How to check whether port mirroring is properly configured?

4.0

Author:
IMFirewall Software
HomePage:
http://www.imfirewall.us

Port mirroring is required for pass-by monitoring. However, sometimes you still cannot monitor other computers even though port mirroring is configured. There are several possible causes:

  1. Cable connections do not match the mirrored/mirroring ports. For example, port 5 is configured as the mirroring port, but the WFilter computer is connected to another port.
  2. WFilter requires both outbound and inbound traffic. If you mirror packets in only one direction, WFilter cannot work properly.
  3. The WFilter computer must be connected directly to the mirroring port.
  4. Incorrect "ip segment" or "monitoring adapter" settings in WFilter.
  5. Firewall/anti-virus programs block non-local packets. For example, NOD32 blocks non-local packets, so even when the port mirroring settings are correct, the mirrored traffic still cannot reach WFilter. We recommend shutting down your firewall and anti-virus programs to check.

To locate the problem, first confirm whether packets are actually being mirrored to the WFilter computer. This can be checked with the simple steps below:

  1. In "Network Connections", check the "status" of the monitoring adapter:


    Figure 1
  2. When mirroring is working, the number of "Received" packets should be much larger than the number of "Sent" packets.


    Figure 2
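The same received-versus-sent check can be scripted. The following PowerShell is an added example, not part of WFilter or the original article; it samples the adapter counters twice and compares the difference, so traffic from before the test does not skew the result. The adapter name `Ethernet`, the 30-second interval and the 5:1 threshold for "much larger" are assumptions to adjust for your network.

```powershell
# Added example (not WFilter code). Assumed values: adapter name, interval, ratio.
param(
    [string]$AdapterName = 'Ethernet',  # assumed name of the monitoring adapter
    [int]$IntervalSeconds = 30,         # how long to observe traffic
    [decimal]$MinRatio = 5              # assumed threshold for "much larger"
)

function Get-PacketTotals {
    param([string]$Name)
    # Get-NetAdapterStatistics exposes cumulative per-adapter packet counters.
    $s = Get-NetAdapterStatistics -Name $Name -ErrorAction Stop
    [pscustomobject]@{
        Received = [decimal]$s.ReceivedUnicastPackets +
                   [decimal]$s.ReceivedMulticastPackets +
                   [decimal]$s.ReceivedBroadcastPackets
        Sent     = [decimal]$s.SentUnicastPackets +
                   [decimal]$s.SentMulticastPackets +
                   [decimal]$s.SentBroadcastPackets
    }
}

$before = Get-PacketTotals -Name $AdapterName
Start-Sleep -Seconds $IntervalSeconds
$after = Get-PacketTotals -Name $AdapterName

# Compare deltas over the interval rather than lifetime totals.
$rx = $after.Received - $before.Received
$tx = $after.Sent - $before.Sent

if ($rx -lt 0 -or $tx -lt 0) {
    # Counters restart from zero when the adapter is reset or re-enabled.
    Write-Output "Counters were reset during the sample. Run the check again."
} elseif ($rx -eq 0) {
    Write-Output "No packets received in $IntervalSeconds s: mirrored traffic is not reaching '$AdapterName'."
} elseif ($tx -eq 0 -or ($rx / $tx) -ge $MinRatio) {
    Write-Output "Received $rx, sent $tx: consistent with mirrored traffic arriving."
} else {
    Write-Output "Received $rx, sent $tx: ratio below $MinRatio, the adapter appears to see mostly its own traffic."
}
```

Run it while other computers on the network are generating traffic; on an idle network the received count stays low even when mirroring is configured correctly.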