I’ve been asked by our SIP trunk provider to run a Wireshark trace on the network when we receive calls.
The issue I’m having is that if I run Wireshark from a laptop plugged into the main switch I only see the broadcast traffic from the switch and cannot see the detail of calls I need to pass to our VoIP provider. Our switch is a Netgear FS728TP
I am running Wireshark capture in promiscuous mode but I’m guessing this setup isn’t the correct way to watch VoIP traffic on our LAN. Which of these options would be best to monitor the VoIP traffic?
1. Connect the monitoring laptop and phones to a Hub
This seems the easiest option, but where do you get a hub from these days, plus our handsets are Power Over Ethernet? Can I force our Netgear FS728TP switch to behave like a Hub or do I need to setup Wireshark differently to collect all packets?
2. Use a dual nic machine inline between our PBX and the phones on the switch
I was thinking of using an old Shuttle PC with dual network cards inline to watch all packets and do the trace that way, plus it would be useful in the future if we need to watch network traffic.
3. Buy a dedicated LAN monitoring device
This is obviously the faster method of the home baked Shuttle method but I have no idea what to look for in this area.
4. Configure a switch port to be a monitoring port.
This way you will get all traffic on that port. This Netgear model has this configuration option. It's called "port mirroring" on Netgear switches.
Option # 1 is what I use most often when capturing traffic for specific ports or hosts. The hub essentially acts as a passive network tap allowing your laptop to see all the traffic sent/received by any of the hosts connected to the hub. You can get a hub here:
http://www.amazon.com/Netgear-EN104TP-4-Port-Ethernet-Uplink/dp/B00000J4M9/ref=sr_1_1?ie=UTF8&qid=1298388547&sr=8-1
Are the phones connected to a switch that's separate from the rest of the devices on your network or is everything plugged in to the same switch?
Edit:
I was going to suggest an option 4 as well, and I do carry a small switch set up for the purpose of port mirroring, but honestly if you have or can easily get a hub it's a lot less work.
Option 4 is your best bet. You want to setup a port mirror of the ports that contain the SIP devices you want to monitor an then connect your laptop to the output port. That will tell the switch to mirror all packets from the originating port to the monitoring port so that you can do packet captures.
I'm not familiar with Netgear equipment but any managed switch can mirror ports to some extent (sometimes you are limited to the number of monitored ports). It should be in the documentation exactly how to do this.
Many managed switches allow you to setup what is commonly called a "mirror" port. You can mirror to or from or to and from a port or traffic in a vlan, and sometimes you can mirror traffic by mac address. The specific functionality is determined by your brand of switch.
Keep in mind that if you do this you could be dumping 2x worth of traffic (to and from) into a 1x bandwidth port (ie if you're mirroring to and from of a 100mb port into a 100mb port and you've got the up and down both pegged, you'll be dropping traffic in the mirror port).
There are also splitters / passive taps. These are prisms if you're looking at fiber optic cables (80% of light goes down one and 20% goes down the other). There are also hacks like this which are probably not cat5... or professional rigs that do the same thing.
You'll need 2 monitor ports on the device running wireshark for every link you're monitoring (in and out) if you go this route.
5. Capture the traffic on your PBX
Depending on your PBX software, OS, and performance requirements this can range from "easy" to "impossible".