Time
31 hours 29 minutes
Difficulty
Beginner
CEU/CPE
40

Video Description

Port Mirroring

This lesson covers port mirroring. Port mirrors are also known as Switch Port Analyzers and are commonly referred to as SPAN ports. Port mirroring can be set up on switches, routers and other devices. It lets us set up a port that has all the data mirrored to it, so that network data can be captured and fed to an IDS (Intrusion Detection System). Port mirroring sends all data to where it needs to go, and also makes a copy and sends it to whatever devices are on the SPAN port.

Video Transcription

00:04
Last up for our segment, we have port mirroring. So what is port mirroring? Well,
00:09
port mirrors are also known as switch port analyzers; you'll also hear them referred to as SPAN ports,
00:17
switch port analyzers
00:19
now.
00:20
Switch port analyzers, SPAN ports, are just gonna be on, uh, will be on a switch. But we can set up port mirroring not just on switches, but we can also set up port mirroring on our other devices. We could set it up on our routers or bridges in order to view data that's going across our devices.
00:38
But SPAN port is what you'll hear when we're talking about switches.
00:41
And very often, port mirroring is done on switches because switches are very good at managing data and they're very good at down from routers. They're very good at sending data and managing where it came from and where it needs to go.
00:57
So
00:58
when we're sending data on our devices other than a hub, our devices are just going to send the data to the port that they need to.
01:06
So in the case of our switches,
01:08
when we've set up a switch, for the first couple seconds our switch will act like a hub and send data to everyone connected to it. But after our switch starts to make up its tables and it determines that, okay, on port number one I have computer A, port number two I have computer B,
01:27
port three I have computer C,
01:30
and so on
01:32
our switch is going to determine that
01:34
when computer A sends a packet to computer E,
01:38
our switch is just going to take that packet and send it directly to computer E.
01:42
The only packets that you're going to hear are packets that are just being sent to you and packets that are being sent broadcast to everybody.
01:53
So
01:53
this puts us at a disadvantage if we're trying to do diagnostics on a switch, or, sorry, diagnostics on our network. If for some reason we need to sit down and we need to capture the data that's going across our network and view it and analyze it,
02:07
we can't do that on a switch like we can on the hub or on a
02:12
bridge or a router, because the data is only going to go to the ports that they need to go to
02:20
so port mirroring, and for switches SPAN ports, allow us to set up ports that have all the data mirrored to them.
02:30
Now we say all the data here because all of the data can be the max data that we capture. And then we can also capture
02:38
only certain ports if we're trying to isolate and diagnose only traffic on certain ports.
02:45
So
02:46
this captures network data and it's very useful for diagnostics, research, or setting up IDSs.
02:53
Now, an IDS stands for an intrusion detection system. An intrusion detection system is a device that we put on our network, or a computer that we connect to a network, running a program that sits there and it analyzes the network. And it says, "What? That looks bad. I need to flag this. I need to report it."
03:12
Intrusion detection system: that D is very important, because the D standing for detection means that that device isn't going to do anything about it other than report it.
03:23
An intrusion detection system isn't an antivirus, it isn't a malware remover. It isn't going to see bad data going across our network and say, "What? I need to take that."
03:32
So that's why we can set up IDSs on mirrored ports, because if it was an IPS, an intrusion prevention system, an intrusion prevention system actually stops those attacks;
03:46
that would have to actually be in between us and wherever the data is coming from.
03:52
If we're just having the data merely mirrored to us, it's just a copy of the data. We can't take that packet and say, Oh, I'm going to discard that because it's already gotten to where it needs to go.
04:01
So an IDS just sits and watches and raises warning flags; an IPS actually needs to be in a location where it's taking traffic, and if there's something bad, it stops it.
04:15
So, a little bit of an introduction to IDSs and IPSs, which you don't need for this particular module, but it's good to know.
04:21
But anyway, port mirroring allows us to capture that data and have it sent to different ports. But we also need to know that devices can't talk on this port. Now, why is that? Well, these devices can't talk on this port because mirrored ports are set up just to have data sent to them, capturing it from all of our other ports.
