How to Use Port Mirror to Capture Packets in the Controller
Port mirroring copies the Ethernet frames seen on a selected source port to a designated destination (monitor) port of a switch or router, without disrupting the normal forwarding of that traffic. Analyzing the captured packets is a valuable way to troubleshoot network problems, for example a router that cannot obtain an IP address from the ISP, or a client that cannot obtain an IP address or has other connectivity difficulties.
In practice, when a port cannot be observed directly, we combine port mirroring with packet capture to analyze the problem. Using the topology below as an example, this article shows how to configure port mirroring on Omada routers and switches managed in controller mode.
Equipment
- 1 x PC (Controller)
- 1 x Router (ER7206)
- 1 x Switch (TL-SG2210MP)
- 1 x EAP (EAP610)
Configuration Steps
Before the configuration steps, a word on Wireshark, the tool used here to capture packets. Wireshark is a free and open-source packet analyzer used for network troubleshooting, protocol analysis, software and protocol development, and education. You can download it from the official website at https://www.wireshark.org. On the monitoring PC, start the capture on the network interface that is plugged into the mirror destination port.
1. Port Mirror: Router
Applicable models: ER605 v2, ER7206 (requires gateway firmware released after Controller 5.6)
Mike set up a client-to-site L2TP VPN on the Controller, but after completing the configuration he found that the VPN connection did not work. To troubleshoot, we need to identify the step of the L2TP negotiation at which the failure occurs, which means capturing the router's WAN ingress and egress traffic. Port mirroring gives us that traffic.
1) Go to Devices, click the router's row to open the Properties window, and then click Ports.
2) Select LAN1 (port 4), the port to which the PC running the Controller is connected, and click Edit.
3) Configure the basic parameters for the port mirror:
- Enable Mirroring.
- Set the selected (mirrored) port to port 1, the WAN port.
- Set the Mirror Mode to Ingress and Egress, so that both directions of WAN traffic are copied.
- Click Apply.
4) After successfully applying Port Mirroring, you will notice a small eye-shaped icon next to LAN1.
5) Test verification:
Normally a PC on the LAN sees only its own traffic and broadcasts; frames whose source or destination IP address is the router's WAN address never reach it, because the router translates LAN traffic (NAT) before it leaves the WAN port. If packets carrying the WAN IP address appear in the capture, the port mirror is confirmed to be working.
Mike captured the packets shown below through the port mirror. In the capture, 192.168.1.104 is the L2TP client. The exchange fails during the initial phase of the ISAKMP (IKE phase 1) negotiation. (The display filter 'ip.addr == x.x.x.x' is commonly used to show only the packets of a given IP address.)
After investigation, Mike found that an incorrect password had been entered on the L2TP client. Since IKE phase 1 runs before the L2TP tunnel is built and before the PPP user login, a failure at this stage points at the IPsec pre-shared key or the IKE settings rather than at the user account. Once corrected, the negotiation completed successfully, as shown in the figure below.
2. Port Mirror: Switch
Applicable models: Smart and Managed switches (both the TL-SG2 series and the TL-SG3 series support port mirroring)
Jack's phone can associate with the EAP's wireless network but does not receive an IP address from the router. On investigation it turns out that the EAP itself cannot obtain an IP address. Because the switch delivers the exchange between the EAP and the router only to the ports involved, a monitoring PC on another switch port does not see it by default (broadcast frames aside). We therefore mirror the ingress and egress traffic of port 1, the router-facing port, to the PC's port.
1) Go to Devices, click the switch's row to open the Properties window, and then click Ports.
2) Select Port4, the port to which the PC is connected, and click Edit.
3) Configure the basic parameters for the port mirror:
- Enable Profile Overrides.
- Set the Operation to Mirroring.
- Set the selected (mirrored) port to port 1, the port connected to the router (the DHCP server).
- Click Apply.
4) After successfully applying Port Mirroring, you will notice a small eye-shaped icon at Port4.
5) Test verification:
Normally a PC captures only the traffic of its own switch port: frames addressed to it, plus broadcasts and flooded frames. If the capture also contains traffic that passes through other ports, such as the wireless client talking to the gateway or to the Internet, the switch's port mirror is confirmed to be working.
Jack captured the packets below with the switch port mirror configured as above. The EAP only sends DHCP Discover packets and never receives a reply such as a DHCP Offer, so the router is not assigning it an address. (The display filter 'dhcp' shows only DHCP traffic; on Wireshark releases older than 3.0 the same filter is named 'bootp'.)
On closer inspection Jack found that he had inadvertently disabled the DHCP service for the EAP's network. Once he corrected the configuration, the EAP completed the DHCP exchange shown below.
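Both verification steps in this article, the router's WAN address showing up in the capture (section 1) and traffic for other hosts showing up on the switch, here the EAP's DHCP exchange (section 2), can be checked mechanically against a saved capture instead of by eye. The script below is an added example written for this article; it is not TP-Link's, Omada's or Wireshark's code. It uses only the Python standard library, builds a small constructed pcap in memory (the WAN address 203.0.113.10, the MAC addresses and the frame contents are made up; only the L2TP client address 192.168.1.104 comes from the article), and reproduces Jack's finding of DHCP Discover with no Offer.

```python
import socket
import struct
from collections import Counter

# Constructed sample values for this example; only 192.168.1.104, the L2TP client
# address, comes from the article. 203.0.113.0/24 is a documentation range.
WAN_IP, VPN_CLIENT_IP = "203.0.113.10", "192.168.1.104"
PC_MAC = bytes.fromhex("0011223344aa")        # monitoring PC running Wireshark
ROUTER_MAC = bytes.fromhex("0011223344bb")
EAP_MAC = bytes.fromhex("0011223344cc")
PEER_MAC = bytes.fromhex("0011223344dd")      # next hop on the WAN side
BCAST_MAC = b"\xff" * 6
COOKIE = b"\x63\x82\x53\x63"                  # DHCP magic cookie; options follow it
DHCP_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "ACK", 6: "NAK"}

def udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet II / IPv4 / UDP frame; checksums are left zero (not verified here)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + udp
    return dst_mac + src_mac + b"\x08\x00" + ip

def dhcp_payload(op, msg_type, chaddr):
    """Minimal BOOTP message (RFC 2131 layout) carrying only option 53."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, 0x3903F326, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    return hdr + chaddr.ljust(16, b"\0") + b"\0" * 192 + COOKIE + bytes([53, 1, msg_type, 255])

def read_pcap(data):
    """Yield raw frames from a classic pcap (as Wireshark can save) in either byte order."""
    endian, off = ("<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"), 24
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def parse(frame):
    """Decode Ethernet/IPv4(/UDP) headers; None for anything that is not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    pkt = {"dst_mac": frame[:6], "src": socket.inet_ntoa(frame[26:30]),
           "dst": socket.inet_ntoa(frame[30:34]), "ports": set(), "payload": b""}
    if frame[23] == 17 and len(frame) >= 22 + ihl:        # protocol 17 = UDP
        pkt["ports"] = set(struct.unpack("!HH", frame[14 + ihl:18 + ihl]))
        pkt["payload"] = frame[22 + ihl:]
    return pkt

def dhcp_message_type(payload):
    """Walk the options after the magic cookie; return option 53 (message type)."""
    if payload[236:240] != COOKIE:
        return None
    i = 240
    while i + 2 < len(payload) and payload[i] != 255:     # 255 = end of options
        if payload[i] == 53:
            return payload[i + 2]
        i += 1 if payload[i] == 0 else 2 + payload[i + 1]  # pad (0) has no length byte
    return None

def wan_ip_seen(frames, wan_ip):
    """Section 1 check: WAN-side traffic never reaches a LAN host without the mirror."""
    return any(p and wan_ip in (p["src"], p["dst"]) for p in map(parse, frames))

def foreign_unicast_seen(frames, own_mac):
    """Section 2 check: unicast frames for another MAC arrive only through the mirror."""
    return any(p and p["dst_mac"] != own_mac and not (p["dst_mac"][0] & 1)
               for p in map(parse, frames))

def dhcp_summary(frames):
    """Count DHCP message types, the same view Wireshark's 'dhcp' filter gives."""
    counts = Counter()
    for p in map(parse, frames):
        if p and p["ports"] & {67, 68}:
            counts[DHCP_TYPES.get(dhcp_message_type(p["payload"]), "unknown")] += 1
    return counts

def diagnose_dhcp(counts):
    """Turn the tally into the conclusion Jack drew from his capture."""
    if counts["ACK"]:
        return "DHCP exchange completed"
    if counts["Discover"] and not counts["Offer"]:
        return "Discover sent but no Offer returned: DHCP server not answering"
    return "partial or no DHCP exchange captured"

def sample_pcap():
    """Constructed pcap: the L2TP client's IKE exchange (UDP 500) on the mirrored WAN
    port, plus an EAP that only ever sends DHCP Discover (Jack's failure case)."""
    discover = udp_frame(EAP_MAC, BCAST_MAC, "0.0.0.0", "255.255.255.255", 68, 67,
                         dhcp_payload(1, 1, EAP_MAC))
    frames = [udp_frame(PEER_MAC, ROUTER_MAC, VPN_CLIENT_IP, WAN_IP, 500, 500, b"\0" * 28),
              udp_frame(ROUTER_MAC, PEER_MAC, WAN_IP, VPN_CLIENT_IP, 500, 500, b"\0" * 28),
              discover, discover]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", n, 0, len(f), len(f)) + f
                          for n, f in enumerate(frames))

if __name__ == "__main__":
    frames = list(read_pcap(sample_pcap()))
    counts = dhcp_summary(frames)
    print("router mirror confirmed:", wan_ip_seen(frames, WAN_IP))
    print("switch mirror confirmed:", foreign_unicast_seen(frames, PC_MAC))
    print("dhcp:", dict(counts), "->", diagnose_dhcp(counts))
```

The two checks correspond to the Wireshark display filters used in the article: 'ip.addr == 203.0.113.10' (substitute your own WAN address) for section 1 and 'dhcp' for section 2. To run the same checks on a real capture, save it from Wireshark in the classic pcap (libpcap) format rather than the default pcapng, read the file's bytes and pass them to read_pcap() in place of sample_pcap(). The parser deliberately ignores checksums and anything that is not IPv4 over Ethernet II, so VLAN-tagged (802.1Q) frames on a trunk port would need the four-byte tag skipped before the IP header.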