Everything you always wanted to know about SPAN ports, Network Taps, Packet Mirrors, and the Splunk App for Stream (but were afraid to ask)

As this is my first Splunk blog post, I’ll keep this short.

This post has to do with moving raw packets around the network and analyzing their contents. In fact, not IP packets at L3, actually Ethernet frames at Layer 2.

Occasionally, engineers have a need to capture and inspect raw packets. This is usually done in the case where you don’t necessarily trust what’s going on with a given application (say a web server, or a DNS server) and you’d actually like to see what’s going over the wire, rather than what the application is telling you from its log. The use case could be one of fault isolation, troubleshooting, or an actual malicious event sourced by a human …

» Continue reading