TamoSoft: Network Analysis Tools & Security Software

Promiscuous Monitoring in Ethernet and Wi-Fi Networks

Monitoring Using Switches

A managed switch that supports port mirroring, a feature that allows you to configure the switch to redirect the traffic that occurs on some or all ports to a designated monitoring port on the switch, is an ideal device for network monitoring purposes. The way port mirroring is configured depends on the specific model and vendor (there are dozens of different models that have this functionality, ranging in price from $100 to a few thousand dollars.)

Two typical network layouts using port mirroring are shown below.

Layout 1


In this layout the primary switch supports port mirroring. A monitoring computer is connected to the mirror port, to which all traffic between the local workstations and the router is replicated. The switch can be configured to replicate data from one or several ports, depending on your purposes.

Layout 2

If your LAN segment is built on unmanaged switches that don't support port mirroring, you can add a managed switch to your network. By routing the Internet traffic via the switch that supports port mirroring, you make it possible to connect the monitoring computer to the mirror port and be able to capture traffic that goes from the local workstations to the router and back. However, this layout doesn't let you monitor the traffic between the local workstation, as it is routed via the unmanaged switches and doesn't reach the monitoring switch.

As a side note, we should mention that some switches that don't support port mirroring could be exploited for promiscuous mode monitoring. Network attacks, like "ARP Flood" or "ARP Spoofing", may be mounted against the network and cause a switch to send packets to all ports. These are, by no means, recommended monitoring methods.