Concepts and Definitions.

1. Port Mirroring / SPAN on a Switch.

• Port Mirroring (often called SPAN –> Switched Port Analyzer) is a Layer 2 switch feature.
• It duplicates (mirrors) traffic from one or more source ports or VLANs to a single destination port.
• The original traffic is not modified or interrupted: the switch simply creates a copy.

Typical use cases:

• Sending traffic to a packet analyzer (Wireshark, Zeek, etc.).
• Sending traffic to an IDS/IPS sensor or network probe.
• Troubleshooting and monitoring without impacting production flows.

On FortiSwitch, SPAN sessions (mirror sessions) are configured by defining:

• Source interface(s) and/or VLAN(s).
• Direction (ingress, egress, or both).
• A destination interface (monitoring port).

The destination port is usually connected to:

• A laptop with Wireshark.
• A FortiGate interface running packet capture.
• A dedicated appliance for analysis.

2. Sniffer / Packet Capture.

• Sniffer refers to the tool or process of capturing and inspecting packets.
• It is not a switch feature by it'self, but a function of:

1. A host (e.g., Wireshark on a PC).
2. A firewall (e.g., 'diagnose sniffer packet' or GUI packet capture on FortiGate).
3. Or another appliance that can read raw frames/packets.

• Sniffer views whatever packets arrive on the interface where it is attached.

Key points:

• A sniffer does not see all traffic in the network; it only sees either traffic that physically traverses the interface on which it is running, or traffic that has been 'mirrored' to that interface (via SPAN).
• If the switch forwards traffic in hardware between two ports in the same VLAN and the sniffer is on a different port (without mirroring), the sniffer will not see that traffic.

3. SPAN vs Spam.

• In switching and monitoring contexts, SPAN is synonymous with port mirroring.
• 'Spam' is unrelated here (junk email / unwanted traffic) and is likely just a typo.
• In Fortinet documents and networking literature, such as 'SPAN' for FortiSwitch, read it as 'port mirroring session'.

Analysis of knowledge base articles:

Technical Tip: How to collect sniffer captures in each port in FortiSwitch

Main ideas:

• The KB shows how to use port mirroring on a FortiSwitch to collect packet captures per-port.
• Instead of directly attaching a sniffer to every single production port:

1. Create one or more mirror sessions on the FortiSwitch.
2. Define the source ports whose traffic to analyze.
3. Use a single destination/monitor port where the analyser/sniffer is connected.

Technical implications:

• It is possible to change the source port in the mirror configuration without unplugging cables from the production devices.
• It is also possible to systematically rotate through ports and collect captures from each one using the same analyzer NIC.
• Mirroring does not interfere with the original traffic; the switch forwards frames normally and adds a copy to the monitoring port.

Why this matters:

• For troubleshooting intermittent issues on specific access ports (e.g., VoIP phones, printers, critical servers), it’s much easier to:

1. Configure mirror from that port to the analyzer port.
2. Capture traffic there.
3. Move on to the next port when needed.
4. This is more flexible and safer than directly inserting an inline tap or re-cabling every time.

Technical Tip: Port Mirroring/SPAN specific VLAN using Access Control Lists.

Main ideas:

• The article explains how to configure SPAN sessions not just by physical port, but using VLAN-based mirroring.
• Specify one or more VLANs whose traffic should be mirrored.
• This covers:

1. All ports that belong to that VLAN (e.g., all access ports in VLAN 10).
2. Potentially also tagged traffic on trunk ports, depending on the configuration.

Technical implications:

• Instead of mirroring per individual port, mirror per VLAN, which is extremely powerful in multi‑access networks.
• It's possible do captures:

1. All clients in that VLAN without reconfiguring each port.
2. Broadcast and multicast traffic within the VLAN.
3. This is very useful when:
   1. Troubleshooting broadcast storms.
   2. Investigating ARP issues or DHCP problems.
   3. Monitoring a whole user segment or a problematic VLAN (e.g., guest Wi‑Fi, IoT devices).

