Work stations in promiscuous mode can sniff LAN packets within their broadcast domain. A workstation connected to Cisco Meraki switches can capture these packets through port mirroring. This article will cover how to capture traffic passed by an MS switch, using the following steps:
The most effective way to capture traffic passed on a given switchport is to mirror that port to another available port, so all traffic passed by the source port will be sent out on the mirrored destination port. The following steps outline how to mirror one or more ports on an MS switch:
Physically connect a workstation to your destination port. Make sure DHCP is enabled on the host, and check that it receives a 169.254.X.X IP address.
On the workstation, open a packet capture utility. Using Wireshark as an example, navigate to Capture > Options and select your Ethernet card. Click Start.
Now that traffic is being captured, perform whatever network tests are necessary to generate traffic across the source ports. This traffic can now be analyzed on the destination port using the capture tool.
On Meraki switches, there are two egress modes for port mirrors:
The following table lists support for the two modes:
|True Egress||MS22, MS42, MS220, MS320, MS350, MS410|
|Tagged Egress||MS225, MS250, MS420, MS425|