Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3044
Views
0
Helpful
4
Replies

Catalyst 3750 SPAN Question

QuikeyMan_2
Level 1
Level 1

‎08-31-2010 11:06 AM - edited ‎03-06-2019 12:45 PM

In hopes to monitor all packet activity on a Catalyst 3750 switch, I have created a SPAN where I have been attempting to use the destination port for packet sniffing.  The issue is that I can only see broadcasts as well as inbound/outbound activity from the NIC on the system I have been using.  The SPAN was setup as follows:

monitor session 1 source vlan 1 both

montior session 1 destiantion interface Gi1/0/11

Note that this network consists of one vlan, vlan 1.  I have also tried the following setup with the same result as the first:

monitor session 1 source interface Gi1/0/1 - 10 both

monitor session 1 source interface Gi1/0/12 - 24 both

monitor session 1 destination interface Gi1/0/11

Am I missing a step?  Any relevant infromation would be appreciated.  Thanks.

Labels:
0 Helpful
4 Replies 4

QuikeyMan_2
Level 1
Level 1

‎08-31-2010 01:34 PM

show monitor session 1 detail

Session 1

---------

Type              : Local Session

Source Ports      :

RX Only       : None

TX Only       : None

Both          : Gi1/0/1-10,Gi1/0/12-24

Source VLANs      :

RX Only       : None

TX Only       : None

Both          : None

Source RSPAN VLAN : None

Destination Ports : Gi1/0/11

Encapsulation : Native

Ingress : Disabled

Filter VLANs      : None

Dest RSPAN VLAN   : None

0 Helpful

Siddharth Chandrachud
Cisco Employee
Cisco Employee
In response to QuikeyMan_2

‎08-31-2010 02:47 PM

Hello,

Please send me the output of :

show vlan

show int Gi1/0/11

show int Gi1/0/1

show int Gi1/0/10

Sid Chandrachud

Cisco TAC

0 Helpful

QuikeyMan_2
Level 1
Level 1
In response to Siddharth Chandrachud

‎09-01-2010 05:42 AM

VLAN Name                             Status    Ports

---- -------------------------------- --------- -------------------------------

1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3

                                                Gi1/0/4, Gi1/0/5, Gi1/0/6

                                                Gi1/0/7, Gi1/0/8, Gi1/0/9

                                                Gi1/0/10, Gi1/0/11, Gi1/0/12

                                                Gi1/0/13, Gi1/0/14, Gi1/0/15

                                                Gi1/0/16, Gi1/0/17, Gi1/0/18

                                                Gi1/0/19, Gi1/0/20, Gi1/0/21

                                                Gi1/0/22, Gi1/0/23, Gi1/0/24

                                                Gi1/0/25, Gi1/0/26, Gi1/0/27

                                                Gi1/0/28, Gi1/0/29, Gi1/0/30

                                                Gi1/0/31, Gi1/0/32, Gi1/0/33

                                                Gi1/0/34, Gi1/0/35, Gi1/0/36

                                                Gi1/0/37, Gi1/0/38, Gi1/0/39

                                                Gi1/0/40, Gi1/0/41, Gi1/0/42

                                                Gi1/0/43, Gi1/0/44, Gi1/0/45

                                                Gi1/0/46, Gi1/0/47, Gi1/0/48

                                                Gi1/0/49, Gi1/0/50, Gi1/0/51

                                                Gi1/0/52, Gi2/0/1, Gi2/0/2

                                                Gi2/0/3, Gi2/0/4, Gi2/0/5

                                                Gi2/0/6, Gi2/0/7, Gi2/0/8

         

VLAN Name                             Status    Ports

---- -------------------------------- --------- -------------------------------

                                                Gi2/0/9, Gi2/0/10, Gi2/0/11

                                                Gi2/0/12, Gi2/0/13, Gi2/0/14

                                                Gi2/0/15, Gi2/0/16, Gi2/0/17

                                                Gi2/0/18, Gi2/0/19, Gi2/0/20

                                                Gi2/0/21, Gi2/0/22, Gi2/0/23

                                                Gi2/0/24, Gi2/0/25, Gi2/0/26

                                                Gi2/0/27, Gi2/0/28

1002 fddi-default                     act/unsup

1003 token-ring-default               act/unsup

1004 fddinet-default                  act/unsup

1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

1    enet  100001     1500  -      -      -        -    -        0      0  

1002 fddi  101002     1500  -      -      -        -    -        0      0  

1003 tr    101003     1500  -      -      -        -    -        0      0  

1004 fdnet 101004     1500  -      -      -        ieee -        0      0  

1005 trnet 101005     1500  -      -      -        ibm  -        0      0  

Remote SPAN VLANs

------------------------------------------------------------------------------

Primary Secondary Type              Ports

------- --------- ----------------- ------------------------------------------

GigabitEthernet1/0/11 is up, line protocol is down (monitoring)

