1
00:00:00,860 --> 00:00:03,270
Another tool we use in the monitoring process

2
00:00:03,270 --> 00:00:04,875
inside of our networks for both security

3
00:00:04,875 --> 00:00:08,110
and network performance is a protocol analyzer.

4
00:00:08,110 --> 00:00:10,120
A protocol analyzer is used to capture

5
00:00:10,120 --> 00:00:12,210
and analyze network traffic.

6
00:00:12,210 --> 00:00:14,470
Now I know we've talked about protocol analyzers

7
00:00:14,470 --> 00:00:15,630
already in this course.

8
00:00:15,630 --> 00:00:17,210
Things like Wireshark, right?

9
00:00:17,210 --> 00:00:18,918
But I wanted to take a moment to cover the concept

10
00:00:18,918 --> 00:00:21,270
of how these connect to your network.

11
00:00:21,270 --> 00:00:23,530
They can be connected in either promiscuous mode

12
00:00:23,530 --> 00:00:25,180
or non-promiscuous mode.

13
00:00:25,180 --> 00:00:26,710
If they're in promiscuous mode,

14
00:00:26,710 --> 00:00:29,090
that means the network adapter is going to be able to capture

15
00:00:29,090 --> 00:00:30,680
all of the packets on the network

16
00:00:30,680 --> 00:00:33,740
regardless of who the destination MAC address is.

17
00:00:33,740 --> 00:00:35,110
And this is going to allow them to capture

18
00:00:35,110 --> 00:00:37,450
all of the frames that carry that information.

19
00:00:37,450 --> 00:00:39,140
So promiscuous, it doesn't matter if

20
00:00:39,140 --> 00:00:40,380
you're addressing it to me,

21
00:00:40,380 --> 00:00:42,730
I'm still going to collect it and listen to it.

22
00:00:42,730 --> 00:00:44,680
Now, if I'm in non-promiscuous mode,

23
00:00:44,680 --> 00:00:46,800
I'm only going to capture packets that are addressed

24
00:00:46,800 --> 00:00:50,000
directly to myself, the protocol analyzer.

25
00:00:50,000 --> 00:00:51,560
That's the difference with promiscuous

26
00:00:51,560 --> 00:00:53,440
versus non-promiscuous mode.

27
00:00:53,440 --> 00:00:55,510
Now, to capture the most information,

28
00:00:55,510 --> 00:00:58,380
you're going to need to be put into promiscuous mode.

29
00:00:58,380 --> 00:01:00,160
Not all network adapters support this,

30
00:01:00,160 --> 00:01:02,500
so you need to make sure you have one that does.

31
00:01:02,500 --> 00:01:05,460
Now you also need to set up a port on the switch

32
00:01:05,460 --> 00:01:07,760
that is going to allow you to see all that traffic.

33
00:01:07,760 --> 00:01:09,360
Because in the old days of a hub,

34
00:01:09,360 --> 00:01:12,310
all that information was broadcast across every port.

35
00:01:12,310 --> 00:01:14,600
But with switches, everything is going

36
00:01:14,600 --> 00:01:17,130
based on the MAC address to specific ports

37
00:01:17,130 --> 00:01:18,740
based on its CAM table.

38
00:01:18,740 --> 00:01:20,870
So to be able to get all that data,

39
00:01:20,870 --> 00:01:23,390
you need to be able to set up port mirroring.

40
00:01:23,390 --> 00:01:25,730
Port mirroring is where you have one or more switch ports

41
00:01:25,730 --> 00:01:27,900
that are configured to forward all of their packets

42
00:01:27,900 --> 00:01:29,840
to another port on the switch.

43
00:01:29,840 --> 00:01:32,300
This port is normally called a SPAN port.

44
00:01:32,300 --> 00:01:34,850
And it's being used to do port mirroring

45
00:01:34,850 --> 00:01:36,330
of all the other ports so that

46
00:01:36,330 --> 00:01:38,210
the protocol analyzer can see it.

47
00:01:38,210 --> 00:01:40,600
Now sometimes you don't have the ability

48
00:01:40,600 --> 00:01:42,250
to configure the SPAN port yourself.

49
00:01:42,250 --> 00:01:43,860
Because maybe you're an analyst,

50
00:01:43,860 --> 00:01:45,480
but you're not a network administrator.

51
00:01:45,480 --> 00:01:48,930
If that's the case, you can also put in a network tap.

52
00:01:48,930 --> 00:01:51,060
Now when you talk about a network tap,

53
00:01:51,060 --> 00:01:53,940
you have to really understand how a mirrored port works.

54
00:01:53,940 --> 00:01:56,610
When a mirrored port or a SPAN port is being used,

55
00:01:56,610 --> 00:01:59,510
it's using a logical method to replicate the traffic

56
00:01:59,510 --> 00:02:02,710
across all of the other ports onto that SPAN port.

57
00:02:02,710 --> 00:02:05,460
This does put a lot of additional processing requirements

58
00:02:05,460 --> 00:02:07,040
on the switch's CPU, though.

59
00:02:07,040 --> 00:02:10,090
And it can slow down your network or cause packets to drop.

60
00:02:10,090 --> 00:02:11,120
If this is a concern,

61
00:02:11,120 --> 00:02:13,640
or you can't configure a SPAN port yourself,

62
00:02:13,640 --> 00:02:15,540
you can use a network tap instead,

63
00:02:15,540 --> 00:02:17,250
which is a physical device.

64
00:02:17,250 --> 00:02:19,020
A network tap is a physical device

65
00:02:19,020 --> 00:02:20,880
that allows you to intercept the traffic

66
00:02:20,880 --> 00:02:22,780
between two points on the network.

67
00:02:22,780 --> 00:02:24,380
So maybe I want to put a network tap

68
00:02:24,380 --> 00:02:26,100
between the router and the switch

69
00:02:26,100 --> 00:02:27,730
at the boundary of the network.

70
00:02:27,730 --> 00:02:29,160
This is going to allow me to see everything

71
00:02:29,160 --> 00:02:31,480
that's coming in or out of the network that way.

72
00:02:31,480 --> 00:02:32,853
And it puts no additional load

73
00:02:32,853 --> 00:02:35,150
on the router or on the switch.

74
00:02:35,150 --> 00:02:37,270
I basically cut the cable in between,

75
00:02:37,270 --> 00:02:38,520
unplug it between the two devices,

76
00:02:38,520 --> 00:02:40,420
and put my device in between the two,

77
00:02:40,420 --> 00:02:43,600
and I get a copy of all of the data going between them.

78
00:02:43,600 --> 00:02:45,470
That's the idea with a network tap.

79
00:02:45,470 --> 00:02:48,520
Either can be used, either a SPAN port or a network tap,

80
00:02:48,520 --> 00:02:50,080
to accomplish the same thing,

81
00:02:50,080 --> 00:02:52,540
but a network tap is going to be much more efficient

82
00:02:52,540 --> 00:02:54,990
because it is a physical device

83
00:02:54,990 --> 00:02:57,903
using the logical capability inside of the switch.