Book Image

Wireshark Essentials

Book Image

Wireshark Essentials

Overview of this book

Table of Contents (15 chapters)
Wireshark Essentials
Credits
About the Author
About the Reviewers
www.PacktPub.com
Preface
Index

Test Access Ports and switch port mirroring


If you're capturing from a user location and cannot or do not wish to install Wireshark on the user's machine or you're capturing at another location in the network, you have two options to obtain a copy of the packets traversing the network: Test Access Ports or switch port mirroring.

Test Access Port

A Test Access Port (TAP) is a device that copies all the packets flowing through it to one or more monitor ports. A station with Wireshark installed on it can be connected to one of the monitor ports to capture the packets.

You should select an aggregating TAP that supports the link speed of the network ports being analyzed (usually 100 Mbps or 1 Gbps) and that will copy and combine the packets flowing in both directions (transmit data from the user's workstation and receive data from the network); the aggregating TAP funnels the traffic to a single connection (transmit to the Wireshark station) so that you can capture the traffic in both directions...