Solved: SPAN monitor with encapsulation replication on 3560

Kevin Dorrell · ‎02-25-2008

I have a problem with local SPAN on a 3560. I can monitor a trunk port OK:

<code>

monitor session 1 source interface F0/1

monitor session 1 destination interface F0/8

</code>

Using Wireshark on F0/8, I can see the packets on F0/1 OK from both the phone (tagged VLAN) and the PC (untagged native). But of course what I cannot see is the CoS value ... which is what I am interested in. So I do:

<code>

monitor session 1 destination interface F0/8 encapsulation replicate

</code>

Now I don't see any packets at all on the Wireshark. The interface output counters on F0/8 are stll counting packets, but I see nothing on the monitor.

Has anyone else had this experience?

Kevin Dorrell

Luxembourg

andrew.butterworth · ‎02-25-2008

What NIC are you using? This sounds like a NIC driver issue although I would have expected traffic to be visible in Wireshark but the Tags being stripped off by the driver.

It you have an Intel NIC try here:

http://www.intel.com/support/network/sb/cs-005897.htm

If its a Broadcom NIC try here:

http://7200emu.hacki.at/viewtopic.php?t=1409

I am not sure about other NIC's.

HTH

Andy

View solution in original post

andrew.butterworth · ‎02-25-2008

What NIC are you using? This sounds like a NIC driver issue although I would have expected traffic to be visible in Wireshark but the Tags being stripped off by the driver.

It you have an Intel NIC try here:

http://www.intel.com/support/network/sb/cs-005897.htm

If its a Broadcom NIC try here:

http://7200emu.hacki.at/viewtopic.php?t=1409

I am not sure about other NIC's.

HTH

Andy

Kevin Dorrell · ‎02-25-2008

Thanks for the reply Andy. The NIC was the internal NIC of the laptop. I'll have a look at its spec tomorrow.

If the driver is going to strip the tags off, then that is a pity because I am specificaly interested in monitoring the CoS. The phone is not Cisco, and I want to know whether its internal switch will allow the PC to cheat by putting its own CoS. I don't think the phone has any concept of extending the trust boundary like Cisco phones do.

I suppose I could test the Wireshark by connnecting to a dummy trunk port and see when the traffic looks like.

Kevin Dorrell

Luxembourg

andrew.butterworth · ‎02-26-2008

The two links I posted show you how to edit the Windows registry to make the driver behave as you require - i.e. Don't strip the VLAN Tags off before passing the packet up the stack.

I have tested both the Broadcom settings on my HP NC6000 laptop (using the latest drivers from Broadcoms webiste) and also the Intel settings on an Intel PRO/100+ adapter in a Dell PC.

Andy

Kevin Dorrell · ‎02-27-2008

Thank you Andy, that has solved my problem. In fact, the NIC was neither Intel nor Broadcom - it was a Marvell Yukon. However, your documents did give me the clue about what to Google. In the end, I found details on the Wireshark site itself.

And yes, it did help solve a problem with our QoS. We had a phone gateway that was not marking the traffic at all - neither voice nor signalling, neither CoS nor DSCP. So I've put a default CoS 5 on its switchport until we can get the supplier to look at it.

Thanks again.

Kevin Dorrell

Luxembourg