Monitor VLAN and Wireshark

Aug 26th, 2008

Hello

I am not sure I am in the right topic...

This is my problem:

I have configured monitor VLAN on a 2960 switch with Wireshark sniffing the packets. When I analyse the traffic I see all the packets are duplicated. Only when the monitoring is configured with VLAN. Do you have an idea?

Thanks

garytayl Wed, 08/27/2008 - 05:07

I discovered that on my SPAN a while ago and found out that the packet was received on port 1 for VLAN x and it was forwarded to port 2, therefore both packets were sent to the destination port, which is why the sniffer trace was seeing "double packets". It seems to be your case...

Hope it helps

jine Wed, 08/27/2008 - 05:56

I don't understand... you mean each packet sent on port x (in a VLAN) is forwarded on all the switch ports (in the same VLAN)?

Or only for ports 1 and 2?

garytayl Wed, 08/27/2008 - 06:18

Oh no, sorry for the misunderstanding. What I'm trying to say is that a packet is sent from port 1 and forwarded to port 2 (not all the switch ports), all under the same VLAN. Since we are monitoring VLAN x, we are going to see the packet that is coming out of port 1 and the same one but received on port 2.

Giuseppe Larosa Wed, 08/27/2008 - 06:16

Hello Jose,

In some SPAN scenarios it is normal to receive two copies of each frame on the sniffer port.

I've seen this also on CatOS 6500 for example.

Hope to help

Giuseppe

jine Wed, 08/27/2008 - 06:39

Hello Giuseppe

OK, I accept each frame is duplicated... but what is the mechanism? Why do I have this problem only with a copy of a VLAN? The packet sniffer doesn't see any duplicated packets when I monitor some ports...

Thanks

Giuseppe Larosa Thu, 08/28/2008 - 10:59

Hello Jose,

Let's first consider SPAN of a physical port: the destination port receives a copy of all frames sent or received on the source port.

In this case the sniffer sees one copy of each frame. This is reasonable.

Now, let's move to SPAN with a source VLAN: what does this mean? Let's consider for simplicity VLAN 10 with 4 access ports F0/1-4.

On F0/1 there is PC1; on F0/4 there's R1:f0, a router that provides the default gateway for PCs in VLAN 10.

So what happens?

PC1 sends a frame on port F0/1 with destination R1:f0 on port F0/4.

If SPAN copies to the monitor port all received and sent frames of ports that are members of VLAN 10, we get:

one copy: frame received on F0/1

second copy: frame sent out F0/4

For efficiency reasons, SPAN collects frames on all ports that are members of VLAN 10 in parallel, without trying to correlate them, and sends them to the destination at up to the destination port's wire speed.

I think this can explain why in some scenarios we see duplicated frames on the monitor port.

Hope to help

Giuseppe

jine Thu, 08/28/2008 - 23:09

Hello Giuseppe

Thank you for your explanation. I have understood!

Have a good weekend

Rolf Fischer Thu, 08/28/2008 - 12:00

Giuseppe explained it very well; I can just offer a short summary.

You typically see every packet duplicated when source and destination are in the same VLAN.

If you mirror the whole VLAN without using the rx- or tx-keyword, every "entering" frame and every "leaving" frame of that VLAN will be monitored.

A frame is sent from Host1 to the ingress interface of the switch and here we also enter the VLAN. The frame is duplicated by the switch and sent from its egress interface to Host2 - and here it "leaves" the VLAN.

If both interfaces are in the same VLAN, you capture both (identical) frames.

If the interfaces are in different VLANs, you only capture 1 frame.

The solution in your case should be using "tx" or "rx" in addition to the "monitor session ..." command.
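Added example (not part of the original thread, and not any poster's or Cisco's code): a small Python model of the mechanism described in the two replies above, counting how many mirror copies a VLAN-sourced SPAN session delivers for both, rx-only and tx-only monitoring. The `Port` class, the function names, port F0/9 in VLAN 20 and the frame labels are assumptions made for illustration; the inter-VLAN frame abstracts away the routing hop.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    name: str
    vlan: int

def span_copies(ingress, egress, source_vlan, direction="both"):
    """Mirror copies one switched frame produces for a VLAN-sourced SPAN session.

    Simplified model (assumption): a copy is taken when the frame is received
    on a port in the source VLAN (rx) and again when it is sent out of a port
    in the source VLAN (tx); the two copies are never correlated.
    """
    if direction not in ("both", "rx", "tx"):
        raise ValueError("direction must be 'both', 'rx' or 'tx'")
    copies = []
    if direction in ("both", "rx") and ingress.vlan == source_vlan:
        copies.append((ingress.name, "rx"))
    if direction in ("both", "tx") and egress.vlan == source_vlan:
        copies.append((egress.name, "tx"))
    return copies

def sniffer_view(frames, source_vlan, direction="both"):
    """Frame ids in the order the monitor port would deliver them."""
    seen = []
    for frame_id, ingress, egress in frames:
        seen.extend(frame_id for _ in span_copies(ingress, egress, source_vlan, direction))
    return seen

def duplicated(seen):
    """Frame ids that reached the sniffer more than once."""
    return sorted(fid for fid, n in Counter(seen).items() if n > 1)

# Constructed topology: F0/1 and F0/4 follow the thread's VLAN 10 example;
# F0/9 in VLAN 20 is a hypothetical port added for the different-VLAN case.
F0_1, F0_4, F0_9 = Port("F0/1", 10), Port("F0/4", 10), Port("F0/9", 20)
FRAMES = [
    ("PC1->R1", F0_1, F0_4),      # both ports in VLAN 10
    ("R1->PC1", F0_4, F0_1),      # reply, both ports in VLAN 10
    ("PC1->VLAN20", F0_1, F0_9),  # enters VLAN 10, leaves on VLAN 20 (routing abstracted)
]

if __name__ == "__main__":
    for direction in ("both", "rx", "tx"):
        seen = sniffer_view(FRAMES, source_vlan=10, direction=direction)
        print(f"{direction:>4}: {len(seen)} frames captured, duplicated={duplicated(seen)}")
```

In this model rx-only monitoring delivers each frame exactly once, while tx-only drops the duplicates but also misses the frame that leaves on the other VLAN.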
