Since 1995, I have been promoting the idea of a “Bootup Baseline”. The exercise is very straightforward: you power on a device and capture all the packets generated.
I want to take a moment to explain what we will not cover. As you look at the packets you will see several types of traffic:
- Unicast to the bootup device. This is what we want to focus on.
- Broadcast or multicast from other hosts. We will ignore these for the most part.
- Flooded traffic. These are unicast packets addressed to other hosts that nevertheless arrive on your switch port. This is worth noting and possibly setting aside to determine why it is happening and whether it is ‘normal’.
The traffic gathered is there for only two reasons: either the booting host transmitted it, or the devices on the network sent it back to the booting host.
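As an added example (not code from the original post), here is a small Python classifier that buckets captured Ethernet frames into the categories above relative to the booting host's MAC address. The frames, MAC addresses and helper names below are constructed for illustration, not taken from a real capture.

```python
import struct
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def is_multicast(mac: str) -> bool:
    # The I/G bit (least significant bit of the first octet) marks group addresses.
    return int(mac.split(":")[0], 16) & 0x01 == 1

def classify(frame: bytes, host_mac: str) -> str:
    """Bucket one raw Ethernet frame relative to the booting host's MAC."""
    if len(frame) < 14:
        return "runt"                   # too short to carry an Ethernet header
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    if src == host_mac:
        return "from_host"              # the booting host transmitted it
    if dst == host_mac:
        return "unicast_to_host"        # the network answered the host: the focus
    if dst == BROADCAST or is_multicast(dst):
        return "broadcast_multicast"    # chatter from other hosts: mostly ignored
    return "flooded"                    # unicast for someone else, seen on our port

def baseline(frames, host_mac) -> Counter:
    """Count frames per bucket; the result is the bootup baseline summary."""
    return Counter(classify(f, host_mac) for f in frames)

def make_frame(dst: str, src: str, ethertype: int = 0x0800, payload: bytes = b"\x00" * 46) -> bytes:
    to_bytes = lambda m: bytes(int(x, 16) for x in m.split(":"))
    return to_bytes(dst) + to_bytes(src) + struct.pack("!H", ethertype) + payload

HOST = "00:11:22:33:44:55"   # constructed MAC of the booting device
# Constructed sample capture: a broadcast from the host, a unicast reply to it,
# unrelated multicast from another host, and a unicast frame flooded to our port.
SAMPLE = [
    make_frame(BROADCAST, HOST),                            # host -> broadcast
    make_frame(HOST, "aa:bb:cc:dd:ee:01"),                  # server -> host
    make_frame("01:00:5e:00:00:fb", "aa:bb:cc:dd:ee:02"),   # multicast from another host
    make_frame("aa:bb:cc:dd:ee:03", "aa:bb:cc:dd:ee:04"),   # flooded unicast
]

if __name__ == "__main__":
    for bucket, count in sorted(baseline(SAMPLE, HOST).items()):
        print(f"{bucket:20s} {count}")
```

Feed it the frames from your own capture (for example, raw frame bytes read from a pcap) and the "flooded" bucket is the one to investigate separately.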
The most important step in this process is to document how you captured the data. There are many ways to capture packets from a booting device, but the most popular are:
- SPAN or port mirroring. Since we are not concerned with capturing errors or timings, this works well. It is the most convenient option if you have proper access to the switch.
- TAP. In my opinion this is the best way, but it requires you to be physically close to the device and you have to break the connection to that device.
- 10/100 hub. This serves the same purpose as a TAP but with no full duplex, fibre or 1 Gb support. Since we are only interested in the details of the traffic and not timings, it works in a pinch. Ensure that the switch port connected to the hub is properly configured for half duplex.