10-17-2007 10:28 AM - edited 03-05-2019 07:09 PM
Hi All,
I have an easy question. I want to sniff a network port on my 3560 switch. I was going to use SPAN to repeat the traffic to another interface, plug my laptop into that interface and watch the traffic.
My question is, when I plug my laptop into the SPAN'd port, do I give it an IP address of its own or do I give it the IP address of the machine being monitored?
Also, if there is a better way other than SPAN and a Laptop with sniffing software, recommendations would be appreciated. Thanks!
Gus
10-17-2007 01:48 PM
I have my port blank, only spanning-tree portfast.
Install ethereal and set to capture packets for your port.
10-17-2007 02:05 PM
Personally I have a PCMCIA NIC installed in my laptop in addition to the onboard NIC. I have all the bindings removed from this 2nd NIC to stop Windows attempting to use it for networking. I use this 2nd NIC as a solely monitor interface. The leaves me able to still telnet etc from the other NIC, plus it stops me capturing packets that the PC is generating.
I use WireShark (what was Ethereal) and think this is an excellent piece of (free) software.
If you are sniffing VLAN Trunks or ports using Voice VLANs be careful with Intel & Broadcom drivers since they strip the VLAN tags off before passing the frames up the stack. Both have registry keys to disable this behaviour.
HTH
Andy
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide