Where and How to Capture Packets?
General considerations
Before capturing packets to troubleshoot a network issue, some elements need to be investigated. The objective is to gather as much information as possible about the network environment before starting the capture.
Here are some elements we should look at:
Who is impacted?
When does this problem occur?
What applications are impacted?
What servers are they interacting with?
Which network path do the packets traverse?
Capture in a Switch Environment
Switches can make packet capture difficult, because a switch only forwards a frame to the port where its destination lives, so an endpoint plugged into another port does not see the traffic. Different methods are available to get around this:
Wireshark installed on the endpoint
We can install Wireshark on the endpoints under test. However, this adds another workload to the server and changes the system we are observing. This is not the preferred method.
SPAN session/port mirroring
We can tell the switch or router to copy all packets going to and from a specific port to a mirror port that is attached to a monitoring tool.
The image below illustrates port mirroring. If we want to capture the traffic between workstations 1 and 2, we need to choose the port(s) to be mirrored. In the image below, the mirrored port is the one attached to workstation 1. All packets that enter or leave this port are copied and sent over port #8, which is a port on the switch dedicated to receiving mirrored traffic, where our attacker machine is connected. This way we are able to capture and analyze the traffic between the two devices.
The downside of this method is that we may overload the SPAN port if the traffic to be mirrored comes from multiple ports and interfaces: the mirror port has the same bandwidth as any other port, so when the aggregated mirrored traffic exceeds it, the switch drops the excess copies and the capture is silently incomplete.
TAP
The third method to get packet visibility is to install a TAP (Test Access Point) device in the network path between two nodes. Similar to the SPAN method, the TAP method involves replicating the traffic. A Test Access Point is physically inserted into the link and copies the packets sent between the two nodes to its monitor port. This method overcomes the issue we might encounter with the SPAN technique when the SPAN port is overloaded with traffic, since the TAP only carries the traffic of the single link it is inserted into.
The diagram below illustrates the monitoring of traffic between a switch and a router. The TAP has three ports: two of them are connected to the nodes and the third one is connected to our attacker machine with Wireshark installed to sniff the traffic. All packets exchanged between the switch and the router are replicated and sent to the attacker machine.
Monitoring on Both Ends
Capturing from multiple locations, on both the client and the server side, allows us to better identify where the traffic flow is disrupted and where packets are lost: a packet seen in the client-side capture but absent from the server-side capture was dropped somewhere on the path between the two capture points. Monitoring from the server side also shows which other devices and services the server is communicating with.
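As an added example (not code from the original page), the following script correlates a client-side and a server-side capture to find which packets were lost on each direction of the path and the largest one-way delay between the two capture points. The capture records are constructed sample data standing in for two simultaneous pcap files; matching on (src, dst, IP ID) and comparing timestamps are assumptions that require both capture hosts to be NTP-synchronised.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    ip_id: int    # IP Identification field, used to recognise the same packet at both points
    ts: float     # capture timestamp in seconds (clocks assumed synchronised)

def flow_key(pkt):
    # Assumption: (src, dst, IP ID) identifies one packet within a short window.
    # IP ID wraps at 65535 and some stacks zero it with DF set; for TCP the
    # sequence number would be a more robust key.
    return (pkt.src, pkt.dst, pkt.ip_id)

def compare_captures(client_side, server_side, client_ip):
    """Return (ids lost client->server, ids lost server->client, max one-way delay in ms)."""
    seen_client = {flow_key(p): p for p in client_side}
    seen_server = {flow_key(p): p for p in server_side}
    # Sent by the client, seen at the client but never at the server: dropped towards the server.
    lost_to_server = sorted(k[2] for k, p in seen_client.items()
                            if p.src == client_ip and k not in seen_server)
    # Addressed to the client, seen at the server but never at the client: dropped towards the client.
    lost_to_client = sorted(k[2] for k, p in seen_server.items()
                            if p.dst == client_ip and k not in seen_client)
    # For packets seen at both points, the timestamp difference is the one-way delay on the path.
    delays_ms = [abs(seen_server[k].ts - p.ts) * 1000
                 for k, p in seen_client.items() if k in seen_server]
    max_delay_ms = round(max(delays_ms), 1) if delays_ms else 0.0
    return lost_to_server, lost_to_client, max_delay_ms

# Constructed sample captures: client 10.0.0.5 talking to server 10.0.0.80.
CLIENT_IP, SERVER_IP = "10.0.0.5", "10.0.0.80"
CLIENT_CAPTURE = [
    Packet(CLIENT_IP, SERVER_IP, 1, 0.000), Packet(SERVER_IP, CLIENT_IP, 100, 0.020),
    Packet(CLIENT_IP, SERVER_IP, 2, 0.100), Packet(CLIENT_IP, SERVER_IP, 3, 0.200),
    Packet(SERVER_IP, CLIENT_IP, 102, 0.320),          # server's packet 101 never arrived
]
SERVER_CAPTURE = [
    Packet(CLIENT_IP, SERVER_IP, 1, 0.010), Packet(SERVER_IP, CLIENT_IP, 100, 0.010),
    Packet(CLIENT_IP, SERVER_IP, 2, 0.110),            # client's packet 3 never arrived
    Packet(SERVER_IP, CLIENT_IP, 101, 0.300), Packet(SERVER_IP, CLIENT_IP, 102, 0.310),
]

if __name__ == "__main__":
    to_srv, to_cli, delay = compare_captures(CLIENT_CAPTURE, SERVER_CAPTURE, CLIENT_IP)
    print(f"lost client->server: {to_srv}; lost server->client: {to_cli}; max delay {delay} ms")
```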
Using Filters
It is recommended to be cautious when using capture filters. When filtering at capture time, we take the risk of missing packets of a specific protocol, or from a specific source or destination, that could have given us important information; a packet that is not captured cannot be recovered later.
The recommended method is to use a capture filter only in a very busy environment, to narrow down the captured traffic somewhat. Otherwise, it is recommended to capture everything and filter later using display filters, which only hide packets from the view and can be changed at any time.