nat - Where to place a port-mirroring switch for home network monitoring

07
2014-07
  • gregnr

    I want to start monitoring traffic that goes in and out of my home network.

    I'd like to collect information like bandwidth usage and (specifically) HTTP requests from home computers to websites. From my research, nTop appears to be a good candidate for the job.

    My plan was to install nTop on a spare Linux box and route all network traffic through that box. From my research, monitoring is commonly done using a switch that can do port-mirroring. The computers on the LAN connect to the switch, and when port-mirroring is set up, all traffic from these LAN computers can be mirrored to a designated port on the switch that my Linux monitoring box connects to. I can then receive and monitor this traffic.


    My problem is where to place the switch on the network. Our network is set up like the following:

    Internet --> Modem --> Wireless router --> Wired and wireless computers
    

    I could place the switch immediately downstream from the router and route all wired connections through the switch. I would connect the monitoring box to the switch, and then the switch to the router. It would look like the following:

    Internet --> Modem --> Wireless router --> Switch --> Wired Computers
    

    The problem is all wireless devices will still go directly to the router and bypass my switch. An alternative set up would be the following:

    Internet --> Modem --> Switch --> Wireless router --> Wired and wireless computers
    

    This seems like a good solution, however all traffic going through that switch is now coming from the router which performs Network Address Translation (NAT).


    Since the router is performing NAT, does this mean that all traffic that reaches the switch will have a single (public) IP address? This would make it impossible to know which device on the network did each HTTP request since their IP would have been translated to a single IP.

    Is there a workaround to get both wired/wireless devices to go through the switch AS WELL AS being able to distinguish which computer sent the request?

    Thanks

  • Answers
  • Jens Ehrich

    Your best solution would be to place the switch between the router and LAN, and get a new WAP that can be placed on the LAN. This will allow you to monitor all traffic and see which internal host the traffic comes from or goes to. In this scenario you would disable the router's Wi-Fi.

    The only other solution would be to get a router that supports port mirroring directly (ex: some SonicWALL routers do this).
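
To make the NAT point in the question and the placement advice in the answer concrete, here is a small added model (not code from the thread or from nTop): a source-NAT router with a connection table, plus the per-source request counts a mirror port would see on the LAN side versus the WAN side. All addresses and packets are constructed sample values; the "untranslate" step goes beyond the thread by showing that WAN-side flows can only be attributed to internal hosts if you also have the router's own NAT table.

```python
from collections import defaultdict

# Constructed sample: three LAN hosts (two wired, one wireless), each making
# one HTTP request. Packet tuple: (src_ip, src_port, dst_ip, dst_port).
LAN_PACKETS = [
    ("192.168.1.10", 51000, "93.184.216.34", 80),  # wired desktop
    ("192.168.1.11", 51001, "93.184.216.34", 80),  # wired laptop
    ("192.168.1.20", 51002, "198.51.100.7", 80),   # wireless phone
]
PUBLIC_IP = "203.0.113.5"  # constructed WAN address of the home router


class NatRouter:
    """Minimal source-NAT model: rewrite the private source to the public IP
    and a fresh port, and remember the mapping in a connection table."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (public_ip, nat_port) -> (private_ip, private_port)
        self.table = {}

    def translate(self, pkt):
        src_ip, src_port, dst_ip, dst_port = pkt
        nat_port = self.next_port
        self.next_port += 1
        self.table[(self.public_ip, nat_port)] = (src_ip, src_port)
        return (self.public_ip, nat_port, dst_ip, dst_port)


def requests_per_source(packets):
    """What a mirror port sees: number of requests keyed by source IP."""
    counts = defaultdict(int)
    for src_ip, _, _, _ in packets:
        counts[src_ip] += 1
    return dict(counts)


def monitor_lan_side(packets):
    # Switch between router and LAN (the answer's placement): private IPs intact,
    # so every host is distinguishable. Wi-Fi clients must also hang off this
    # switch (via a separate WAP) or they never pass the mirror port.
    return requests_per_source(packets)


def monitor_wan_side(packets, router):
    # Switch between modem and router: every packet already carries the public IP,
    # so all hosts collapse into a single source.
    return requests_per_source([router.translate(p) for p in packets])


def untranslate(wan_packets, nat_table):
    # Only possible with the router's NAT table; a mirror port alone never has it.
    return requests_per_source(
        [(nat_table[(ip, port)][0], port, d, dp) for ip, port, d, dp in wan_packets])
```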


  • Related Question

    Home networking - Wireless switch?
  • user20336

    I currently have a Linksys WRT160N that has a couple wireless clients and a few wired clients. We are planning to switch from DSL to cable and unfortunately, there isn't a cable point in a location close to the wired clients (i.e. the new location of the router would be too far from the wired clients to lay Ethernet cables).

    Thus, I was wondering if there was a wireless switch of some sort in which it would be a standard Ethernet switch that would connect to my wireless network? (This is a home network, of course.)