04:41
If we start sending our, if we tried to start sending data on a mirrored port
04:45
and we tried to use a mirrored port as an access port, then when we're sending data out and then receiving responses, we don't know the difference between data that's being sent just to us, or data just to that mirrored port, or data that's being sent to that mirrored port because it's copies of other data,
05:01
so mirrored ports are going to be set up just as capture ports.
05:05
So let's take a look at our diagram to better understand port mirroring, because I just blasted off a whole bunch of information that you may not even understand. So let's actually take a look at this in practice.
05:17
So we have a we have a switch here. We have our network diagram.
05:21
We have a switch and we have a router
05:25
we have on our network diagram seven computers and a router
05:30
on ports one through seven.
05:33
Now, one of our computers is blue because that computer's set up on a mirrored port,
05:39
on a SPAN port on our switch.
05:41
So we're not gonna label this computer with a letter. We're just gonna label this computer with an M for our mirrored computer. Actually,
05:51
we'll change that.
05:54
Our port, port seven, is going to be
05:57
7M for our mirrored port. And this computer is going to be computer W, for Wireshark. We're gonna have Wireshark running on this computer.
06:05
So sorry for the little bit of confusion there.
06:08
So
06:10
all of these computers are set up
06:13
on a standard port on a standard switch to be able to talk to each other and be able to talk out to the Internet through a router.
06:18
They're all set up on ports one through six, and our router's set up on port eight.
06:26
So we have a couple of different computers over here. We have computer E's a server, the rest of our computers are workstations, and we're running into some problems where we're having some data going on, having data traversing our network, that's causing some problems. Maybe this is malicious data. Maybe we just want to capture and see if we can
06:45
check and see why our network is so slow.
06:46
There's some reason where we need to do some diagnostics on our switch,
06:50
so we set up port 7M as a mirrored port.
06:54
Now, when we go into our switch configuration, we'll be asked for a source port and a destination port.
07:00
We need to know what the source for this mirrored port is going to be.
07:04
So we say Okay, I only want to see the data that's going over Port number five because Port number five's connected to my server,
07:14
So I only want to see the data that's going to port number five. So we'll go in our, we'll go in our switch configuration and we'll say, under our mirror or SPAN port settings or our port mirroring settings, depending on what our router configuration looks like, and say, I want source port to be five,
07:31
and I want it to send to port seven.
07:34
So now port seven is a mirrored port.
07:39
We're running Wireshark on this computer, and this computer can't connect to the Internet because it's only connected to a mirrored port, so it's only going to be receiving data,
07:46
receiving mirrored copies of that data from Port five.
07:51
So we have all of our configuration set up. Our source port is port five, that our server's connected to, and our destination port is port seven.
08:01
So let's take a look inside a router now
08:03
and remove some of our route and remove our router symbols.
08:09
So we have our little router control chip here that's going to direct traffic, direct data where it needs to go.
08:16
And our server is going to send a packet
08:20
to go to computer C.
08:22
So it's going to send, it's going to send the data to its port,
08:26
and then our switch brain is going to say, OK, I need to send this packet to computer C, because that's where its destination is.
08:35
But I have a rule here that says I need to mirror all this data also over to port seven, where my mirrored port is.
08:43
So I'm going to send this packet onto Port three.
08:48
But I'm also going to send
08:50
a copy of the data, the packet that I'm sending over to port seven
08:54
so that my device on Port seven can read it.
09:00
Same thing if I have Port three talking to Port five.
09:03
Any data that's being sent from or to Port five will also be copied to port seven.
09:09
Now, let's say I need to find all my network traffic. I need to determine what all my computers were saying. Well, then I'll write rules in my switch that say port six, port five, port four, port three, port two, port one, and port eight: I want all that data
09:26
to be copied over to my workstation here, to my Wireshark capture. Again, what does this do for us? Why don't we want all of these copies of data in our switch to be sent over to this workstation here?
09:41
