Dealing with SPAN port duplicate packets

Port mirroring or port spanning is a technique by which you can get a copy of packets from one or more switch ports sent to a network analyzer. Port spanning has become the most common mechanism to capture packets since the death of the Ethernet hub.

The following picture shows packets from ports 1,2,3 being spanned to port 6. We have attached Unsniff Network Analyzer to port 6.

[Figure: ports 1, 2 and 3 spanned to port 6, with Unsniff Network Analyzer attached to port 6]

Duplicate packets

You can span packets going into or out of a switch port, but typically you want a copy of both. The problem is that when both the ingress and egress ports are spanned, the network analyzer may see duplicate packets. The timestamps are different but the packet contents are the same. See here and here for more details of why this happens.

Note: You may even see more than two copies when switching broadcast, multicast, or frames with unknown unicast addresses.

Using Unsniff to eliminate duplicate packets

It goes without saying that these duplicates are a major headache. Unsniff has excellent support for culling duplicate packets. Unsniff can not only ignore duplicates but also triplicates or more.

Here is how you use the feature.

  • Select “Tools->Customize->Advanced”
  • Scroll down to the “Advanced Capture” section
  • Set the “Filter duplicate frames” to “True” as shown below

[Screenshot: the “Filter duplicate frames” setting in the “Advanced Capture” section]

  • Duplicate filter mode: Controls how far back in time Unsniff checks for a duplicate. It also controls whether only the headers (IP/Ethernet/etc.) or the full packet is used to detect a duplicate. For most cases use “Normal”; for lightly loaded switches use “Quick”. “Deep” gives the best results but will slow down Unsniff.

Now you can start capturing packets from SPAN ports. Duplicates are automatically culled and life is good again!
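The two things the duplicate filter mode is described as controlling, the look-back time and headers-only versus full-packet comparison, can be shown in a short added example. This is not Unsniff's implementation: `SpanDedup`, `dedup`, the 54-byte header length and the sample frames are all assumptions constructed for illustration.

```python
import hashlib
from collections import OrderedDict

HEADER_BYTES = 54  # assumption: Ethernet (14) + IPv4 (20) + TCP (20), no options

class SpanDedup:
    """Flag frames whose bytes were already seen within `window` seconds."""
    def __init__(self, window=0.005, full_packet=True):
        self.window = window            # how far back in time to look
        self.full_packet = full_packet  # False: compare header bytes only
        self.seen = OrderedDict()       # digest -> timestamp of first copy

    def is_duplicate(self, ts, frame):
        # Expire digests older than the look-back window (timestamps ascend).
        while self.seen:
            oldest_key, first_ts = next(iter(self.seen.items()))
            if ts - first_ts <= self.window:
                break
            self.seen.popitem(last=False)
        data = frame if self.full_packet else frame[:HEADER_BYTES]
        key = hashlib.sha256(data).digest()
        if key in self.seen:
            return True                 # second, third, ... copy of the frame
        self.seen[key] = ts
        return False

def dedup(packets, **options):
    """Return the (timestamp, frame) pairs that survive the filter."""
    flt = SpanDedup(**options)
    return [(ts, fr) for ts, fr in packets if not flt.is_duplicate(ts, fr)]

# Constructed sample capture (not real traffic): same header, two payloads.
_HDR = bytes(range(HEADER_BYTES))
FRAME_A = _HDR + b"payload-A"
FRAME_B = _HDR + b"payload-B"
SAMPLE = [
    (0.000000, FRAME_A),  # copy from the ingress port
    (0.000120, FRAME_A),  # copy from the egress port: later timestamp, same bytes
    (0.000200, FRAME_A),  # third copy, as with flooded frames
    (0.000300, FRAME_B),  # different frame that shares the header bytes
    (1.000000, FRAME_A),  # same bytes much later: outside the window, kept
]

if __name__ == "__main__":
    print(len(dedup(SAMPLE)))                     # full-packet comparison
    print(len(dedup(SAMPLE, full_packet=False)))  # headers-only comparison
    print(len(dedup(SAMPLE, window=0.0001)))      # look-back too short
```

Headers-only comparison is cheaper but in this sample also drops `FRAME_B`, and a look-back shorter than the gap between copies lets a duplicate through.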


Author: Vivek Rajagopalan

Vivek Rajagopalan is a lead developer for Trisul Network Analytics. Prior products were Unsniff Network Analyzer and Unbrowse SNMP. Loves working with packets, very high speed networks, and helping track down the bad guys on the internet.