
When {Puffy} Meets ^RedDevil^: 3Com 3226: Enable Port Mirroring

http://geek00l.blogspot.com/2006/12/3com-3226-enable-port-mirroring...


Sunday, December 17, 2006


3Com 3226: Enable Port Mirroring


If you have a 3Com 3226 network switch and would like to monitor your network, it provides a port mirroring feature. To enable it, log in to the console via telnet, then run the commands as in the screenshot below:


feature -> rovingAnalysis -> add|remove|start|stop|summary

3Com uses "Roving Analysis" as its term for port mirroring. You have to specify a monitor port and an analyzer port: the monitor port is the port you want to monitor, and the analyzer port is the port that receives a mirrored copy of the monitor port's traffic. In my example I monitor port 1, and its network traffic is mirrored to the analyzer port, which is port 25. Once monitoring is started, you can view the summary, which shows roving analysis enabled.

Now you can plug your IDS sensor or traffic collector into port 25 of the switch and start your network security monitoring. Enjoy :]

P/S: I am by no means promoting or selling 3Com products; this is just to help in case someone has the same device, or as my own reference.
Posted by C. S. Lee at 12/17/2006 11:37:00 PM


3 Comments:

Anonymous said...

Hi, thanks for your post. Was wondering if you have had any experience with monitoring the 3com 3226 as you describe but finding large 'holes' in your logging.... We might have a 24 hour log but have 2-3 hours where no logging is done at all - but there is definitely traffic to and from the port being mirrored? Anything you can advise would be greatly appreciated.... By the way, there are no filters on our sniffing software; we are using Wiresharp.

4/23/2007 08:42:00 PM


geek00L said...

Anonymous, I assume wiresharp is a typo. It is better to use other tools instead of wireshark to perform data collection. Usually I only use wireshark for pcap analysis. So what are the other options? You can try out dumpcap from the wireshark suite, daemonlogger or the ancient, solid tcpdump. There are many reasons why the logging process sometimes fails somewhere. You will have to check out the system and monitor it closely to catch the issue, especially if you run multiple applications at the same time.

5/27/2007 10:13:00 AM

Olav Langeland said...

Have a look at NTop from www.ntop.org for data collection and analyzing. Great tool for displaying data traffic.

4/21/2008 11:46:00 PM
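An added example, not part of the original post or its comments: one way to locate the capture "holes" discussed in the comments is to scan a classic libpcap file, such as one written by `tcpdump -w`, for long gaps between consecutive packet timestamps. The function names, the 60-second threshold and the sample capture are constructed for illustration; pcapng files are not handled.

```python
import io
import struct

# Classic pcap magic as it appears on disk -> (struct byte order, timestamp unit)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1e-6),  # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1e-6),  # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1e-9),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1e-9),  # big-endian, nanoseconds
}

def find_capture_gaps(stream, max_gap=60.0):
    """Return (packet_count, gaps); each gap is (last_seen, next_seen, seconds)."""
    header = stream.read(24)  # fixed-size global header
    if len(header) < 24 or header[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    endian, frac_unit = PCAP_MAGICS[header[:4]]
    record = struct.Struct(endian + "IIII")  # ts_sec, ts_frac, incl_len, orig_len
    count, previous, gaps = 0, None, []
    while True:
        raw = stream.read(record.size)
        if len(raw) < record.size:
            break  # end of file, or a truncated final record header
        ts_sec, ts_frac, incl_len, _orig_len = record.unpack(raw)
        if len(stream.read(incl_len)) < incl_len:
            break  # packet body cut short, e.g. the capture process died
        stamp = ts_sec + ts_frac * frac_unit
        if previous is not None and stamp - previous > max_gap:
            gaps.append((previous, stamp, stamp - previous))
        previous = stamp
        count += 1
    return count, gaps

def build_sample_pcap(timestamps):
    """Constructed input: one 4-byte dummy frame per timestamp (whole seconds)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts in timestamps:
        out += struct.pack("<IIII", ts, 0, 4, 4) + b"\x00" * 4
    return out

if __name__ == "__main__":
    # Constructed capture: steady traffic, a 3-hour hole, then traffic again.
    sample = build_sample_pcap([1000, 1010, 1020, 11820, 11830])
    packets, holes = find_capture_gaps(io.BytesIO(sample), max_gap=60.0)
    print(f"{packets} packets, {len(holes)} gap(s) longer than 60 s")
    for last_seen, next_seen, seconds in holes:
        print(f"  no packets from {last_seen:.0f} to {next_seen:.0f} ({seconds:.0f} s)")
```

A reported gap means only that no packet was recorded in that interval; it does not by itself say whether the switch stopped mirroring or the capture process stopped writing.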
