How do I configure a PC to use wireshark through the Watchguard from/to external and trusted?

Can someone explain to me how or if it's even possible to setup the watchguard to send all traffic on the network to it's intended destination and a copy also to one pc that's running a wireshark? I've been playing around with multicast routing... no luck so far.

Comments

  • I just tried one of those wire tap things where its supposed to act like a hub and send and receive out of all ports, and when I plug in my modem to the firebox, works fine. as soon as i add a second pc in another port on the tap, all communication is lost.

  • but i'd rather somehow do it on the watchguard

  • edited October 2022

    It is easy to do with a managed switch.
    Put it between the firewall trusted interface and whatever is down stream, presumably a non-managed switch.
    Set up a mirror port, to mirror traffic from another port.
    Then connect a PC/laptop the the mirror port.

    With Fireware, one can set up bridge ports.
    I have not tried using a bridge port interface for this, but I expect it would work.

    Create a Network Bridge Configuration
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/net_config_bridge_create_c.html

  • OK, been a minute since I got my ccna (15 years ago and never used it.) I thought a bridge was a layer 2 device...same as a switch where it switches which side the traffic is on by mac address. So, it seems like a bridged port would not help.
  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @davidortenn79
    The firebox itself won't mirror a port for you, if you need to do that you'll need to use a switch that can accomplish that. Most cat5/6 taps are passive devices (meaning that they're splitting the voltage between the two connections in use.) If the split voltage is too low for the firewall to detect a link, it can cause problems.

    If you're looking for a hardware device, I'd suggest looking for a hub, as that will repeat all traffic out all ports. You will only be able to find these devices in fast ethernet models, however. If you need gigabit speeds, you will need to get a switch that can mirror a port.

    If you're just looking to gather occasional data, you can use the tcpdump tool that is built into the firebox's diagnostic tasks to do so. It can ouput pcap files that wireshark can read.

    See: (Run Diagnostic Tasks to Learn More About Log Messages)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/log_message_learn_more_wsm.html

    (A subset of these tools are available in the WebUI under system status -> diagnostics, but I would suggest using WSM if you plan on using this tool as it will allow you to run multiple captures at once if needed, and allow them to run for longer.)

    -James Carson
    WatchGuard Customer Support

Sign In to comment.