Additional technical analysis and practical notes.

Port Mirroring / SPAN Characteristics:

• Operates at Layer 2 within the switch.
• Typically implemented in hardware:

1. Very efficient, minimal impact on forwarding.
2. However, mirrored traffic is considered 'best effort'; under heavy load, some mirrored packets may be dropped while production traffic is still forwarded.

• Does not require IP configuration; it only cares about frames and VLAN tags.
• Does not change MAC addresses, VLAN tags, or IP headers of the mirrored frames.

Sniffer / Packet capture characteristics:

• Runs in software on a host / appliance / firewall:

1. FortiGate (CLI 'diagnose sniffer packet' or GUI -> Packet Capture).
2.  Wireshark or tcpdump on a PC or server.

• Limited by:

1. CPU performance on the device doing the capture.
2. NIC capacity (link speed) and system I/O.

• What is seen depends on where the device is located:

1. On a FortiGate WAN interface, it is possible to see routed/NATed traffic.
2. On a LAN interface, it is possible to see un-NATed internal traffic.
3. On a mirrored port, it is possible to see whatever the switch copied (which can be local intra-VLAN traffic that never goes to the FortiGate otherwise).

When to prefer port mirroring.

Use port mirroring / SPAN when:

• To have full visibility of a VLAN or a set of ports, including traffic that never traverses the FortiGate.
• In troubleshooting:

1. ARP resolution issues.
2. DHCP problems (Discover/Offer/Request/Ack).
3. STP/loop problems or broadcast storms.
4. A specific host that is misbehaving (duplicate IP, ARP poisoning, etc.).

• To feed traffic to an out-of-band IDS/IPS or analysis device.

When to prefer sniffer (without additional mirroring).

Use sniffer directly on FortiGate or a host interface when:

• The traffic already passes through that interface and is not offloaded in a way that bypasses CPU visibility.
• Debugging:

1. NAT behavior.
2. Firewall policies (accept/deny).
3. VPN tunnels and encapsulation/decapsulation.
4. Routing decisions, BGP, OSPF, etc.

• To see session-level information alongside log entries on the same device.

Practical use-case examples.

1. Troubleshooting a single user port:

• Use port mirroring:
  1. Configure a SPAN session with that user's access port as the source.
  2. Send mirrored traffic to a monitoring port.

• Use a sniffer:
  1. Capture on the monitoring port (Wireshark / FortiGate packet capture).
  2. Analyze ARP, DHCP, DNS, TCP handshakes, etc.

2. Troubleshooting all clients in a VLAN:

• Use Port Mirroring:
  • Configure VLAN-based mirroring for that VLAN.

• Use Sniffer:
  • Capture on the mirror destination to see flows for all devices in that VLAN.

3. Debugging NAT or firewall policy:
   • Use Sniffer directly on FortiGate:
     1. Capture on the relevant interface (inside or outside).
     2. Match packets with session table and logs.

•  Optionally, mirror from the switch side as well to confirm what is happening before traffic reaches the FortiGate.

Summary:

• Port Mirroring / SPAN on FortiSwitch:

1. A hardware-based switch feature that copies L2 frames from selected ports/VLANs to a destination port.
2. Essential to see intra‑VLAN traffic and all frames traversing the switch.

• Sniffer / Packet Capture:

1. The software tool/analyzer that consumes that mirrored traffic or traffic at an interface.
2. Provides protocol decoding, header inspection, and deep analysis.
3. On FortiGate it’s ideal for seeing NAT, security policies, and session behavior.

• The two do not replace each other; instead, they complement each other:

1. SPAN provides the visibility at the switch level.
2. Sniffer provides the analytical 'lens' to interpret that traffic.

Related articles:

Technical Tip: How to collect sniffer captures in each port in FortiSwitch

Technical Tip: Port Mirroring/SPAN specific VLAN using Access Control Lists