What is port mirroring?

Port Mirroring, also known as SPAN (Switched Port Analyzer), is a method of monitoring network traffic. With port mirroring enabled, the switch sends a copy of all network packets seen on one port (or an entire VLAN) to another port, where the packet can be analyzed.

Port Mirroring function is supported by almost all enterprise-class switches (managed switches).

Port mirroring function is best described when comparing  regular switch and switch with port mirroring support.

Figure 1. Regular Switch

In Figure 1 you see network  the traffic sent between computers A and B.

The MAC table in the memory of the switch contains information on which port is connected to particular computer.

Switch knows that:

  • Port #1 (first on the left) is not connected.
  • Port #2 is connected to A
  • Port #3 is connected to B
  • Port #4 is connected to C
  • Port #5 is connected to D

When the switch receives a packet from A to B, it routers this packet to port #3 (because B is on port #3).

Other computers (C and D) do not see this network traffic. It is hidden from them.

Conclusion: With a regular switch the network traffic is visible only to computers, which directly participare in a communication. Other computers do not see the traffic, that is not destined for them.

Figure 2. Switch with Port Mirroring

In Figure 2 you see the similar scenario: the network traffic is sent between computers A and B.

But there is a small difference: this switch supports port mirroring function. And administrator has configured the switch to mirror to computer D all network packets, which are transmitted between computers A and B.

Computer D is a listener to the traffic. Computer D can be used for network logging or call recording if we have IP phones instead of computers A and B .

Conclusion: Port mirroing allows a particular computer to see the network traffic, which is normally hidden from it.

 

 

How Port Mirroring function is used for VoIP call recording?

 The image below illustrates the usual configuration of network, which enables call recording.

 

In this example, one of IP Phones makes a call to a remote phone outside of the local network (whether it is analog phone, cellular or another IP Phone).

Network traffic from IP Phone goes through network switch with port mirroring. The switch sends to MiaRec a copy of every network packet, sent or received by IP Phone.

By using intelligent packet capturing technology, MiaRec detects Voip-related packets inside the network traffic, decodes them and saves audio on a disk.