Mark Berry January 3, 2010
The previous post described basic setup of the Dell PowerConnect 2824 switch. One of the reasons I bought this switch is its ability to “mirror” a port. This allows a properly configured computer to sniff all the packets going through the mirrored port. If you mirror the port that goes to your external router, you should be able to monitor all the traffic between your router and all internal computers.
Setting up the switch and the free PRTG Network Monitor was pretty easy. Setting up the computer itself (an old Windows XP Home box) took some fiddling. Here in brief are the steps.
Set Up the Switch
I connected my router to port 23 of the switch. Then, using the switch’s web interface, I went to Switch > Ports > Port Mirroring and added port 23 as a Source Port with port 24 as the Destination Port.
Now all traffic on port 23 is duplicated to port 24.
Set Up the Computer
First let me say that Dell support has been a great help here. There is a whole department that supports switches. Both technicians I spoke with were knowledgeable, immediately understood my questions, and worked to help even when the questions went beyond pure functioning of the switch.
One thing I learned is that a mirrored switch port does not pass normal traffic, so if you want the monitoring computer to be on the network (e.g. for remote management), you need to install a second NIC.
I also turned off the Windows Firewall to make sure that no traffic would be prevented from reaching the monitoring software.
Even with two NICs, after connecting one NIC to the mirrored port 24 and another NIC to a non-mirrored port, I was not able to get on the Internet from the monitoring computer, nor could I access the computer from the network. In the end, the solution was to give the NIC connected to the mirrored port a “bogus” IP address. That apparently prevents Windows XP from trying to use that NIC for network connectivity, so it routes all “normal” traffic through the NIC connected to the non-mirrored port.
Here are the network settings.
NIC on Non-Mirrored Port
NIC on Mirrored Port
On the left, note that I unchecked all roles except Internet Protocol (TCP/IP).
On the right, note that the 10.50.1.1 address is not on our local network.
I’m not sure if it matters, but under Network Connections, I chose Advanced > Advanced Settings and made sure that the NIC on the non-mirrored port has first priority.
Set Up PRTG
PRTG Network Monitor is an incredibly powerful program and I’m sure I’m only scratching the surface of its capabilities. But for what I’m trying to do (monitor traffic on the mirrored port), the main “trick” seems to be adding a Bandwidth Monitoring > Packet Sniffer (Content) sensor to the local probe.
In the sensor setup’s second page, I chose to monitor only the adapter connected to the mirrored port. I also set all Channel Selections to Detail.
Finally, I paused or deleted the default WMI Network Card sensors attached to the local NICs. (In fact, the one on the mirror-port NIC was shown in red.)
After some data has been collected, a quick way to view it is to go to the sensor and click on the Toplists tab. Here you can list top connections, protocols, and “talkers” (devices).
The other tabs show graphs and breakdowns of live data (the last two hours), the last 2 days, 30 days, etc.
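To show how toplists of connections, protocols and talkers can be derived from frames seen on a mirror port, here is an added example (not PRTG's code and not part of the original post). The frames are constructed sample data, and the function names `build_frame`, `parse_frame` and `toplists` are hypothetical.

```python
import struct
from collections import Counter

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def build_frame(src_ip, dst_ip, proto, sport, dport, payload_len):
    """Construct a sample Ethernet+IPv4 frame; the L4 part holds only the ports."""
    l4 = struct.pack("!HH", sport, dport) + bytes(payload_len)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return bytes(12) + b"\x08\x00" + ip + l4

def parse_frame(frame):
    """Return (src, dst, proto_name, sport, dport, length) or None if not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                       # ARP, IPv6, truncated frames, ...
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[14] >> 4 != 4 or ihl < 20 or len(frame) < 14 + ihl:
        return None
    proto = frame[23]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    sport = dport = 0
    if proto in (6, 17) and len(frame) >= 14 + ihl + 4:
        sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return src, dst, PROTO_NAMES.get(proto, str(proto)), sport, dport, len(frame)

def toplists(frames):
    """Sum bytes per talker, protocol and connection (both directions merged)."""
    talkers, protocols, connections = Counter(), Counter(), Counter()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, proto, sport, dport, length = parsed
        talkers[src] += length
        talkers[dst] += length
        protocols[proto] += length
        connections[(proto,) + tuple(sorted([(src, sport), (dst, dport)]))] += length
    return talkers, protocols, connections

# Constructed sample frames, as if captured on the NIC attached to the mirror port.
SAMPLE = [
    build_frame("192.168.1.10", "203.0.113.5", 6, 50000, 443, 1000),
    build_frame("203.0.113.5", "192.168.1.10", 6, 443, 50000, 1400),
    build_frame("192.168.1.20", "198.51.100.53", 17, 53000, 53, 40),
    bytes(12) + b"\x08\x06" + bytes(28),   # ARP frame: skipped by parse_frame
]
```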