WebHawk

  3.0
   

Info      Technology      Screenshots      Trial       Faq        Contact       Home
 
How do I configure my Cisco switch to use Port SPAN with Web Hawk?

By default, Web Hawk will attempt to transmit traffic (to block web requests & transmit Name Resolution requests) on the same port it is monitoring traffic on. When configuring a Cisco switch to perform Port SPAN on some firmware versions, the SPAN Destination Port the switch is receiving traffic on will not allow packets to be transmitted into that interface (in other words it is "unidirectional"). In this situation blocking messages cannot be transmitted and Name Resolution requests cannot take place on the SPAN Destination Port. Because of this limitation of the switch, it is necessary to follow a few steps:

Web Hawk must have 2 network cards: one NIC for monitoring traffic, and another NIC for transmitting blocking messages/performing Name Resolution.

Add a registry entry as indicated below to allow for separate Transmit & Monitor network cards:

  • Through the Windows Registry under HKEY_LOCAL_MACHINE\SOFTWARE\FutureSoft\Dynacomm i:filter\, add the DWORD: Name: TransmitOnSecondaryAdapter, with a Data value of: 1.
  • In the DynaComm i:filter program group, select Ethernet Adapter Selector.
  • In the Ethernet Adapters window, select the adapter to use for monitoring functions, then click Transmit button.
  • In the second Ethernet Adapters dialog, select the adapter to use for transmission functions, and click OK.
  • In the first Ethernet Adapters dialog, click OK.
  • Restart the DynaComm i:filter Network Monitor service.
Now the NIC that is connected to the SPAN Destination Port (a.k.a.- the Monitor NIC) must be configured to use DHCP instead of a static IP, then renew its IP address. The NIC will be assigned an auto-configuration address in the 169.254.x.x range (in accordance with RFC 3330) because the DHCP server could not be reached. The reason for doing this is that the Operating System will attempt to send some Name Resolution requests out of the Monitor NIC unless it has the auto-configuration address.

The final step is to configure the SPAN session. Configure the switch uplink to your Router/Firewall & the port that the Web Hawk's Transmit NIC is connected to, as a SPAN Source Port. This is to allow the Monitor NIC to see all the Name Resolution requests sent as they are being made from the Transmit NIC. Then configure the SPAN Destination Port as the Web Hawk's Monitor NIC. For more information on how to configure Cisco switches for Port SPAN click here See example diagram to the right.

Back to Faq
 

© 2007 - Tangent Inc. All rights reserved.                Call 1-888-TANGENT