  • Definition:
    • Port mirroring (SPAN - Switched Port Analyzer) is a method of monitoring network traffic by duplicating packets from one or more switch ports to another port where a monitoring device is connected.
  • Purpose:
    • Allows passive monitoring of network traffic without impacting network operations or device performance.
  • Avoiding Disruption:
    • Non-Intrusive: Port mirroring does not generate additional traffic or load on the network devices, making it suitable for sensitive environments like power plants where disruption is not acceptable.

Port Mirroring (SPAN)

📝 Overview

What it is: A network switch feature that copies traffic from one or more ports (or VLANs) and sends it to a designated monitor port for analysis.

Target Phase: passive / Enumeration

Environment: Physical Networks, Virtual Switches (vSwitches in VMware/Hyper-V)

⚙️ Core Capabilities

  • Stealth: Allows for 100% passive network reconnaissance. The target devices have no idea they are being observed.
  • Data Capture: Essential for catching cleartext credentials or analyzing proprietary protocols (like Modbus in ICS/SCADA).
  • IDS/IPS Feeds: This is the exact same technology used to feed traffic to a blue team’s Intrusion Detection System.

💻 Common Commands (#clitool)

To capture the mirrored traffic once plugged in:

| Command | Description |
| --- | --- |
| tcpdump -i eth0 -w capture.pcap | Captures all mirrored traffic on interface eth0 and saves it to a file. |
| tcpdump -i eth0 port 80 -w http.pcap | Captures only unencrypted web traffic from the mirrored port. |
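
Added example (not part of the original notes): a defender-side audit that reads a classic pcap file, such as the capture.pcap written by tcpdump above, and counts packets per cleartext service so exposed protocols can be prioritized for encryption or segmentation. The CLEARTEXT port list, the function names and the sample capture are assumptions constructed for illustration.

```python
import struct
from collections import Counter

# Ports treated as cleartext services (assumed list; adjust for your network).
CLEARTEXT = {21: "ftp", 23: "telnet", 80: "http", 502: "modbus-tcp"}

def summarize_pcap(data: bytes) -> Counter:
    """Count packets per cleartext service in a classic Ethernet/IPv4 pcap."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    hits, off = Counter(), 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(order + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated, or not plain IPv4 (VLAN-tagged frames skipped)
        l4 = 14 + (frame[14] & 0x0F) * 4  # Ethernet header + IPv4 header length
        if frame[23] not in (6, 17) or len(frame) < l4 + 4:
            continue  # only TCP (6) and UDP (17) carry ports
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        name = CLEARTEXT.get(dport) or CLEARTEXT.get(sport)
        if name:
            hits[name] += 1
    return hits

def _frame(proto: int, sport: int, dport: int) -> bytes:
    """Build a minimal constructed Ethernet/IPv4 frame for the sample capture."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport) + b"\x00" * 4

def sample_pcap() -> bytes:
    """Constructed capture: HTTP, Modbus/TCP both ways, HTTPS, mDNS, Telnet."""
    flows = [(6, 40000, 80), (6, 40001, 502), (6, 502, 40001),
             (6, 40002, 443), (17, 5353, 5353), (6, 40003, 23)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (_frame(*flow) for flow in flows):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for service, count in summarize_pcap(sample_pcap()).most_common():
        print(f"{service:12} {count} packet(s)")
```

To audit a real capture, pass the file's bytes instead of the sample, for example `summarize_pcap(open("capture.pcap", "rb").read())`.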

🏷️ Tags

passive Enumeration NetworkSecurity PortMirroring SPAN tcpdump linux clitool PenTestPlus