Fairly easy question on SPAN/RSPAN.
I run an application server, App1 on Server1, that is experiencing errors because it seems to be dropping the connection to a vendor server on the internet.
I figured I would run Wireshark on the server to figure out what was going wrong; unfortunately, we are not really allowed to install new s/w on live servers.
I've heard that there is a feature of Cisco switches named SPAN where all in/out data on a switchport can be copied over to another. So basically, I can install Wireshark on my PC at work to run Wireshark on, and set up SPAN to copy in/out data on the server's switchport to mine?
Since my PC and the Server1 are on different switches (in fact, different locations connected via a 1 GB WAN Link) we'd actually have to run RSPAN?
My worry is about the level of data going to my PC. There is a good link between the location of my PC and the Server1, but does RSPAN basically copy *all* of the data to the other switch, or is it more efficient than this?
Any help appreciated!
You are correct, you would need to use RSPAN in that scenario.
The switch will indeed copy all data from the source port. It can do filtering based on a few basic parameters such as VLAN, but typically you'd want all traffic anyway.
The alternative to RSPAN (if you are concerned about bandwidth impact) would be to set up SPAN locally on the switch (config would also be simpler) and just plug a laptop or something running Wireshark into the destination SPAN port that you configure on that switch. You can do the capture and analyse the data later, or you can use the 'ingress' keyword when configuring the destination line of the SPAN config to allow the machine running Wireshark to still participate on the network.
In that last setup, you could then use Remote Desktop, VNC or some other desktop sharing app (MeetingPlace, WebEx or LogMeIn) to access the Wireshark PC remotely to see the data.
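The two setups discussed in this thread, as an added example that is not part of the original posts. It assumes Catalyst IOS syntax; the session number, the interface names, access VLAN 10 and RSPAN VLAN 900 are placeholders chosen for illustration.

```cisco
! Assumed names (not from the thread):
!   Gi0/1  = Server1's switchport
!   Gi0/24 = port the Wireshark machine plugs into
!   VLAN 10 = access VLAN for the capture machine, VLAN 900 = RSPAN VLAN
!
! --- Option A: local SPAN on Server1's switch, capture machine stays reachable ---
configure terminal
 no monitor session 1
 ! copy both received and transmitted frames from the server port
 monitor session 1 source interface GigabitEthernet0/1 both
 ! 'ingress' lets the destination port also accept traffic from the
 ! capture machine, so it can be reached by remote desktop in VLAN 10
 monitor session 1 destination interface GigabitEthernet0/24 ingress untagged vlan 10
end
show monitor session 1
!
! --- Option B: RSPAN, capture machine on a different switch ---
! On Server1's switch (source side):
configure terminal
 vlan 900
  remote-span
 exit
 no monitor session 1
 monitor session 1 source interface GigabitEthernet0/1 both
 monitor session 1 destination remote vlan 900
end
!
! On the switch where the PC is connected (destination side):
configure terminal
 vlan 900
  remote-span
 exit
 no monitor session 1
 monitor session 1 source remote vlan 900
 monitor session 1 destination interface GigabitEthernet0/24
end
show monitor session 1
```

With option B every mirrored frame crosses the links between the two switches inside VLAN 900, so that VLAN has to be allowed on each trunk in the path and the mirrored volume adds to the load on those links.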