Top 5 Ways to Get a Network Traffic Source on Your Network


In my last blog post, I looked at "How Rapid7 Customers Are Using Network Traffic Analysis in Detection and Response." However, none of these use cases are possible without a source of network traffic: if you want to monitor traffic on your network, you need a source of network packets. Thankfully, there are many options available, and in this post I am going to take a brief look at the five most popular.


1. SPAN or port mirroring on physical switches


A SPAN or mirror port is a passive way to get a copy of traffic from a network switch. Most managed switches will have options for setting up port or VLAN mirroring. If supported by your switch vendor, VLAN mirroring is easy and powerful. For example, the single command "monitor session 1 source vlan 1 both" allows you to instantly monitor all the traffic to and from the servers in your server VLAN, if that VLAN uses VLAN ID 1.


When configured, the switch will send a copy of the selected port or VLAN traffic to a nominated port. This is a passive method of traffic capture that does not interfere with the communication between clients and servers. If you want to read up on what options are available for your switches, there is a useful resource at this link that has a reference for the most popular vendors and switches.
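One way to check from the analysis host that a mirror session is really delivering both directions of server traffic is sketched below. This is an added example, not from the original post: it parses `tcpdump -nn` text output captured on the mirror-facing interface, and the server subnet 10.0.1.0/24, the function names and the sample lines are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Address part of `tcpdump -nn` IPv4 output, with or without ports:
#   12:00:00.000001 IP 10.0.2.55.51234 > 10.0.1.10.443: Flags [S], ...
LINE_RE = re.compile(
    r"\bIP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)

def mirror_coverage(lines, server_net):
    """Count mirrored packets seen to and from each server in server_net."""
    net = ipaddress.ip_network(server_net)
    counts = defaultdict(lambda: {"to_server": 0, "from_server": 0})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # ARP, IPv6 and other lines are not parsed here
        src, dst = (ipaddress.ip_address(a) for a in m.groups())
        if src in net:
            counts[str(src)]["from_server"] += 1
        if dst in net:
            counts[str(dst)]["to_server"] += 1
    return dict(counts)

def one_way_servers(counts):
    """Servers seen in one direction only. Either the mirror is copying
    just rx or just tx, or the server never replied: investigate both."""
    return sorted(ip for ip, c in counts.items()
                  if c["to_server"] == 0 or c["from_server"] == 0)

# Constructed sample capture (not real traffic); 10.0.1.0/24 is the
# assumed server VLAN subnet.
SAMPLE = """\
12:00:00.000001 IP 10.0.2.55.51234 > 10.0.1.10.443: Flags [S], seq 1, length 0
12:00:00.000210 IP 10.0.1.10.443 > 10.0.2.55.51234: Flags [S.], seq 9, ack 2, length 0
12:00:00.000400 IP 10.0.2.55.51234 > 10.0.1.10.443: Flags [.], ack 10, length 0
12:00:01.100000 IP 10.0.2.60.40000 > 10.0.1.20.22: Flags [S], seq 5, length 0
12:00:02.100000 IP 10.0.2.60.40000 > 10.0.1.20.22: Flags [S], seq 5, length 0
12:00:03.000000 ARP, Request who-has 10.0.1.1 tell 10.0.1.10, length 28
""".splitlines()

if __name__ == "__main__":
    coverage = mirror_coverage(SAMPLE, "10.0.1.0/24")
    for ip, c in sorted(coverage.items()):
        print(ip, c)
    print("one-way only:", one_way_servers(coverage))
```
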


In a typical setup, your network traffic analysis tool is connected to a SPAN or mirror port on a core switch.
