SG-1100 span port only sending broadcast and multicast
-
Hi all, have a brand new SG-1100 all set up with LAN going to AP/switch and OPT going to IDS for full capture. LAN interface is a member of a bridge with OPT as the SPAN port. No other configuration or packages installed except a couple port forwarding rules.
I tried multiple physical and virtual machines (Linux and Windows) with Wireshark connected and all firewalls disabled as well and on all of them and for some reason I can only see broadcast and multicast traffic coming through. Looking at the traffic graph it seem like all traffic is getting sent to opt.
Any ideas?
-
It's almost certainly being filtered by the switch. Unfortunately we don't yet have a way to enable a span port on the switch which is what would be required here.
Your only option there would be to use a USB NIC. Those are generally not recommended though. Performance can vary wildly.Steve
-
Oh no, really? That's unfortunate as I was hoping buying the SG-1100 fit perfect in what I needed, this was the last piece. I didn't want to have to add an additional switch and another hop, keep it powered on UPS, just for a span/mirror port.
-
It may be possible in some CLI script way. Let me see what I can find....
-
I owe you some beers sir!
-
Thanks again for looking into this, just checking if anything turned up?
-
Nothing yet I'm afraid. I did look into it but the available tools may not be sufficient.
I have asked upstream.
Steve
-
Really appreciate the effort, I will keep an eye out.
