Time
31 hours 29 minutes
Difficulty
Beginner
CEU/CPE
30

Video Description

Port Mirroring: This lesson covers port mirroring, which is also known as a Switch Port Analyzer (SPAN) port. Port mirroring allows devices to see copies of the data that's going through a switch. It lets us set up devices to capture and analyze packets. SPAN ports are useful in that we can take data and figure out the type, e.g. an HTTP packet or perhaps a malicious packet.

Video Transcription

00:04
So with all the traffic that we have going on with our switches and our routers, how do we monitor it all? Now, with a hub, all that we would have to do is plug in a single device into any port on the hub, and our device would receive all the packets that are going on that hub at all,
00:20
but with the development of switches that manage traffic better, that assign ports to MAC addresses, and routers that manage traffic better.
00:30
The only port, the only traffic that we're really seeing when we're plugged into a switch on a standard port is data that (a) is directed directly towards us or (b) broadcast packets. Now, for a network engineer, or we are a systems administrator, and we need to look at
00:47
all of the data because we're trying to track down some issues, we're trying to view our network and see what's going on.
00:53
Then we may need to set up something called port mirroring, or also known as a SPAN port on switches.
01:00
Now what port mirroring does is it allows our devices to see a copy of data that's coming on, that's going through our switch.
01:11
So we have our switch here that we'll draw very big. Our switch, we'll say, is connected to three devices. At the moment we have multiple, we have multiple ports, but our switch is connected to three main devices, or actually four devices, because we're connected over here to a router as well.
01:30
So our switch is connected to four main devices:
01:34
a client computer, a server, a router and then our
01:40
special device, which we'll talk about in a second what this device is going to be.
01:45
Now
01:47
all of these devices are connected to ports on our switch.
01:51
But this device needs to be able to capture all of the packets that all of these other devices are sending.
01:57
So we want to specify that
02:00
the port that this device is connected into receives port mirrored packets. This is gonna be a SPAN port.
02:07
Now, SPAN port
02:08
stands for a switch port analyzer,
02:13
and it performs the same, it does the same thing that port mirroring does, but we're referring to the actual switch, the switch port itself. We would say this is a SPAN port. It's a switch port analyzer port.
02:27
so we would go into our switch configuration
02:30
and what we would do is we would go into our networking settings and we go into our port mirroring settings. And we would say that we want to have, we have our port number one, port number two, port number three and port number four. So we would say, we want our source port in our port mirroring to be port one
02:50
and destination is port three.
02:53
We also have source port two, destination port three, and source port four, destination port three.
03:04
So what this is telling our switch is that any data
03:07
that goes across port four,
03:10
port one or port two
03:14
goes to the location it's supposed to go to,
03:16
but a copy is also sent. Let's say port four is trying to talk to port two, our server's trying to talk to the router.
03:25
A copy of whatever data is being sent
03:29
is also sent over to Port three.
03:32
That's why it's called our port mirroring, because we're sort of, it's a
03:38
It's not really a mirror image of the data that's being sent. It isn't backwards. We are gonna Wireshark capture and see all of our binary bits going across backwards. But it's a reflection of what's going on inside of our network
03:52
and the same with port one talking to port two, or port one talking to port four, or any other communications that are going on, because we have our table set up as such.
04:01
Now we could set up our table so that we only captured data going across port four or only captured data going across port two. But we're going to say for this example, we want to capture the data going across any port and send a copy of that data to port three.
04:17
So why is this port useful? Why are SPAN ports useful?
04:21
Well,
04:23
our device that we place on port three
04:27
can capture and analyze those packets, so we can use that data that we're receiving on our SPAN port and we can take a look at it and say, Oh, this packet is an HTTP packet, or this packet is a malicious packet that's trying to perform a
04:44
Christmas tree, was trying to perform a special attack on my server. So I need to understand, we need to understand what our different packets mean and understand our different protocols in order to understand why we want to capture those packets and why we want to view them.
05:03
Now,
05:04
our special device here, we haven't listed yet because we're gonna talk about it now,
05:09
is an IDS.
05:11
We're going to say this is an IDS,
05:14
and IDS, IDS stands for intrusion detection system.
05:18
Now the key word there is the detection, the D,
05:24
because detection
05:27
means just that
05:29
it's going to receive these packets and want to raise an alarm if it sees anything suspicious.
05:34
It's only going to detect issues. It's sort of like putting, it's sort of like when you have stores that have fire exit doors that have little alarms on them. If you open that fire exit door and walk out, the only thing that's gonna happen is an alarm's gonna go off. Or stores that have metal detectors or
05:55
security tag detectors that go off if you don't pay for items and they still have the security tag on them.
06:00
All that is really just an IDS. We're gonna walk out and it's gonna sound really loud, and it's going to raise an alarm. But it's not doing anything. That metal detector isn't gonna fall over on us and then smack the item out of our hands or whatever. That's an IPS. Now, an IPS is our security guard.
06:18
Our IPS
06:19
