adam's notes

❯

❯

Port Mirroring

a switch forwards unicast traffic only to the specific port connected to the intended destination interface
- prevents sniffing of unicast traffic by hosts attached to same switch

Port mirroring copies ingress and/or egress communications from one or more switch ports to another port.

on Cisco, called switch port analyzer (SPAN)
used to monitor communications passing over the switch
sensor is attached to a specially configured mirror port on a switch
- that receives copies of frames addressed to:
  - nominated access ports
  - or all the other ports
mirror port is used by management or monitoring software
packets can be filtered by protocol ID or TCP/UDP port
- helps avoid overloading the monitoring system

Warning

not completely reliable

Frames with errors will not be mirrored

frames may be dropped under heavy load

port mirroring demands a lot of processing

can lead to the switch hardware becoming overloaded and crashing

test under typical loads before deploying

Graph View

Backlinks

Applying Network Security Features
Domain 6 - Network and Communications Security
Network Taps
Security Appliance Attributes

Created with Quartz v4.5.2 © 2026

CC BY-NC-SA
adamfurman.me