Read: Class 09 Traffic Mirroring - VascoLucas01/networking-reading-notes GitHub Wiki

Introduction

Before network switches were common, we all worked with Ethernet hubs. A hub is nothing more than a multi-port repeater: every frame that enters one port is repeated out of every other port, so a workstation plugged into a hub could hear every bit of traffic flowing through it. That made network analysis and packet capture very easy: plug into the hub, with no extra configuration, and you could see everything. In a switched network that is no longer the case.

If we plug into a switch port, what we are able to see is broadcasts, multicasts and anything directed to our own workstation. If two other devices are communicating through the switch, we have no way to see that traffic simply by plugging into a switch port, because the switch forwards unicast frames only to the port where it learned the destination MAC address. That is why most switch manufacturers build a capability into the switch called a port mirror. It may be called something else on your switch, such as a SPAN (Switched Port Analyzer, the Cisco name) or a port redirection, but it is exactly the same thing.

We take the traffic going through the switch, make a copy of it, and send the copy to another port somewhere else on that switch. There are many reasons you might want to do this, such as:

  • Protocol analysis: examining how applications are communicating on the wire.
  • Feeding a security device such as an intrusion detection system (IDS), which needs a copy of the packets to look for security issues on the network.
  • Stream-to-disk (full packet capture) technologies, which capture every packet crossing the network and save it on large disk arrays, so that you can effectively rewind what was happening on the network and see what occurred in the past at a packet-by-packet level.

It is important to note that not all switches allow you to configure a port mirror. Some allow only one or two mirror sessions simultaneously, and some have no option at all. Check the manufacturer's documentation for your specific model to determine whether port mirroring is possible on that switch and, if it is, what its limitations are (number of sessions, which ports can be sources or destinations).

How to capture traffic?

  • SPAN (Port mirroring)
  • TAP (Test Access Point, also expanded as Terminal Access Point)

Port Mirroring

Port mirroring, also known as SPAN, is a method of monitoring network traffic in which a copy of each incoming and/or outgoing packet on one (or several) port(s) of a switch is forwarded to another port where the analysis device is connected. Port mirroring can be managed locally or remotely.

To configure port mirroring, an administrator selects one or several ports from which all packets will be copied (the source ports) and another port or ports to which the copies will be sent (the destination port).


The administrator can mirror all packets on a source port (both directions) or only the transmitted or only the received ones. If both transmitted and received packets are included, a packet going from one monitored port to another monitored port is copied twice to the destination port: once when it is received on the first port and once when it is transmitted out of the second.
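As an added example (not from the original notes or from the cited sources), the following Python model reproduces what a SPAN destination port receives for a given set of source ports and mirroring direction, and then applies the kind of de-duplication an analyst runs on the resulting capture (the same idea as `editcap -d` on a pcap). Frames, port numbers and payloads are constructed; `Frame`, `span_copy` and `dedupe` are names chosen for this example.

```python
"""Model what a SPAN (port-mirror) destination port receives and how to
de-duplicate the resulting capture. Added example, not from the original notes;
every frame, port number and payload here is constructed."""
import hashlib
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ingress_port: int   # switch port the frame arrived on
    egress_port: int    # switch port the switch forwards it out of
    payload: bytes      # constructed stand-in for the frame contents


def span_copy(frames, source_ports, direction="both"):
    """Return, in order, the copies the SPAN destination port would receive.

    direction "rx"   mirrors frames received on a source port,
              "tx"   mirrors frames transmitted out of a source port,
              "both" mirrors both (the usual default).
    A frame that enters one monitored port and leaves through another is
    matched twice under "both": this is the double copy described in the
    notes.  A frame that neither enters nor leaves a monitored port is never
    seen, which is why SPAN shows nothing of unmonitored ports.
    """
    copies = []
    for f in frames:
        if direction in ("rx", "both") and f.ingress_port in source_ports:
            copies.append(f)
        if direction in ("tx", "both") and f.egress_port in source_ports:
            copies.append(f)
    return copies


def dedupe(frames, window=5):
    """Drop a frame whose contents were already seen within the last
    `window` frames (same idea as editcap -d).  Caveat: a genuine
    retransmission with identical bytes inside the window is dropped too."""
    recent = deque(maxlen=window)
    kept = []
    for f in frames:
        digest = hashlib.sha256(f.payload).digest()
        if digest in recent:
            continue
        recent.append(digest)
        kept.append(f)
    return kept


# Constructed traffic: ports 1 and 2 are the SPAN sources, 3 and 4 are not.
SAMPLE = [
    Frame(1, 2, b"host A -> host B: request"),   # both ends monitored
    Frame(2, 1, b"host B -> host A: reply"),     # both ends monitored
    Frame(1, 3, b"host A -> host C"),            # only the ingress port is monitored
    Frame(3, 4, b"host C -> host D"),            # invisible to this SPAN session
]
SOURCES = {1, 2}

if __name__ == "__main__":
    mirrored = span_copy(SAMPLE, SOURCES, "both")
    print(len(mirrored), "frames on the destination port")   # 5
    print(len(dedupe(mirrored)), "after de-duplication")     # 3
```

Running it shows the two frames exchanged between the monitored ports arriving twice and the frame between the unmonitored ports not arriving at all. The de-duplication window is a heuristic: on a real capture, compare timestamps as well as contents before deciding a repeated frame is a SPAN artefact rather than a retransmission.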

Port mirroring is the most commonly used solution for capturing traffic because it is inexpensive, flexible in terms of how much traffic can be captured at once (a single port, several ports or, on many switches, a whole VLAN), and remotely configurable.

Drawbacks:

  1. It can consume significant switch CPU resources while active
  2. There is a risk of not receiving some packets (for example frames with media errors, which the switch discards before they can be mirrored)
  3. If the switch or the destination port is congested, port mirroring is likely to drop some traffic, because the SPAN process does not have priority; a destination port of the same speed as a full-duplex source port cannot carry both directions at full rate
  4. In some cases, a better solution for long-term monitoring may be a passive TAP or an Ethernet repeater ("hub")

Advantages:

  1. Low cost (this feature is embedded in most switches)
  2. Can be configured remotely through IP or Console port
  3. The only way to capture traffic that stays within the switch (port-to-port on the same switch)
  4. A good way to capture traffic on several ports at once

Network TAP

A network TAP is a hardware device which can passively capture traffic on a network. It is commonly used to monitor the traffic between two points in the network. If the network between these two points consists of a physical cable, a network TAP may be the best way to capture traffic.

A network TAP has at least 3 ports: an A port, a B port and the monitor port. To place a TAP between points A and B, the network cable between point A and point B is replaced with a pair of cables, one going to the TAP's A port, the other going to the TAP's B port. The TAP passes all traffic between the two network points, so they are still connected to each other. The TAP also copies the traffic to its monitor port, thus enabling an analysis device to listen.

Network TAPs are commonly used by monitoring and collection devices such as APs. TAPs can also be used in security applications because they are non-obtrusive, are not detectable on the network (a passive TAP has no MAC or IP address on the link), can deal with full-duplex and non-shared networks, and will usually pass traffic through even if the TAP stops working or loses power.

Drawbacks:

  1. The analysis device may need two listening interfaces: a breakout TAP delivers each direction of a full-duplex link on a separate monitor port, and the capture tool has to merge them
  2. Costly
  3. No visibility into intra-switch traffic (a TAP only sees the one link it sits on)
  4. Not appropriate when you only want to observe a narrow range of traffic

Advantages:

  1. No risk of dropped packets at the TAP itself (the capture device must still keep up: an aggregating TAP can present up to twice the link rate on a single monitor port)
  2. Monitoring of all packets (including those with hardware errors (MAC & media))
  3. Provides full visibility, including during congestion

System Logs

If you're working with routers, switches, firewalls, or other infrastructure devices connected to the network, there are probably logs inside those devices that can tell you how the traffic flows and give summaries of the data traversing the device.

When you look at the log files on switches, routers, firewalls, Windows servers, Linux servers, and other devices, you'll see that each log type is very different. But all of these diverse log files contain details that allow us to correlate data flows together. Although the logs contain very different information, we can use a standardized process to retrieve them from every one of these devices using a standard protocol called syslog.

We can configure all of these different devices to send information to a consolidated logging receiver using the standard syslog protocol. In many cases, we consolidate this information into a SIEM, a Security Information and Event Manager, which brings all of that data back into one central database. Each syslog message carries a facility code, which identifies the type of program that originated the log (kernel, mail, auth, the local0-local7 facilities and so on), and a severity level for the information contained within that log.
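The facility and severity described above are transmitted together as one integer, the PRI field at the very start of every syslog message (PRI = facility * 8 + severity). Added example, not code from the original notes: a small Python decoder for that field and a severity-based triage filter, run over constructed sample messages. Facility and severity names follow RFC 5424 (the short labels for facilities 12-15 are this example's own); hosts, addresses and message texts are made up, and 203.0.113.0/24 is a documentation address range.

```python
"""Decode the syslog PRI field that collectors and SIEMs use to classify messages.

Added example, not from the original notes. Sample messages below are constructed.
"""
import re

# Facility codes (RFC 5424, section 6.2.1). Labels for 12-15 are this example's own.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "logaudit", 14: "logalert", 15: "clock",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
# Severity codes 0..7, most urgent first.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# "<PRI>" must be the very first thing in the message; PRI is 1 to 3 digits.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(pri):
    """Recover (facility, severity) from PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:          # 23 * 8 + 7 is the largest valid value
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_syslog(line):
    """Split a raw syslog line into its PRI-derived fields and the remaining text."""
    m = PRI_RE.match(line)
    if m is None:
        raise ValueError("message does not start with <PRI>")
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    return {
        "pri": pri,
        "facility": facility,
        "severity": severity,
        "severity_num": pri % 8,     # lower number = more urgent
        "msg": m.group(2),
    }


def triage(lines, max_severity=3):
    """Keep messages at least as urgent as max_severity
    (3 = err, so the default keeps emerg, alert, crit and err)."""
    return [p for p in map(parse_syslog, lines) if p["severity_num"] <= max_severity]


# Constructed sample messages (RFC 3164 and RFC 5424 styles), not real logs.
SAMPLE = [
    "<38>Oct 11 22:14:15 bastion sshd[2041]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "<164>Oct 11 22:14:16 fw01 filterlog: DENY tcp 203.0.113.5:51234 -> 10.0.0.7:22",
    "<0>Oct 11 22:14:17 core01 kernel: panic: out of memory",
    "<13>1 2003-10-11T22:14:15.003Z app01 webapp 4711 ID47 - user login ok",
]

if __name__ == "__main__":
    for p in map(parse_syslog, SAMPLE):
        print(f"{p['facility']:>9}.{p['severity']:<8} {p['msg'][:50]}")
    print("urgent:", len(triage(SAMPLE)))   # 1 (only the kernel panic is err or worse)
```

One caveat for the collector side: the PRI value is set by the sender, so a compromised host can label its messages with any facility or severity it likes. Use facility and severity for routing and triage, not as a trust boundary, and keep the raw message so that the original values can be audited later.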

EXTRA notes about Room 641A

This section has a link to a case in the USA where a surveillance scandal arose from traffic being copied: Room 641A, an AT&T facility in San Francisco where a fiber-optic splitter (in effect, a passive TAP) copied Internet traffic to government interception equipment.

[Image: Room 641A exterior, see reference 3]

https://www.pbs.org/video/frontline-room-641a/

Questions

  • What are the differences between SPAN and TAP?

SPAN is a feature provided by switches, where a copy of the network traffic from one or more switch ports is forwarded to another port, known as the SPAN port. The traffic on the SPAN port can then be captured and analyzed by a monitoring tool, such as a network analyzer. SPAN allows you to monitor network traffic without affecting the normal operation of the network. However, it has some limitations: it cannot capture traffic that does not pass through the monitored switch, and under congestion the mirrored copy is dropped first.

TAP, on the other hand, is a hardware device that connects to a network link and copies all of the traffic passing through that link. It provides a complete copy of the network traffic, including packets that are not visible on a SPAN port (frames with errors, or frames lost when the SPAN port is oversubscribed). TAPs are often used in high-performance and security-sensitive environments where complete visibility into network traffic is critical. However, TAPs can be expensive and, for copper TAPs with active electronics, can introduce a small amount of latency into the link.

In summary, the main differences between SPAN and TAP are:

SPAN is a feature provided by switches, while TAP is a hardware device.

SPAN provides a copy of network traffic from one or more switch ports to a SPAN port, while TAP provides a complete copy of the network traffic passing through a link.

SPAN has some limitations, such as it cannot capture traffic that does not pass through the monitored switch, while TAP provides complete visibility into network traffic.

SPAN is generally less expensive than TAP, but it may not be sufficient for high-performance or security-sensitive environments.

  • What types of network devices can support network traffic mirroring?

Routers, switches, firewalls and load balancers.

  • How can network traffic mirroring be used for network security?

There are many ways in which traffic mirroring can be used for network security, such as:

Malware Analysis: Network traffic mirroring can be used to capture network traffic associated with malware infections. The captured traffic can be analyzed to determine the type and origin of the malware, as well as the behavior of the infected host. This can be useful in developing strategies to prevent future infections and mitigate the impact of current infections.

User Activity Monitoring: Network traffic mirroring can be used to monitor user activity on the network. This can be useful in identifying unauthorized or suspicious activity, such as accessing restricted resources or violating security policies.

Intrusion Detection and Prevention: Network traffic mirroring can be used to feed network traffic to intrusion detection and prevention systems (IDS/IPS) to detect and prevent security threats. By monitoring the network traffic, IDS/IPS can detect unusual patterns of traffic or malicious activity and take appropriate actions to prevent or mitigate the threat.

  • Are there any legal or ethical considerations when using network traffic mirroring?

Yes, for example:

Consent: In some jurisdictions, it may be required to obtain consent from users before capturing their network traffic. It's important to check the applicable laws and regulations to ensure that you are complying with them.

Data Protection: Capturing network traffic can create a large amount of data, which must be stored, managed, and protected appropriately. You should ensure that you have adequate storage and backup solutions in place, as well as proper security controls to prevent unauthorized access to the captured data.

Ethical Considerations: Network traffic mirroring can be used for both legitimate and illegitimate purposes. It's important to use this tool ethically and responsibly, and not to use it for purposes that violate the privacy or rights of others.

REFERENCES

1 - https://www.youtube.com/watch?v=e-vmLfpqo_I

2 - https://accedian.com/blog/capture-network-traffic-span-vs-tap/

3 - https://pt.wikipedia.org/wiki/Sala_641A#/media/Ficheiro:Room_641A_exterior.jpg