Is it possible for a SPAN session to drop/miss traffic?

Unanswered Question
Feb 14th, 2008


I'm looking into an odd problem here. It all started when I realized our IDSM was randomly NOT triggering on malicious traffic flowing through a trunked interface. This interface handles all our VLANs but only three of those are filtered on the SPAN session sending traffic to the IDSM.

As a troubleshooting step I set the SPAN session destination to a sniffer and sent some nessus and malicious web traffic over the trunk...some was seen on the sniffer but not all.

What could be the problem here? We have a 6513 with SUP720 and DFC cards, is it possible that some traffic is missed by the SPAN session and sent directly to the ports by the DFC? I haven't found any clues in the IDSM manuals or the IOS guide for our 6513.



Richard Burts Thu, 02/14/2008 - 08:22


Without knowing any details of your environment I will suggest that one way that traffic can be dropped in a SPAN session is to oversubscribe the SPAN destination. For example if you have 3 source ports with each being 100 Mb and a single SPAN port also at 100 Mb then it is possible to generate more traffic to SPAN than the SPAN port can handle and some traffic will be dropped.



hoffa2000 Thu, 02/14/2008 - 10:26

Thanks for your answer. I agree it's not easy to solve these things without prior knowledge. To answer your suggestion of oversubscription, I find that unlikely in my case. The trunk port being monitored IS a 1gb port but not at more than 20-30% utilization and the destination port is also a 1gb port.


