SG-1100 span port only sending broadcast and multicast

thisguy

Hi all, have a brand new SG-1100 all set up with LAN going to AP/switch and OPT going to IDS for full capture. LAN interface is a member of a bridge with OPT as the SPAN port. No other configuration or packages installed except a couple port forwarding rules.

I tried multiple physical and virtual machines (Linux and Windows) with Wireshark connected and all firewalls disabled as well and on all of them and for some reason I can only see broadcast and multicast traffic coming through. Looking at the traffic graph it seem like all traffic is getting sent to opt.

Any ideas?

stephenw10

It's almost certainly being filtered by the switch. Unfortunately we don't yet have a way to enable a span port on the switch which is what would be required here.
Your only option there would be to use a USB NIC. Those are generally not recommended though. Performance can vary wildly.

Steve

thisguy

Oh no, really? That's unfortunate as I was hoping buying the SG-1100 fit perfect in what I needed, this was the last piece. I didn't want to have to add an additional switch and another hop, keep it powered on UPS, just for a span/mirror port.

stephenw10

It may be possible in some CLI script way. Let me see what I can find....

thisguy

I owe you some beers sir!

thisguy

Thanks again for looking into this, just checking if anything turned up?

stephenw10

Nothing yet I'm afraid. I did look into it but the available tools may not be sufficient.

I have asked upstream.

Steve

thisguy

Really appreciate the effort, I will keep an eye out.

zombat

@stephenw10 said in SG-1100 span port only sending broadcast and multicast:

Nothing yet I'm afraid. I did look into it but the available tools may not be sufficient.
I have asked upstream.
Steve

Hi, any luck with the span port? I am looking at the same setup as well.

Thanks

stephenw10

Not directly in the switch. I believe the switch hardware can do it but poking the correct registers in the switch to make it do it proved difficult.
I was hoping to be able to use etherswitchcfg directly since it has direct register capability but it seems only a limited subset are accessible.

Steve

zombat

@stephenw10 Thanks Steve.