3

I would like to tcpdump all traffic that my router does when it makes a firmware update.

So I have taken a HP ProCurve 1800-8G switch and mirrored port 7 to port 8.

I have connected:

  • Internet connection in port 6
  • router's WAN port in port 7
  • Linux host running tcpdump in port 8

I suppose the router has a DHCP client on the WAN interface.

However I don't see any activity. Not even the switch LEDs show activity for port 6 and 7.

Question

Do I have to configure something more in the switch in order to use it as a network tap?

Update

Maybe it is the cables that are the problem? The router uses RJ11, so how should the RJ11 pins be connected to the RJ45 pins?

The ones I am using now are from an answering machine for port 6 and port 7.


            ____
                |
HP ProCurve    6|---------------- Internet Uplink -------------- (Internet)
1800-8G         |            :
Switch          |            : <== (router-to-uplink path before tap)
(as a tap)      |            :                         
               7|---------------- Router WAN port (downlink) --- (local n/w)
                |
               8|------------ Linux Host (with tcpdump)
            ____|
Sandra
  • 1
    •Internet connection in port 6 •routers WAN port in port 7... I'm having a hard time visualizing this. Can you provide a diagram? – joeqwerty Apr 10 '13 at 23:52
  • Sounds like the switch is installed between the router and the internet to mirror traffic to the Linux host. Are the link lights even active or is the internet connection completely down with the switch installed? – cpt_fink Apr 11 '13 at 01:15
  • 2
    First thing to do should be to make sure you still have connectivity to the Internet with the switch in between. Default configuration for the switch should be fine, assuming that no other ports on the switch are used. You should configure the mirror port only after you have confirmed this. – wookie919 Apr 11 '13 at 02:39
  • Have you enabled port mirroring for port 7 to 8? – tegbains Apr 11 '13 at 04:27

1 Answer

4

Your comment about your router using an RJ-11 connector makes me think that it's an ADSL router. If that's so, you can't do this with an ethernet switch; ADSL cells are not ethernet frames, and the switch will not therefore mirror them to the mirror port.

I don't know if the voltages involved are substantially different, but if they are, there's a danger that you can damage the equipment, connecting it as you have.

MadHatter
  • @MadHatter Very interesting! How would you sniff the traffic? Buy a real network tap? – Sandra Apr 11 '13 at 11:31
  • 2
    If, by a "real network tap", you mean a commercial ethernet sniffer, then no, that still won't help. You'd need some kind of transparent in-line ATM traffic analyzer. I don't even know if they exist, though I presume they do. – MadHatter Apr 11 '13 at 11:38