Configuring Windows XP to accept port mirrored traffic

mbrownnyc

Hello,

I'm attempting to monitor network traffic utilizing a network capture.

I would like to mirror traffic that is incoming on one port (port 14).

I have configured my switch to mirror traffic from port 14 to port 31, where a Windows XP host is attached.

It appears that the Windows network stack is dropping packets that aren't destined for its IP address (unsure). I assume this to be the case because I can see traffic that transmitted out of port 14 (when configuring the mirroring to show this), but when I configure it to mirror received traffic, I cannot see any packets.

How do I configure Windows XP to accept packets that are not destined for the IP address of the NIC?

Is there a special way to configure the NIC so that it accepts all destined traffic?


Thanks,

Matt
 
What software are you using? Promiscuous mode on the Ethernet adapter should show everything on the wire to the card.

Wireshark is one packet capture tool that I think works well.
 
Yes, I'm utilizing promiscuous mode in Wireshark. Thanks for confirming that the problem probably exists with the switch and port mirroring.

http://forums.linksysbycisco.com/li...s&thread.id=719&view=by_date_ascending&page=2

Any experience with port mirroring on a Linksys switch?


1) I do not have a VLAN, so all ports are assigned to "Access."
2) I've uninstalled the TCP/IP stack on the NIC (as described in the thread), and now I get nothing (figuring that frames were sent to the NIC, and that promiscuous mode will catch this, via WinPcap, but this isn't the case apparently?).
 
Hilarious: I was misassigning the target port. I was using another port (oops), glad no one was using the port.

TCP/IP enabled.
No need to assign to any specific VLAN.

Just add the source port, and the target port. The switch is auto-sensing, but just for fun I used a crossover cable (for legacy sake).

Now, I'm investigating a good WinPcap GUI for Win32. iTraffic is one, Wireshark (but I don't need to do this level of inspection). Also, at the level of analysis (simply bandwidth utilization) I could even use my favorite tool, perfmon, to simply record received bytes/sec on the NIC.

[edit]
Doesn't look like perfmon likes the NIC. Not bothering... writing my own:
http://www.tamirgal.com/blog/Page/SharpPcap-tutorial-a-step-by-step-guide-to-using-SharpPcap.aspx
http://www.codeproject.com/KB/graphics/zedgraph.aspx
 
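Added example, not part of the thread and not any poster's code: a Python sketch of the two checks discussed above, bytes per second seen on the capture NIC and whether the mirror is actually delivering frames addressed to other hosts. It assumes the capture was saved in classic libpcap format (not pcapng) with an Ethernet link type; the function names, MAC addresses and sample frames are constructed for illustration.

```python
import struct
from collections import Counter

def mirror_stats(pcap: bytes, local_mac: bytes):
    """Parse a classic libpcap Ethernet capture.

    Returns (bytes_per_second, foreign_unicast_frames)."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"                      # file written on a little-endian host
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic microsecond-resolution pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    per_sec, foreign, off = Counter(), 0, 24
    while off + 16 <= len(pcap):
        ts, _usec, incl, wire = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        if len(frame) < incl:
            break                      # truncated final record
        off += 16 + incl
        per_sec[ts] += wire            # on-the-wire length, not the snapped length
        dst = frame[:6]
        # Unicast (group bit clear) to another station's MAC: a switch delivers
        # these to our port only when mirroring or flooding unknown destinations.
        if len(dst) == 6 and not dst[0] & 1 and dst != local_mac:
            foreign += 1
    return per_sec, foreign

# --- constructed sample capture (all MACs and sizes are made up) ---
LOCAL_MAC = bytes.fromhex("020000000031")   # capture NIC on the target port
OTHER_MAC = bytes.fromhex("020000000014")   # host on the mirrored source port
THIRD_MAC = bytes.fromhex("0200000000aa")   # some other station
BROADCAST = b"\xff" * 6

def _frame(dst, src, size):
    return dst + src + b"\x08\x00" + bytes(size - 14)

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, data in frames:
        out += struct.pack("<IIII", ts, 0, len(data), len(data)) + data
    return out

SAMPLE = build_pcap([(100, _frame(OTHER_MAC, THIRD_MAC, 60)),
                     (100, _frame(BROADCAST, OTHER_MAC, 60)),
                     (101, _frame(LOCAL_MAC, OTHER_MAC, 100)),
                     (101, _frame(OTHER_MAC, THIRD_MAC, 1514))])
```

A foreign-unicast count of zero on a capture taken while the source port is busy points at the mirror configuration (for example the wrong target port) rather than at the capture host.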