Sunday, December 17, 2006

3Com 3226: Enable Port Mirroring

If you have 3Com Network Switch 3226 Model, and you would like to monitor your network, it does provide port mirroring feature. In order to enable it, you can login to the console via telnet, then execute commands accordingly to the screenshot below -


feature -> rovingAnalysis -> add|remove|start|stop|summary

3Com uses Roving Analysis as the term for the port mirroring, you will have to specify monitor port and analyzer port. Monitor port is the port you will want to monitor and analyzer port is the port to mirror traffic on monitor port. From my example I will monitor port 1 and its network traffic will be mirrored to the analyzer port which is port 25. Once I start monitoring, you can view the summary where roving analysis is enabled.

By now you can just plug in your IDS sensor or traffic collector to port 25 of the switch and start your network security monitoring.

Enjoy :]

P/S: I by no mean promoting or selling 3Com product, this is just to help in case one has the same device or as my own reference.

4 comments:

Anonymous said...

Hi thanks your post. Was wondering if you have had any experience with monitoring the 3com 3226 as you describe but finding larges 'holes' in your logging.... we might have a 24 hour log but have 2-3 hours where no logging is done at all - but there is definitely traffic to and from the port being mirrored? Anything you can advise would be greatly appreciated.... by the way there areno filters on our sniffing software we are using Wiresharp.

C.S.Lee said...

anonymous,

I assume wiresharp is wrong typo.

It is better to use other tools instead of wireshark to perform data collection. Usually I only use wireshark for pcap analysis.

So what are the other options? You can try out dumpcap from wireshark suite, daemonlogger or the ancient solid tcpdump.

There are many reasons why sometimes logging process fail somewhere, You will have to check out the system and monitor them closely to catch the issue especially if you run multiple applications at the same time.

Unknown said...

have a look at NTop from www.ntop.org for data collection and analyzing. great tool for displaying data traffic.

jerry-yang said...

Thank a lot. it is great post.