Traffic Sniffing Question (Easy)

Unanswered Question

Hi All,

I have an easy question. I want to sniff a network port on my 3560 switch. I was going to use SPAN to repeat the traffic to another interface, plug my laptop into that interface and watch the traffic.

My question is, when I plug my laptop into the SPAN'd port, do I give it an IP address of its own or do I give it the IP address of the machine being monitored?

Also, if there is a better way other than SPAN and a Laptop with sniffing software, recommendations would be appreciated. Thanks!


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
cisconoobie Wed, 10/17/2007 - 13:48

I have my port blank, only spanning-tree portfast.

Install ethereal and set to capture packets for your port.

andrew.butterworth Wed, 10/17/2007 - 14:05

Personally I have a PCMCIA NIC installed in my laptop in addition to the onboard NIC. I have all the bindings removed from this 2nd NIC to stop Windows attempting to use it for networking. I use this 2nd NIC as a solely monitor interface. The leaves me able to still telnet etc from the other NIC, plus it stops me capturing packets that the PC is generating.

I use WireShark (what was Ethereal) and think this is an excellent piece of (free) software.

If you are sniffing VLAN Trunks or ports using Voice VLANs be careful with Intel & Broadcom drivers since they strip the VLAN tags off before passing the frames up the stack. Both have registry keys to disable this behaviour.




This Discussion