Monday, 26 September 2016

SPAN (Switch Port Analyzer)

What is SPAN and why is it needed?

The SPAN feature was introduced on switches because of a fundamental difference between switches and hubs. When a hub receives a frame on one port, it sends a copy of that frame out of every port except the one on which it arrived. A switch, by contrast, starts to build a Layer 2 forwarding table after it boots, keyed on the source MAC addresses of the frames it receives. Once an entry exists for a MAC address, the switch forwards traffic destined for that address only to the corresponding port.

For example, if you want to capture Ethernet traffic that is sent by host A to host B, and both are connected to a hub, just attach a sniffer to this hub. All other ports see the traffic between hosts A and B:


On a switch, after the host B MAC address is learned, unicast traffic from A to B is only forwarded to the B port. Therefore, the sniffer does not see this traffic:


In this configuration, the sniffer only captures traffic that is flooded to all ports, such as:

Broadcast traffic
Multicast traffic with CGMP or Internet Group Management Protocol (IGMP) snooping disabled
Unknown unicast traffic

Unicast flooding occurs when the switch does not have the destination MAC in its content-addressable memory (CAM) table. The switch does not know where to send the traffic. The switch floods the packets to all the ports in the destination VLAN.

An extra feature is necessary that artificially copies unicast packets that host A sends to the sniffer port:


In this diagram, the sniffer is attached to a port that is configured to receive a copy of every packet that host A sends. This port is called a SPAN port. The other sections of this document describe how you can tune this feature very precisely in order to do more than just monitor a port.
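To make the hub-versus-switch behaviour concrete, here is a small learning-switch model, added for this post and not Cisco's code. It shows that a sniffer on an ordinary port only sees flooded frames (broadcast and unknown unicast), and that a local SPAN session copies a monitored port's ingress and/or egress to the destination port. Port names (Gi1, Gi2, Gi3), MAC addresses and the method names are assumptions made up for the example.

```python
"""Added example: a tiny learning-switch model that shows why a sniffer on an
ordinary switch port misses unicast traffic and what a local SPAN session
changes. Illustrative code written for this post, not Cisco's implementation;
port names, MAC addresses and the method names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class LearningSwitch:
    """Single-VLAN switch: learns source MACs, floods what it cannot look up."""
    ports: Set[str]
    cam: Dict[str, str] = field(default_factory=dict)           # MAC -> port
    span_sources: Dict[str, str] = field(default_factory=dict)  # port -> rx/tx/both
    span_dest: Optional[str] = None

    def configure_local_span(self, sources, dest, direction="both"):
        """Local SPAN: copy traffic of each source port to the destination port."""
        if dest in sources:
            raise ValueError("a SPAN destination port cannot also be a source port")
        if dest not in self.ports or not set(sources) <= self.ports:
            raise ValueError("source and destination must be ports on this switch")
        self.span_sources = {p: direction for p in sources}
        self.span_dest = dest

    def forward(self, in_port: str, src: str, dst: str) -> Set[str]:
        """Return the set of ports a frame arriving on in_port is sent out of."""
        self.cam[src] = in_port                      # learn the source MAC
        if dst != BROADCAST and dst in self.cam:
            out = {self.cam[dst]}                    # known unicast: one port
        else:
            out = self.ports - {in_port}             # broadcast / unknown unicast: flood
        out.discard(in_port)                         # never back out the arrival port
        out.discard(self.span_dest)                  # SPAN destination carries no production traffic
        # SPAN copy: ingress on a monitored port, or egress out of a monitored port.
        ingress_hit = self.span_sources.get(in_port) in ("rx", "both")
        egress_hit = any(self.span_sources.get(p) in ("tx", "both") for p in out)
        if self.span_dest is not None and (ingress_hit or egress_hit):
            out.add(self.span_dest)
        return out


if __name__ == "__main__":
    sw = LearningSwitch(ports={"Gi1", "Gi2", "Gi3"})
    A, B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    print("unknown unicast A->B:", sw.forward("Gi1", A, B))   # flooded, sniffer on Gi3 sees it
    print("reply B->A:", sw.forward("Gi2", B, A))
    print("known unicast A->B:", sw.forward("Gi1", A, B))     # only Gi2, sniffer sees nothing
    sw.configure_local_span(sources=["Gi1"], dest="Gi3", direction="both")
    print("A->B with SPAN:", sw.forward("Gi1", A, B))          # Gi2 plus a copy to Gi3
```

On a Catalyst switch running IOS the session in the last step is configured with "monitor session 1 source interface gigabitEthernet1/0/1 both" and "monitor session 1 destination interface gigabitEthernet1/0/24", and checked with "show monitor session 1"; the model above only reproduces the forwarding decision, not the platform limits on session counts or destination port types.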


SPAN Terminology

  • Ingress traffic - Traffic that enters the switch.
  • Egress traffic - Traffic that leaves the switch.
  • Source (SPAN) port - A port that is monitored with use of the SPAN feature.
  • Source (SPAN) VLAN - A VLAN whose traffic is monitored with use of the SPAN feature.
  • Destination (SPAN) port - A port that monitors source ports, usually where a network analyzer is connected.
  • Reflector port - A port that copies packets onto an RSPAN VLAN.
  • Monitor port - A monitor port is also a destination SPAN port in Catalyst 2900XL/3500XL/2950 terminology.
  • Local SPAN - The SPAN feature is local when the monitored ports are all located on the same switch as the destination port, in contrast to Remote SPAN (RSPAN), defined next.
  • Remote SPAN (RSPAN) - Some source ports are not located on the same switch as the destination port. RSPAN is an advanced feature that requires a special VLAN to carry the traffic that is monitored by SPAN between switches. RSPAN is not supported on all switches; check the respective release notes or configuration guide to see if you can use RSPAN on the switch that you deploy.
  • Port-based SPAN (PSPAN) - The user specifies one or several source ports on the switch and one destination port.
  • VLAN-based SPAN (VSPAN) - On a particular switch, the user can choose to monitor all the ports that belong to a particular VLAN in a single command.
  • ESPAN - Enhanced SPAN. This term has been used several times during the evolution of SPAN to name additional features, so it is not very precise and is avoided in this document.
  • Administrative source - A list of source ports or VLANs that have been configured to be monitored.
  • Operational source - A list of ports that are effectively monitored. This list can differ from the administrative source: for example, a port that is in shutdown mode can appear in the administrative source but is not effectively monitored.

Characteristics of Source VLAN


VSPAN is the monitoring of the network traffic in one or more VLANs. The SPAN or RSPAN source interface in VSPAN is a VLAN ID, and traffic is monitored on all the ports for that VLAN.
VSPAN has these characteristics:
  • All active ports in the source VLAN are included as source ports and can be monitored in either or both directions.
  • On a given port, only traffic on the monitored VLAN is sent to the destination port.
  • If a destination port belongs to a source VLAN, it is excluded from the source list and is not monitored.
  • If ports are added to or removed from the source VLANs, the traffic on the source VLAN received by those ports is added to or removed from the sources that are monitored.
  • You cannot use filter VLANs in the same session with VLAN sources.
  • You can monitor only Ethernet VLANs.

Characteristics of Destination Port

Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports and VLANs.
A destination port has these characteristics:
  • A destination port must reside on the same switch as the source port (for a local SPAN session).
  • A destination port can be any Ethernet physical port.
  • A destination port can participate in only one SPAN session at a time. A destination port in one SPAN session cannot be a destination port for a second SPAN session.
  • A destination port cannot be a source port.
  • A destination port cannot be an EtherChannel group.
  • A destination port can be a physical port that is assigned to an EtherChannel group, even if the EtherChannel group has been specified as a SPAN source. The port is removed from the group while it is configured as a SPAN destination port.
  • The port does not transmit any traffic except that traffic required for the SPAN session unless learning is enabled. If learning is enabled, the port also transmits traffic directed to hosts that have been learned on the destination port.
  • The state of the destination port is up/down by design. The interface shows the port in this state in order to make it evident that the port is currently not usable as a production port.
  • If ingress traffic forwarding is enabled for a network security device (for example an IDS that needs to send TCP resets), the destination port forwards the traffic it receives from that device at Layer 2.
  • A destination port does not participate in spanning tree while the SPAN session is active.
  • When it is a destination port, it does not participate in any of the Layer 2 protocols (STP, VTP, CDP, DTP, PAgP).
  • A destination port that belongs to a source VLAN of any SPAN session is excluded from the source list and is not monitored.
  • A destination port receives copies of sent and received traffic for all monitored source ports. If a destination port is oversubscribed, it can become congested. This congestion can affect traffic forwarding on one or more of the source ports.

Characteristics of Reflector Port

The reflector port is the mechanism that copies packets onto an RSPAN VLAN. The reflector port forwards only the traffic from the RSPAN source session with which it is affiliated. Any device connected to a port set as a reflector port loses connectivity until the RSPAN source session is disabled.


The reflector port has these characteristics:
  • It is a port set to loopback.
  • It cannot be an EtherChannel group, it does not trunk, and it cannot do protocol filtering.
  • It can be a physical port that is assigned to an EtherChannel group, even if the EtherChannel group is specified as a SPAN source. The port is removed from the group while it is configured as a reflector port.
  • A port used as a reflector port cannot be a SPAN source or destination port, nor can a port be a reflector port for more than one session at a time.
  • It is invisible to all VLANs.
  • The native VLAN for looped-back traffic on a reflector port is the RSPAN VLAN.
  • The reflector port loops back untagged traffic to the switch. The traffic is then placed on the RSPAN VLAN and flooded to any trunk ports that carry the RSPAN VLAN.
  • Spanning tree is automatically disabled on a reflector port.
  • A reflector port receives copies of sent and received traffic for all monitored source ports.

Sunday, 25 September 2016

Cloud Computing

What is the cloud? Where is the cloud? Are we in the cloud now? These are all questions you've probably heard or even asked yourself. The term "cloud computing" is everywhere.
In the simplest terms, cloud computing means storing and accessing data and programs over the Internet instead of your computer's hard drive. The cloud is just a metaphor for the Internet. It goes back to the days of flowcharts and presentations that would represent the gigantic server-farm infrastructure of the Internet as nothing but a puffy, white cumulus cloud, accepting connections and doling out information as it floats.

What cloud computing is not about is your hard drive. When you store data on or run programs from the hard drive, that's called local storage and computing. Everything you need is physically close to you, which means accessing your data is fast and easy, for that one computer, or others on the local network. Working off your hard drive is how the computer industry functioned for decades; some would argue it's still superior to cloud computing, for reasons I'll explain shortly.
The cloud is also not about having dedicated network attached storage (NAS) hardware or a server in residence. Storing data on a home or office network does not count as utilizing the cloud. (However, some NAS devices will let you remotely access things over the Internet, and there's at least one brand from Western Digital named "My Cloud," just to keep things confusing.)
For it to be considered "cloud computing," you need to access your data or your programs over the Internet, or at the very least, have that data synced with other information over the Web. In a big business, you may know all there is to know about what's on the other side of the connection; as an individual user, you may never have any idea what kind of massive data processing is happening on the other end. The end result is the same: with an online connection, cloud computing can be done anywhere, anytime.


Consumer vs. Business

Let's be clear here. We're talking about cloud computing as it impacts individual consumers—those of us who sit back at home or in small-to-medium offices and use the Internet on a regular basis.

There is an entirely different "cloud" when it comes to business. Some businesses choose to implement Software-as-a-Service, where the business subscribes to an application it accesses over the Internet. There's also Platform-as-a-Service, where a business can create its own custom applications for use by all in the company. And don't forget the mighty Infrastructure-as-a-Service, where players like Amazon, Microsoft, Google, and Rackspace provide a backbone that can be "rented out" by other companies. (For example, Netflix provides services to you because it's a customer of the cloud services at Amazon.)
Of course, cloud computing is big business: The market generated $100 billion a year in 2012, which could be $127 billion by 2017 and $500 billion by 2020.

Common Cloud Examples

The lines between local computing and cloud computing sometimes get very, very blurry. That's because the cloud is part of almost everything on our computers these days. You can easily have a local piece of software (for instance, Microsoft Office 365) that utilizes a form of cloud computing for storage .
That said, Microsoft also offers a set of Web-based apps, Office Online, that are Internet-only versions of Word, Excel, PowerPoint, and OneNote accessed via your Web browser without installing anything. That makes them a version of cloud computing (Web-based=cloud).
Some other major examples of cloud computing you're probably using:
Google Drive: This is a pure cloud computing service, with all the storage found online so it can work with the cloud apps: Google Docs, Google Sheets, and Google Slides. Drive is also available on more than just desktop computers; you can use it on tablets like the iPad or on smartphones, and there are separate apps for Docs and Sheets, as well. In fact, most of Google's services could be considered cloud computing: Gmail, Google Calendar, Google Maps, and so on.
Apple iCloud: Apple's cloud service is primarily used for online storage, backup, and synchronization of your mail, contacts, calendar, and more. All the data you need is available to you on your iOS, Mac OS, or Windows device (Windows users have to install the iCloud control panel). Naturally, Apple won't be outdone by rivals: it offers cloud-based versions of its word processor (Pages), spreadsheet (Numbers), and presentations (Keynote) for use by any iCloud subscriber. iCloud is also the place iPhone users go to utilize the Find My iPhone feature that's all important when the handset goes missing.

Amazon Cloud Drive: Storage at the big retailer is mainly for music, preferably MP3s that you purchase from Amazon, and images—if you have Amazon Prime, you get unlimited image storage. Amazon Cloud Drive also holds anything you buy for the Kindle. It's essentially storage for anything digital you'd buy from Amazon, baked into all its products and services.
Hybrid services like Box, Dropbox, and SugarSync all say they work in the cloud because they store a synced version of your files online, but they also sync those files with local storage. Synchronization is a cornerstone of the cloud computing experience, even if you do access the file locally.
Likewise, it's considered cloud computing if you have a community of people with separate devices that need the same data synced, be it for work collaboration projects or just to keep the family in sync. For more, check out The Best Cloud Storage and File-Syncing Services for 2016.

Cloud Hardware

Right now, the primary example of a device that is completely cloud-centric is the Chromebook. These are laptops that have just enough local storage and power to run the Chrome OS, which essentially turns the Google Chrome Web browser into an operating system. With a Chromebook, most everything you do is online: apps, media, and storage are all in the cloud.

Or you can try a Chromebit, a smaller-than-a-candy-bar stick that turns any display with an HDMI port into a usable computer running Chrome OS.
Of course, you may be wondering what happens if you're somewhere without a connection and you need to access your data. This is currently one of the biggest complaints about Chrome OS, although its offline functionality (that is, its non-cloud abilities) is expanding.

Arguments Against the Cloud


The ISPs, telcos, and media companies control your access. Putting all your faith in the cloud means you're also putting all your faith in continued, unfettered access. You might get this level of access, but it'll cost you. And it will continue to cost more and more as companies find ways to make you pay by doing things like metering your service: the more bandwidth you use, the more it costs.

Maybe you trust those corporations. That's fine, but there are plenty of other arguments against going into the cloud whole hog. Apple co-founder Steve Wozniak decried cloud computing in 2012, saying: "I think it's going to be horrendous. I think there are going to be a lot of horrible problems in the next five years."
In part, that comes from the potential for crashes. When there are problems at a company like Amazon, which provides cloud storage services to big name companies like Netflix and Pinterest, it can take out all those services (as happened in the summer of 2012). In 2014, outages afflicted Dropbox, Gmail, Basecamp, Adobe, Evernote, iCloud, and Microsoft; in 2015 the outages hit Apple, Verizon, Microsoft, AOL, Level 3, and Google. Microsoft had another this year. The problems typically last for just hours.

Thursday, 22 September 2016

How-to: Installing Wireshark

Installing Wireshark is a piece of cake. Binary versions can be downloaded for Windows or Macintosh OS X. Wireshark is also available through the standard software distribution systems for most flavors of Unix/Linux, and the source code is also available for installation on other operating systems.

The Wireshark development team built the Windows version on top of the WinPcap packet capture library, so those running Windows must install WinPcap if they haven't already. (Current Wireshark releases ship with Npcap, WinPcap's maintained successor, instead; the installer steps below are the same.) One word of caution: if you're running an outdated version of WinPcap, remove it manually through the "Add/Remove Programs" control panel before running the Wireshark installer.

The installation process uses a familiar wizard-based sequence that asks only two significant questions: whether you want to install WinPcap and whether you want to start the WinPcap Netgroup Packet Filter (NPF) service at startup. Selecting the latter option allows users without administrator privileges to capture packets; if you don't start this service, only administrators will be able to capture with Wireshark. Bear in mind that enabling it means every local account on the machine can sniff, so leave it off on shared systems.

Running a simple packet capture

Once Wireshark is installed, start it up and you'll be presented with the blank screen shown below:



To start capturing, choose Interfaces from the Capture menu. You'll see a pop-up window similar to the one below:



If you'd like to configure advanced options, such as capturing to a file, resolving MAC addresses and DNS names, or limiting the time or size of the capture, click the Options button for the interface you wish to configure. Many of these options help Wireshark perform better: for example, turning name resolution off avoids the delays and the flood of DNS queries that lookups otherwise generate on the capture system (queries that are themselves visible on the wire), and time and size limits keep unattended captures bounded. Otherwise, simply click the Start button next to the name of the interface on which you wish to capture traffic. The Wireshark screen will immediately begin filling with traffic seen on the network interface, as shown below:

Interpreting the results with Wireshark color codes

Each line in the top pane of the Wireshark window corresponds to a single packet seen on the network. The default display shows the time of the packet (relative to the initiation of the capture), the source and destination IP addresses, the protocol used and some information about the packet. You can drill down and obtain more information by clicking on a row. This causes the bottom two window panes to fill with information.


The middle pane contains drill-down details on the packet selected in the top pane. The "+" icons reveal varying levels of detail about each layer of information contained within the packet. In the example above, I've selected a DNS response packet. I've expanded the DNS response (application layer) section of the packet to show that the original query was requesting a DNS resolution for www.cnn.com, and this response is informing us that the available IP addresses include 64.236.91.21. The bottom pane shows the contents of the packet in both hexadecimal and ASCII representations.
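To see what Wireshark's DNS dissector is doing when it fills the middle pane, here is a hand-written parser for a DNS response, added for this post and not code from Wireshark. It builds a constructed DNS reply (the question www.cnn.com and the answer 64.236.91.21 are the values from the screenshot description; the transaction ID 0x1234 and TTL 300 are made up), decodes the header, question and answer including the name-compression pointer, and prints the same hex-plus-ASCII view as the bottom pane.

```python
"""Added example: parsing a DNS response by hand, the way a dissector does.

Written for this post, not taken from Wireshark. The bytes are a constructed
DNS response (www.cnn.com -> 64.236.91.21, the values from the screenshot);
the transaction ID and TTL are made-up values.
"""
import struct
from ipaddress import IPv4Address


def build_sample_response() -> bytes:
    """Constructed UDP payload: one question, one A answer using name compression."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # id, flags(QR,RD,RA), counts
    qname = b"\x03www\x03cnn\x03com\x00"
    question = qname + struct.pack("!HH", 1, 1)                   # type A, class IN
    answer = (b"\xc0\x0c"                                          # pointer to the name at offset 12
              + struct.pack("!HHIH", 1, 1, 300, 4)                 # type A, IN, TTL 300, rdlength 4
              + IPv4Address("64.236.91.21").packed)
    return header + question + answer


def read_name(data: bytes, offset: int):
    """Decode a (possibly compressed) domain name; return (name, next_offset)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                                  # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                                   # the name field ends after the pointer
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_dns(data: bytes) -> dict:
    """Parse header, question section and A-record answers of a DNS message."""
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    msg = {"id": tid, "is_response": bool(flags & 0x8000),
           "rcode": flags & 0xF, "questions": [], "answers": []}
    offset = 12
    for _ in range(qd):
        name, offset = read_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        msg["questions"].append((name, qtype, qclass))
    for _ in range(an):
        name, offset = read_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        value = str(IPv4Address(rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        msg["answers"].append((name, rtype, ttl, value))
    return msg


def hexdump(data: bytes, width: int = 16) -> str:
    """Hex + ASCII view like the bottom pane in Wireshark."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{i:04x}  {hexpart}  {asc}")
    return "\n".join(lines)


if __name__ == "__main__":
    pkt = build_sample_response()
    print(parse_dns(pkt))
    print(hexdump(pkt))
```

The pointer handling in read_name is the part that matters for a real capture: the answer's name is just the two bytes c0 0c referring back to the question, and a parser that follows pointers without bounding them is a classic way to loop forever on a malicious packet.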

Wireshark color codes

Color is your friend when analyzing packets with Wireshark. Notice in the example above that each row is color-coded. The darker blue rows correspond to DNS traffic, the lighter blue rows are UDP SNMP traffic, and the green rows signify HTTP traffic. Wireshark includes a complex color-coding scheme (which you can customize). The default settings appear below:



That sums up the basics of using Wireshark to capture and analyze network traffic. The best way to become an expert quickly is to get your hands dirty and start capturing network traffic. There's no doubt you'll find that it can be a helpful tool for everything from configuring firewall rules to spotting an intrusion. Remember, however, that you must always have permission from the network owner before capturing traffic on any network. In future tips I'll look at advanced Wireshark techniques, including writing traffic filters to simplify packet analysis and exporting data for use in other applications.

Wednesday, 21 September 2016

Wireshark- how to sniff network traffic

Wireshark is the most popular network analysis tool available, and it is free. This analyzer can inspect traffic, help identify denial-of-service attacks and troubleshoot devices and firewalls.



Wireshark, formerly known as Ethereal, is one of the most powerful tools in a network security analyst's kit. As a network packet analyzer, Wireshark can peer inside the network and examine the details of traffic at a variety of levels, ranging from connection-level information to the bits comprising a single packet. This flexibility and depth of inspection allows the valuable tool to analyze security events and troubleshoot network security device issues.



How to sniff network traffic and why sniff the network?

Sniffing the network is, in effect, the network administrator reading everyone's private messages. Before anyone uses Wireshark, an organization should have a clearly defined privacy policy that spells out the rights of individuals using its network, grants permission to sniff traffic for security and troubleshooting purposes, and states the organization's requirements for obtaining, analyzing and retaining network traffic dumps. Anyone who uses a tool like Wireshark without first obtaining the necessary permissions may quickly find themselves in hot water legally.


As a security professional, there are two important reasons to sniff network traffic. The first is incident analysis: if a denial of service occurs, Wireshark can be used to identify the specific type of attack, and the characteristics of the captured traffic (sources, ports, flags, payload patterns) can then be turned into upstream firewall rules that block the unwanted traffic. The second major use of Wireshark is to troubleshoot security devices, specifically firewall rules. If systems running Wireshark are connected to either side of a firewall, it's easy to see which packets successfully traverse the device and whether the firewall is the cause of connectivity problems.

It's important to remember that Wireshark can be used for good or for evil, as is the case with many security analyzers. In the hands of a network or security administrator it's a valuable troubleshooting tool. In the hands of someone with questionable ethics, however, it's a powerful eavesdropping tool that enables someone to view every packet that traverses the network.

Saturday, 17 September 2016

Packet Sniffing Technology

Packet sniffers are tools that are commonly used by network technicians to diagnose network-related problems. Packet sniffers can also be used by hackers for less than noble purposes such as spying on network user traffic and collecting passwords.

Let's take a look at what a packet sniffer is and what it does:

Packet sniffers come in a couple of different forms. Some used by network technicians are purpose-built hardware appliances, while others are software applications that run on standard consumer-grade computers and use the host's own network interface to capture (and sometimes inject) packets.

How do Packet Sniffers Work?

Packet sniffers work by intercepting and logging network traffic that they can 'see' via the wired or wireless network interface that the packet sniffing software has access to on its host computer.


On a wired network, what can be captured depends on the structure of the network. A packet sniffer might be able to see traffic on an entire network or only a certain segment of it, depending on how the network switches are configured, placed, etc. On wireless networks, packet sniffers can usually only capture one channel at a time unless the host computer has multiple wireless interfaces that allow for multichannel capture.

Once the raw packet data is captured, the packet sniffing software must decode it and present it in human-readable form so that the person using it can make sense of it. The analyst can then view the details of the 'conversation' between two or more nodes on the network. Network technicians use this to determine where a fault lies, such as which device failed to respond to a network request.

Attackers use sniffers to read unencrypted data in the packets and see what information is being exchanged between two parties. They can capture credentials such as passwords and authentication tokens if these are sent in the clear, and they can record packets for later use in replay, man-in-the-middle and packet injection attacks against systems that are vulnerable to them.

What Software Tools are Commonly Used in Packet Sniffing?

Just like everybody else, both network engineers and hackers love free stuff, which is why open source and freeware sniffer software applications are often the tools of choice for packet sniffing tasks. One of the more popular open source offerings is: Wireshark (previously known as Ethereal).

How can we Protect our Network and its Data From Hackers Using Sniffers?

If you are a network technician or administrator and want to see whether anyone on your network is using a sniffer, check out a tool called Antisniff. Antisniff tries to detect network interfaces that have been put into promiscuous mode, the mode required to capture traffic not addressed to the host. Two caveats: such checks only work against hosts on the same Layer 2 segment and depend on the target's operating system, so a clean result is not proof of absence; and a sniffer attached to a SPAN port or a passive tap never transmits and cannot be detected this way at all.
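One of the probes tools like Antisniff rely on is an ARP request sent to a bogus destination MAC: a NIC in normal mode drops a frame whose destination is neither its own address nor the real broadcast address, but in promiscuous mode the frame is passed up to the stack, the ARP layer sees its own IP as the target, and the host answers. The code below, added for this post and not Antisniff's own, builds that frame byte by byte and models both kinds of host so the difference can be seen offline; the MAC and IP addresses are made up, and the host model is a simplification of what real kernels do.

```python
"""Added example: the 'bogus-destination ARP' probe used to spot a promiscuous
interface. Written for this post, not Antisniff's code. The MACs and IPs are
made up, and the host model below is a simplification of a real kernel.
"""
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
REAL_BROADCAST = "ff:ff:ff:ff:ff:ff"
FAKE_BROADCAST = "ff:ff:ff:ff:ff:fe"   # one bit off the real broadcast address


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp_probe(src_mac: str, src_ip: str, target_ip: str,
                    dst_mac: str = FAKE_BROADCAST) -> bytes:
    """Ethernet frame carrying an ARP request for target_ip, sent to dst_mac."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)      # Ethernet, IPv4, hlen, plen, request
    arp += mac_bytes(src_mac) + IPv4Address(src_ip).packed
    arp += b"\x00" * 6 + IPv4Address(target_ip).packed  # target MAC unknown
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode the fields of an ARP-over-Ethernet frame."""
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    opcode = struct.unpack("!H", frame[20:22])[0]
    return {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "opcode": opcode,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": str(IPv4Address(frame[28:32])),
            "target_mac": mac_str(frame[32:38]), "target_ip": str(IPv4Address(frame[38:42]))}


def nic_accepts(frame: bytes, own_mac: str, promiscuous: bool) -> bool:
    """The hardware destination filter a NIC applies when it is not promiscuous."""
    dst = mac_str(frame[:6])
    return promiscuous or dst in (own_mac, REAL_BROADCAST)


def host_reply(frame: bytes, own_mac: str, own_ip: str, promiscuous: bool):
    """Simulated host: answer an ARP request for our IP if the frame reached the stack."""
    if not nic_accepts(frame, own_mac, promiscuous):
        return None
    req = parse_arp(frame)
    if req["opcode"] != 1 or req["target_ip"] != own_ip:
        return None
    eth = mac_bytes(req["src_mac"]) + mac_bytes(own_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)      # opcode 2 = reply
    arp += mac_bytes(own_mac) + IPv4Address(own_ip).packed
    arp += mac_bytes(req["src_mac"]) + IPv4Address(req["sender_ip"]).packed
    return eth + arp


def is_promiscuous(reply) -> bool:
    """A reply to the bogus-destination probe means the NIC is not filtering."""
    return reply is not None and parse_arp(reply)["opcode"] == 2


if __name__ == "__main__":
    probe = build_arp_probe("02:00:00:00:00:01", "192.0.2.1", "192.0.2.50")
    print("normal host answers:     ",
          is_promiscuous(host_reply(probe, "02:00:00:00:00:50", "192.0.2.50", False)))
    print("promiscuous host answers:",
          is_promiscuous(host_reply(probe, "02:00:00:00:00:50", "192.0.2.50", True)))
```

Putting the probe on the wire needs a raw socket (AF_PACKET on Linux, which requires root), and then the usual caveats apply: whether a promiscuous host actually answers a given bogus address depends on the destination checks its kernel performs, so a silent host proves nothing, and a probe to the real broadcast address is answered by everyone and tells you nothing either.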



Another way to protect your network traffic from being sniffed is to use encryption such as Transport Layer Security (TLS), the successor of Secure Sockets Layer (SSL). Encryption doesn't prevent packet sniffers from seeing source and destination addresses, ports, packet sizes and timing (and, with TLS, usually the server name in the handshake), but it does encrypt the payload so that all the sniffer sees is ciphertext. TLS also authenticates the data, so an attempt to modify or inject data into the connection fails: the receiving end detects the tampering and aborts the connection rather than merely decrypting garbage.

Sniffers are great tools for diagnosing down-in-the-weeds network problems. Unfortunately, they are also useful for hacking purposes as well. It's important for security professionals to familiarize themselves with these tools so they can see how a hacker might use them against their network.