would be a guy, that would be our security, our security personnel, that may hear our alarm or may notice that you're walking around kind of suspicious, that may notice that it seems like you're brushing up sideways against some shelves and trying to block the view of security cameras, and they actually come up to you and they confront you and they say, Hey, what are you doing?
06:40
That's our IPS. That's actually gonna do something.
06:43
Now, our IPS won't really do anything on a SPAN port.
06:46
If we set up an IPS here, it's not gonna be able to function correctly because devices on the mirrored port can't talk out over that same mirrored port.
06:56
An IPS on a mirrored port is receiving data that's already been sent.
07:01
And remember, it's just a copy of that data. So if an IPS says,
07:08
Oh, this is a bad packet, I'm gonna grab it and make sure it doesn't keep going. Well, it's only grabbing the copy of that data.
07:15
It would be like a security guard that only reviews all of the security footage at night. After things have happened, they can't be viewing the security footage and then say, Oh, that person's stealing something, and then run out into the store, because that happened five hours ago.
07:30
An IDS, though, would just be the review, the person who reviews the data and says, Oh, this was bad. We should take a look at the server and make sure it isn't infected now.
07:40
So our IPS would be better suited for, say, in between our router and our switch
07:47
as a device that the data is actually funneled through. That would be an IPS. But, for example, if we have a Network+
07:57
test question that asks us, Okay, we've set up a SPAN port on our switch. What would be
08:07
the best device, the best security device to set up on this switch? It may ask us if we're going to set up an IDS, an IPS, a firewall or a server on this mirrored port.
08:22
Well, an IPS isn't gonna do anything on a mirrored port. It's not gonna provide its functionality on a mirrored port because it can't do anything
08:30
over that SPAN port. A firewall,
08:33
it stops traffic flow, it takes packets and it blocks them. So a firewall, it isn't gonna do anything on a SPAN port. A server isn't gonna do anything on a SPAN port. It's sort of our bogus question, just our filler question to make sure that you're awake when you're taking the test, and then we have our IDS.
08:50
Now, IDS would be our best answer there. IDS would be the best
08:54
device to put on our SPAN port because it's going to raise the alarm, it's gonna check the traffic for us.
09:01
And then just remember our point that devices on a mirrored port can't talk. So if we have an administrative laptop or administrative computer that we set up and connect to a SPAN port, we can't connect to that SPAN port and just let traffic capture while we're talking out over the Internet
09:18
because we can't talk back out over that SPAN port.
09:22
What we can do
09:24
is, say this particular IDS sends a report to a company that checks all of our IDS logs for us. Say we don't really have an on-site security staff that can interpret these logs and look for errors.
09:39
So all of the IDS alerts are sent over the Internet to an additional company.
09:43
Well, what we'll have to do then is set up a second network interface card on our IDS and connect that network interface card into a non-SPAN port.
09:56
And then that non-SPAN port will connect out to our router and connect to the Internet.
10:01
So
10:03
that's what our port mirroring does. It allows us to mirror copies of data from different ports to one particular port. It's great for capturing packets and analyzing data and allows us to set up an IDS on that particular port.
10:18
And we can also just set up other devices on that particular port if we have two network interface cards in our administrative computer. One may be out to a standard port, and the other network interface card may have a cable that's connected to our SPAN port, and then our device will run a protocol analyzer or packet sniffer,
10:37
such as the amazing Wireshark, a very powerful protocol analyzer
10:41
that allows us to view those packets and allows us to dissect them a little bit and check out and see what's going on on our network.
10:48
So if you've never set up port mirroring, if you've never set up a SPAN port and you have a managed switch that you can practice on, it's a great tool to just set up and use to take a look at all the packets going across your network. It's a great test practice tool because you can set it up, let Wireshark run
11:07
and Vince and then just
11:09
take packets and then use them to, use them and remember and check out port numbers and say, Oh, hey, I know what HTTP is, I know what POP3 is, I know what IMAP is. And just identify these different protocols and see how a network flows and just see how a network is really almost a living, breathing thing
11:28
passing information and
11:31
passing information around our little mini, interconnected information superhighway. So keep that in mind. Set up those SPAN ports, set up that port mirroring, and you'll have a better handle and a better idea of what's going on on your network.
11:46
So thank you for joining us here today on cyber dot i t. Today we talked about some different configurations for setting up our routers and switches. We talked about everything from SPAN ports and port mirroring over to how our routing tables work. And we talked about additional configurations that our different devices may have,
12:05
such as traffic filtering or MAC filters.
12:07
So hopefully this information will allow you to have a better idea of how to set up and configure your different switches and routers on your network. And hopefully you'll be able to use some of these settings and use these configurations to better manage your network and have a better handle on the data flowing throughout your devices. So thank you again.
12:26
And we hope to see you here next time on cyber dot i t.

Up Next

CompTIA Network+

This CompTIA Network+ certification training provides you with the knowledge to begin a career in network administration. This online course teaches the skills needed to create, configure, manage, and troubleshoot wireless and wired networks.

Instructed By

Anthony Harris
Systems Analyst and Administrator at SAIC
Instructor