I want to use a Netgear GS108Ev3 to monitor traffic between my router and modem. i.e.
Connect Port 1 to an Ethernet port on my Windows 10 desktop.
Connect Port 2 to the router.
Connect Port 3 to the modem.
Set Port 2 to mirror to Port 1.
Use Wireshark to collect packets from Port 1 and Wireshark Capture filters to capture only the packets I want to analyze.
I do not want any packets coming from the PC to reach the router or modem.
Nor do I want packets from Ports 2 and 3 reaching Port 1 except for those that are mirrored.
(I have observed that the ISP network is full of broadcast packets. Getting them from the mirrored port is fine. I just do not want to get them twice.)
Re: Does Port Mirror Disable the "Mirroring" Port?
Netgear has oddly two different variants of port mirroring implemented, depending on the model. It's interesting that some users expect the ports involved continue to work normally (completely strange to me. duplicate frames expected by design), while other users (me included) expecting a strict "only" the mirrored port traffic.
Re: Does Port Mirror Disable the "Mirroring" Port?
This has been quite an adventure.
The TP-Link switch was a dismal failure, as it would mirror packets going only from the switch (egress) and not packets coming into the switch (ingress). (Now that I think about it, it might have worked to mirror both the modem port and the router port and thus capture traffic in both directions. Hmmm. Another thing to try. Might have saved me $50!)
The Netgear switch appears to function correctly and (as far as I can determine) sends only the mirrored packets out the mirroring port.
What I have not yet determined is if any packets from the mirroring port "go anywhere". (I know how to test this, but am having too much fun watching dhcp between the Orbi and Spectrum to interrupt the capture to perform a test. Even though the USB/Ethernet adapter being used for the Wireshark capture has a Static IP (192.168.0.2) and has no defined gateway, there is a lot of 'crap' that was flowing out through that port: a strange mixture of multicast queries and DropBox queries. With Wireshark now using a Capture Filter of:
port 67 or port 68 or port 546 or port 547, those are the only packets being captured. There is so much flotsam and jetsam flying around the Spectrum IP subnet, that a few multicast packets from me may not affect anything.
As for entertainment value, this is a hoot!
The RBR50 behaves exactly as expected in regard to DHCP. Spectrum is now giving out 24 hour leases, and the Orbi does a renew at exactly 12 hours remaining. (which Spectrum acknowledges almost instantly.)
Spectrum assigns IPv6 leases good for a week (604,800 seconds). Unlike IPv4 which is resolved in one attempt, the IPv6 renewal seems to take two efforts, about six seconds apart. IPv6 responses generally taken longer as well.
IPv6 also involves "Information-requests" in addition to the renewal.
There are DHCP offers showing up from servers in 10.50.x.x and 10.84.x.x subnet. Why they should be appearing in this Spectrum subnet (172.249.112/20) is unclear.
