend an aggregation tap, which merges uplink and downlink traffic onto a single monitor port, so you don’t need two NICs in your sniffing computer.
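With a non-aggregating tap you capture each direction on its own NIC and have to merge the two captures yourself before they are useful. The script below is an added example, not Capsa or Colasoft code, showing that software merge step and one reason it matters: pairing a TCP SYN with its SYN/ACK requires both directions in one time-ordered stream. The packet records, addresses (documentation ranges) and timestamps are constructed.

```python
"""Software stand-in for an aggregation tap.

Constructed example, not Capsa or Colasoft code. A plain tap hands the two
directions of the link to two monitor NICs, so you end up with two captures
that only make sense once merged by time. The merged stream is then used to
pair TCP SYNs with their SYN/ACKs, which one direction alone cannot do."""
import heapq
from collections import namedtuple

# Timestamps are seconds on the capturing host's clock; both NICs sit in the
# same host so the clocks agree. Addresses are constructed documentation ones.
Pkt = namedtuple("Pkt", "ts src sport dst dport flags")

UPLINK = [  # client -> server, seen on monitor NIC 1
    Pkt(1.000, "10.0.0.5", 51000, "203.0.113.10", 443, "S"),
    Pkt(1.021, "10.0.0.5", 51000, "203.0.113.10", 443, "A"),
    Pkt(2.000, "10.0.0.7", 51001, "203.0.113.10", 443, "S"),
]
DOWNLINK = [  # server -> client, seen on monitor NIC 2
    Pkt(1.020, "203.0.113.10", 443, "10.0.0.5", 51000, "SA"),
    # nothing ever answers the SYN from 10.0.0.7
]


def merge_directions(uplink, downlink):
    """Each capture is already in time order, so heapq.merge yields one
    chronological stream without re-sorting everything."""
    return list(heapq.merge(uplink, downlink, key=lambda p: p.ts))


def handshake_rtts(stream):
    """Map each client socket to its SYN -> SYN/ACK delay in seconds, or None
    when no SYN/ACK was seen (half-open, filtered, or simply absent because
    the other direction was not captured)."""
    pending = {}
    rtts = {}
    for p in stream:
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            pending[key] = p.ts
        elif p.flags == "SA":
            reverse = (p.dst, p.dport, p.src, p.sport)  # the SYN's own 4-tuple
            if reverse in pending:
                rtts[reverse] = round(p.ts - pending.pop(reverse), 6)
    for key in pending:
        rtts[key] = None
    return rtts


if __name__ == "__main__":
    print("uplink only:", handshake_rtts(UPLINK))
    print("merged:     ", handshake_rtts(merge_directions(UPLINK, DOWNLINK)))
```

Run on the uplink capture alone, every handshake looks unanswered; on the merged stream the first handshake shows its 20 ms RTT and only the second is genuinely unanswered. An aggregation tap does this merge in hardware before the frames reach your single NIC, which is why the post recommends one.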

If you need any help on deciding where to capture network packets on your network, please leave a comment and we are happy to give you advice.

Last Updated on Monday, 05 September 2011 08:40