Something on my Ethernet LAN is occasionally sending out spurious duplicate packets and I need to track it down. The culprit is likely a switch or other bridge (such as a Wi-Fi AP) and not an endpoint, because the packets that get duplicated are not always from the same source MAC address.
I'm thinking of getting a manageable switch that supports port mirroring, and using it with a sniffer to sniff traffic going into and out of a port, but I need to know which direction each captured packet was sent, so I can tell which direction the original and the duplicate came from. If I can find a place on my network where the original and duplicate came from different directions, I'll know that the culprit must be on the side where the duplicate came from.
My problem is, the port-mirroring switches I've worked with in the past have only allowed me to mirror "both directions" (both transmit and receive) from a given port, to the mirror port.
Can anyone suggest a solution that would allow me to mirror just one direction? I'm thinking of hooking up two sniffers, one for the "Tx" direction, and one for the "Rx" direction, so I can tell which way the packets were going. I don't mind buying a new manageable switch or tap to achieve this.
I'm open to any other ideas for tracking down the source of spurious packet duplication, but beware that my current switches on this network aren't terribly manageable, so solutions that assume manageable switches (like "enable such-and-such packet tracing", or "pull stats from all your switches via SNMP and crunch the data in <app>") aren't likely to be practical in my situation.
Best Answer
On Cisco switches, you can configure whether you mirror rx, tx or both.
For example:
For receive only:
For transmit only:
If you don't specify, you mirror both tx and rx.
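Once rx and tx are mirrored to separate sniffers, the test described in the question (did the original and the duplicate arrive from different directions?) can be automated. The following is an added example, not part of the original question or answer. It assumes the two sniffers' clocks are synchronised and that each capture has already been loaded as (timestamp, raw frame bytes) pairs; the function names, the 0.1 s window and the sample frames are constructed for illustration.

```python
import hashlib

WINDOW = 0.1  # seconds; assumed maximum gap between an original and its duplicate

# Which side of the mirrored port a frame came from, by mirror direction.
SIDE = {"rx": "segment attached to the mirrored port",
        "tx": "rest of the network behind the switch"}

def find_duplicates(rx_frames, tx_frames, window=WINDOW):
    """Pair byte-identical frames seen within `window` seconds.

    rx_frames / tx_frames: lists of (timestamp, raw_frame_bytes), one list
    per sniffer. Frames that legitimately repeat byte-for-byte inside the
    window are flagged too, so keep the window short.
    """
    merged = sorted([(ts, "rx", f) for ts, f in rx_frames] +
                    [(ts, "tx", f) for ts, f in tx_frames],
                    key=lambda e: e[0])
    last_seen = {}  # frame digest -> (timestamp, direction) of the latest copy
    findings = []
    for ts, direction, frame in merged:
        digest = hashlib.sha256(frame).digest()
        prev = last_seen.get(digest)
        if prev is not None and ts - prev[0] <= window:
            findings.append({"original": prev[1], "duplicate": direction,
                             "gap": ts - prev[0], "frame": frame})
        last_seen[digest] = (ts, direction)
    return findings

def verdict(finding):
    """Apply the question's test to one original/duplicate pair."""
    if finding["original"] != finding["duplicate"]:
        return "culprit is toward the " + SIDE[finding["duplicate"]]
    return ("inconclusive at this port: both copies came from the "
            + SIDE[finding["original"]])

# Constructed sample frames (not real captures): dst MAC, src MAC, EtherType, payload.
FRAME_A = bytes.fromhex("ffffffffffff" "020000000001" "0806") + b"constructed-arp"
FRAME_B = bytes.fromhex("020000000002" "020000000003" "0800") + b"constructed-ip"
FRAME_C = bytes.fromhex("020000000004" "020000000005" "0800") + b"constructed-ip2"
SAMPLE_RX = [(1.000, FRAME_A), (3.000, FRAME_B), (9.000, FRAME_B)]
SAMPLE_TX = [(1.002, FRAME_A), (2.000, FRAME_C), (2.001, FRAME_C)]

if __name__ == "__main__":
    for f in find_duplicates(SAMPLE_RX, SAMPLE_TX):
        print(f["original"], "->", f["duplicate"],
              f"{f['gap'] * 1000:.1f} ms:", verdict(f))
```

In the sample, FRAME_A is flagged as a cross-direction pair, FRAME_C as a same-direction pair, and FRAME_B is ignored because its two copies are six seconds apart.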