Well, again, this workstation could be running Wireshark. It could be looking at these packets, and we can search through it manually and see if there's any irregularities. It could be running an IDS. It could be running an intrusion detection system where it checks all of our packets and sees, okay, is any of this data
09:58
malicious? Is any of this data bad? Should I raise any alarms?
10:01
So
10:03
port mirroring is very useful for these diagnostics and for doing this, in doing our research.
10:09
So port mirroring, also known as SPAN ports, take all of our data
10:15
and they send it to where it needs to go.
10:18
But they also make a copy of the data and they send it to our SPAN port. They send it to whatever device is connected to our SPAN port, and this all has to be configured within our switch.
10:31
Now,
10:31
just because we're setting up a SPAN port doesn't mean that our network is going to slow down. If we have a lot of traffic going to our SPAN port, the only limitation, the only downside that we'll really see in network traffic, is our SPAN port may drop some packets.
10:48
If it's having too much data pushed to it. So if our switch is making copies of all the data from one through six and then port eight and sending it to SPAN port number seven, and our SPAN port says, "I can't handle this data," and just drops some of the packets,
11:05
then the only thing that will be affected is our capture going on on our workstation.
11:09
Because this data is just copies of data.
11:13
None of our other data packets going anywhere else are going to have any problems.
11:18
So,
11:20
um,
11:20
then our last thing for SPAN port. Let's say that this IDS, this intrusion detection system
11:26
that we put on SPAN port, put on port seven, our mirrored port, SPAN port.
11:33
We need this data to be able to be sent out to the Internet, or sent over the Internet to us, or we need this data to be able to be sent to our workstation. Our admin workstation is workstation A,
11:46
which I wrote again.
11:46
But
11:48
what can we do? We can't send data back over this mirrored port. This mirrored port is receive-only.
11:58
Well,
11:58
what we're going to do is we're going to have
12:01
two network interface cards in this device here.
12:05
One network interface card is going to be for capturing, and the other network interface card is going to be used for actual network activity.
12:16
So we need a second network interface card in our computer,
12:20
plug in a second Internet cable to our computer and plug that into a different port. So we have port nine
12:28
and that port, we may also, we may even want to set up so port nine also sends copies of its data to port seven.
12:37
But now our computer, our Wireshark workstation or our IDS, whichever we have set up here, not only receives all of the copies of data that's being sent around our switch but is also sending out informational packets or sending out alerts, or able to connect to the Internet
12:56
over that second network interface card
12:58
over port nine.
13:01
So if you've never set up a mirrored port, never set up a SPAN port before, and you have the resources to and you have the chance to, it's a great way just to set up a SPAN port and be able to, again, with permission, and if you're using the right resources, you don't want to disrupt your network activities, just to,
13:20
just to play around. Essentially,
13:22
this will give you, and this will let you see the traffic going over your network. You'll be able to look at all the traffic and say, "Wow, you know, I recognize this packet, or recognize this port number or this protocol," and check out all that different data that's going on on your network and see if you can identify anything.
13:41
So thank you for joining us here today on cyber dot i t. Today we talked about routing and switching. We talked about everything from all of our different switching devices, like our bridges, our switches, our hubs, our repeaters, and all of the different concepts. And, well, not all of the different concepts, but a lot of the different concepts related to routing and a lot of the different routing properties,
14:01
protocols,
14:01
how they've set up their dynamic routing tables and, essentially, how our routers talk to each other and find the best routes and the best paths to other networks.
14:11
So hopefully this information is helpful, and hopefully this information will help you in your journey to be able to better work on your networks and better diagnose your networks and know how networking works. And we hope to see you again here next time on separate at I t

Up Next

CompTIA Network+

This free CompTIA Network+ training and certification course provides you with the knowledge to begin a career in network administration. This online course teaches the skills needed to create, configure, manage, and troubleshoot wireless and wired networks.

Instructed By

Anthony Harris
Systems Analyst and Administrator at SAIC
Instructor