02-25-2008 08:04 AM - edited 03-05-2019 09:21 PM
I have a problem with local SPAN on a 3560. I can monitor a trunk port OK:
<code>
monitor session 1 source interface F0/1
monitor session 1 destination interface F0/8
</code>
Using Wireshark on F0/8, I can see the packets on F0/1 OK from both the phone (tagged VLAN) and the PC (untagged native). But of course what I cannot see is the CoS value ... which is what I am interested in. So I do:
<code>
monitor session 1 destination interface F0/8 encapsulation replicate
</code>
Now I don't see any packets at all on the Wireshark. The interface output counters on F0/8 are stll counting packets, but I see nothing on the monitor.
Has anyone else had this experience?
Kevin Dorrell
Luxembourg
Solved! Go to Solution.
02-25-2008 09:02 AM
What NIC are you using? This sounds like a NIC driver issue although I would have expected traffic to be visible in Wireshark but the Tags being stripped off by the driver.
It you have an Intel NIC try here:
http://www.intel.com/support/network/sb/cs-005897.htm
If its a Broadcom NIC try here:
http://7200emu.hacki.at/viewtopic.php?t=1409
I am not sure about other NIC's.
HTH
Andy
02-25-2008 09:02 AM
What NIC are you using? This sounds like a NIC driver issue although I would have expected traffic to be visible in Wireshark but the Tags being stripped off by the driver.
It you have an Intel NIC try here:
http://www.intel.com/support/network/sb/cs-005897.htm
If its a Broadcom NIC try here:
http://7200emu.hacki.at/viewtopic.php?t=1409
I am not sure about other NIC's.
HTH
Andy
02-25-2008 03:01 PM
Thanks for the reply Andy. The NIC was the internal NIC of the laptop. I'll have a look at its spec tomorrow.
If the driver is going to strip the tags off, then that is a pity because I am specificaly interested in monitoring the CoS. The phone is not Cisco, and I want to know whether its internal switch will allow the PC to cheat by putting its own CoS. I don't think the phone has any concept of extending the trust boundary like Cisco phones do.
I suppose I could test the Wireshark by connnecting to a dummy trunk port and see when the traffic looks like.
Kevin Dorrell
Luxembourg
02-26-2008 12:47 AM
The two links I posted show you how to edit the Windows registry to make the driver behave as you require - i.e. Don't strip the VLAN Tags off before passing the packet up the stack.
I have tested both the Broadcom settings on my HP NC6000 laptop (using the latest drivers from Broadcoms webiste) and also the Intel settings on an Intel PRO/100+ adapter in a Dell PC.
Andy
02-27-2008 07:44 AM
Thank you Andy, that has solved my problem. In fact, the NIC was neither Intel nor Broadcom - it was a Marvell Yukon. However, your documents did give me the clue about what to Google. In the end, I found details on the Wireshark site itself.
And yes, it did help solve a problem with our QoS. We had a phone gateway that was not marking the traffic at all - neither voice nor signalling, neither CoS nor DSCP. So I've put a default CoS 5 on its switchport until we can get the supplier to look at it.
Thanks again.
Kevin Dorrell
Luxembourg
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide