TP-Link Switch as Network Tap

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

TP-Link Switch as Network Tap

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
TP-Link Switch as Network Tap
TP-Link Switch as Network Tap
2022-04-28 20:00:45
Model: TL-SG105E  
Hardware Version: V5
Firmware Version:

I have a question similar to this post from 2020:

https://community.tp-link.com/en/business/forum/topic/185164

 

I want to capture the traffic between my router and ISP modem by connecting the modem to port 1, the router to port 2, and my PC to port 5 where Wireshark is capturing the specific packets I want to observe. Miroring is simple.

What is not simple is preventing packets from my PC from going out ports 1 and 2.

 

The post from 2020 suggested creating an 802.1Q VLAN (10) for the mirror port, and......  "Check if can isolate the mirror port."  and the discussion ends. 

 

I don't mind spending $25 on Amazon to get an SG-105E, but would be rather annoyed if after doing so, it won't work.

 

Although the link between modem and router is gigabit, the actual internet capacity is only 200mbs, so the concern about being able to handle 1000m/Full does not seem to a factor.

 

Was hoping someone can advise if this will work... and specifically how to set it up.

 

Thanks

 

  0      
  0      
#1
Options
4 Reply
Re:TP-Link Switch as Network Tap
2022-04-29 09:25:17

  @UnWired 

 

It seems to me that what you need is very difficult to achieve, and with VLANs done, port mirroring may not work.
Isn't your router a tplink one?

Their routers do support port mirroring directly on the router, much easier.

Just striving to develop myself while helping others.
  0  
  0  
#2
Options
Re:TP-Link Switch as Network Tap
2022-04-29 15:16:27

  @Virgo 

Thanks for taking the time to respond.  Alas, I do not have a TP-Link router.  My Netgear router has an option "WAN Port Mirror to LAN Port 1", but that was not successful.

 

Guess I'm screwed.

  0  
  0  
#3
Options
Re:TP-Link Switch as Network Tap
2022-04-30 20:50:03

Amazon delivered the TP-Link SG105E.  (I have spent more than $25 on a bottle of wine, so if this doesn't work I am not "out that much".)

The plan is:

Port 1 - VLAN 1 - ISP modem

Port 2 - VLAN1 -  Customer router

Port 3 -

Port 4 -

Port 5 - VLAN2 - Cable to Wireshark

 

Ethernet on Wireshark with Static IP of 192.168.0.2 (default subnet for TP-Link SG105E), subnet mask 255.255.255.0, no gateway.

 

Mirror Port 1 Ingress & Egress to Port 5.

 

Based on the previous discussion, the experiment will discover which takes precedence:

  • Port mirroring is a hardware level activity, independent of port settings, so packets will appear on Port 5.
  • VLAN configuration takes precedence, so nothing will appear on Port 5 because Port 5 is in a different VLAN.
    (Which implies that Port Mirroring can take place only within ports that are in the same VLAN.)

 

Would be helpful if someone knows about this and can provide guidance.  But....

 

Now to wait until I have the house to myself and see if this kills my network.

 

 

  0  
  0  
#4
Options
Re:TP-Link Switch as Network Tap
2022-04-30 23:12:55 - last edited 2022-04-30 23:30:01

While waiting to have the house to myself, I decided to experiment with an existing SG108E switch which is used to connect a bunch of devices to the router.

Discovered this comment on page 22 of the user manual:

 

"The port mirror function can take effect the multiple VLANs". This appears to indicate that this should work.

 

Tap connects to port 1, which is VLAN 2.

Port 2 connects to the router and remains in VLAN1 (default).

Ports 3-8 connect to various devices (printers, PCs, PowerLine adapter, Raspberry Pis.

 

Mirror Port 2 to Port 1.

 

What I expected was to capture all packets that go in and out of Port 2 (Ingress and Egress).  But, this is not what happened.

 

  • If a PC on port 5 pings someplace on the internet, Wireshark captures the outgoing ICMP packets, but does not capture the returns.
  • When a PC on the regular network pings devices on the TP switch, none of the incoming ICMP packets are captured, but the echo packets from one device are captured (and another device not captured).

 

Very puzzled.

 

Any suggestions?

  0  
  0  
#5
Options