Port mirroring is used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port. This is commonly used for network appliances that require monitoring of network traffic such as an intrusion detection system, passive probe or real user monitoring (RUM) technology that is used to support application performance management (APM).
In our particular case, the faculty provided us with a Cisco Catalyst 2960 switch. We configured this switch to mirror all internet-bound data traffic traversing the interface connected to the network gateway to the interface connected to the Moloch server. As a result, we can now monitor all inbound and outbound lab traffic.
Switch(config)#monitor session 1 source interface fa0/1 both
– This command specifies fa0/1 as the source interface. The parameter “both” specifies that both directions are monitored.
Switch(config)#monitor session 1 destination interface fa0/24
– This command defines the destination interface for the mirrored traffic.
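An added example (not from the original page): a Python check, run against saved `show running-config` output, that each SPAN session has both a source and a destination and mirrors both directions, so the sensor is not silently missing half of the traffic. The sample config is constructed and the function names are hypothetical; it relies on IOS treating an omitted direction keyword as "both".

```python
import re

# Constructed sample of `show running-config` lines (not from the original page).
SAMPLE_CONFIG = """\
monitor session 1 source interface Fa0/1
monitor session 1 destination interface Fa0/24
monitor session 2 source interface Fa0/2 rx
monitor session 2 destination interface Fa0/23
monitor session 3 source vlan 10 both
"""

LINE_RE = re.compile(
    r"^monitor session (\d+) (source|destination) (interface|vlan) (.+)$")

def parse_span_sessions(config):
    """Return {session_id: {"sources": [(kind, ids, direction)], "destinations": [id]}}."""
    sessions = {}
    for raw in config.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sid, role, kind, rest = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        entry = sessions.setdefault(sid, {"sources": [], "destinations": []})
        tokens = rest.split()
        if role == "source":
            # Direction keyword is optional; an omitted one means "both".
            direction = tokens.pop() if tokens[-1] in ("both", "rx", "tx") else "both"
            entry["sources"].append((kind, " ".join(tokens), direction))
        else:
            # Keep only the interface id; ignore trailing options.
            entry["destinations"].append(tokens[0])
    return sessions

def audit_span_sessions(sessions):
    """Return (session_id, message) findings for sessions that under-deliver to the sensor."""
    findings = []
    for sid, s in sorted(sessions.items()):
        if not s["sources"]:
            findings.append((sid, "no source configured"))
        if not s["destinations"]:
            findings.append((sid, "no destination configured; nothing is mirrored"))
        for kind, ids, direction in s["sources"]:
            if direction != "both":
                findings.append((sid, f"{kind} {ids} mirrors {direction} only; sensor sees one direction"))
    return findings

if __name__ == "__main__":
    for sid, msg in audit_span_sessions(parse_span_sessions(SAMPLE_CONFIG)):
        print(f"session {sid}: {msg}")
```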
- CRZP Complex system for attack detection and data archiving – Moloch