monitor session ?

Unanswered Question
Jun 21st, 2007


Have a question about monitoring a port on 4500, command is

"monitor session 1 source interface Gi3/5

monitor session 1 destination interface Gi7/46", The sniffer is on 7/46 and monitoring server is on 3/5.

But I looked at the capture session, there are some session (unicast) even destination IP is not the server are captured ? My understanding is only source or destication IP/MAC of the server are captured on port 3/5, but why I can see other sessions?


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
royalblues Thu, 06/21/2007 - 06:23

when you configure spanning, the traffic on the port 3/5 will be mirrored onto port g7/46.

This will capture all packets/sessions that are being originated from the device connected to that port and also all broadcasts/multicasts directed to the port


rico_hao40 Thu, 06/21/2007 - 07:50

Thanks for reply.

Yes, I think I should capture only packets/session are broadcasts/multicast or the unicast which source or destination is the server on that port, but my problem is besides above packet, I also captured lots session which are not brodcast/multicast, they are unicast and both the source or distication are not that server?

For example,

My server is on port g3/5, but on that port I captured>

I think this session does not have any relation with server, why I can see them on port g3/5?

Strange ? Because switch should maintain a MAC -port table that only destination MAC belong to that port are forwarding

royalblues Thu, 06/21/2007 - 10:54

This could be due to the fact that the switch is yet to learn the mac address of the destination on any port and hence is broadcasting

Typically if a switch does not know the mac address to port pinding of any frame, it will broadcast the packet out all ports except from the one received.

i dont think you will see the entite tcp stream for that session




This Discussion