  Hardware is Gigabit Ethernet, address is 0015.624d.0e8b (bia 0015.624d.0e8b)

  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  Keepalive set (10 sec)

  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX

  input flow-control is off, output flow-control is unsupported

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input never, output 15:46:40, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 1025000 bits/sec, 163 packets/sec

     250630515 packets input, 1048365771 bytes, 0 no buffer

     Received 1487 broadcasts (0 multicast)

     0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     0 watchdog, 0 multicast, 0 pause input

     0 input packets with dribble condition detected

     521917037 packets output, 2714351526 bytes, 0 underruns

     0 output errors, 0 collisions, 1 interface resets

     0 babbles, 0 late collision, 0 deferred

     0 lost carrier, 0 no carrier, 0 PAUSE output

     0 output buffer failures, 0 output buffers swapped out

GigabitEthernet1/0/1 is down, line protocol is down (notconnect)

  Hardware is Gigabit Ethernet, address is 0015.624d.0e81 (bia 0015.624d.0e81)

  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  Keepalive set (10 sec)

  Auto-duplex, Auto-speed, media type is 10/100/1000BaseTX

  input flow-control is off, output flow-control is unsupported

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input never, output never, output hang never

  Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     0 packets input, 0 bytes, 0 no buffer

     Received 0 broadcasts (0 multicast)

     0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     0 watchdog, 0 multicast, 0 pause input

     0 input packets with dribble condition detected

     0 packets output, 0 bytes, 0 underruns

     0 output errors, 0 collisions, 1 interface resets

     0 babbles, 0 late collision, 0 deferred

     0 lost carrier, 0 no carrier, 0 PAUSE output

     0 output buffer failures, 0 output buffers swapped out

GigabitEthernet1/0/10 is up, line protocol is up (connected)

  Hardware is Gigabit Ethernet, address is 0015.624d.0e8a (bia 0015.624d.0e8a)

  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  Keepalive set (10 sec)

  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX

  input flow-control is off, output flow-control is unsupported

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input never, output 00:00:55, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     156956949 packets input, 1361374486 bytes, 0 no buffer

     Received 33932684 broadcasts (0 multicast)

     0 runts, 0 giants, 0 throttles

     1 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     0 watchdog, 221537 multicast, 0 pause input

     0 input packets with dribble condition detected

     263045511 packets output, 4168750286 bytes, 0 underruns

     0 output errors, 0 collisions, 1 interface resets

     0 babbles, 0 late collision, 0 deferred

     0 lost carrier, 0 no carrier, 0 PAUSE output

     0 output buffer failures, 0 output buffers swapped out

0 Helpful

Siddharth Chandrachud
Cisco Employee
Cisco Employee
In response to QuikeyMan_2

‎09-01-2010 09:52 AM

Hello,

a. The span destination port seems to forwarding traffic correctly in outbound direction.

GigabitEthernet1/0/11 is up, line protocol is down (monitoring)

:           :                :            :

  5 minute output rate 1025000 bits/sec, 163 packets/sec    <-----

  :          :               :

521917037 packets output, 2714351526 bytes, 0 underruns

b. The issue most likely is the NIC on the workstation used to see the capture traffic.

The NIC card needs to be in promiscous mode for it to accept all traffic coming in on the interface.

Otherwise, it will only accept frames destined to it.

http://www.wireshark.org/faq.html#q7.1

Most network interfaces can also be put in "promiscuous" mode, in which they supply to the host all network packets they see.

Wireshark will try to put the interface on which it's capturing into promiscuous mode unless the "Capture packets in promiscuous mode" option is turned off in the "Capture Options" dialog box, and TShark will try to put the interface on which it's capturing into promiscuous mode unless the -p option was specified.

However, some network interfaces don't support promiscuous mode, and some OSes might not allow interfaces to be put into promiscuous mode.
If the interface is not running in promiscuous mode, it won't see any traffic that isn't intended to be seen by your machine. It will see broadcast packets, and multicast packets sent to a multicast MAC address the interface is set up to receive.

c. Check the host settings. Try using a different machine to check the captured packets.

Sid Chandrachud

Cisco TAC

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card