How do we use Wireshark on Cisco networks

sarahr202
Level 5

Hi everybody,

I was toying around with Wireshark when I noticed the remote packet capture option. I googled it and found that we have to load the remote packet capture protocol on the target node.

Here is my scenario.

We have Cisco networks, routers and switches, and we want to capture the packets entering a specific router port. How do we do that using Wireshark?

Do we have to download the above-mentioned program on the router? How do we do that?

The only thing I know is to use IOS to configure routers. But do we load the remote packet capture protocol so we can remotely capture packets entering a specific router interface?

Thanks

3 Accepted Solutions

cadet alain
VIP Alumni

Hi,

On switches you use SPAN or RSPAN, and on routers you can use RITE or EPC.

Here are the links:

1) SPAN-RSPAN: http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_13_ea1/configuration/guide/swspan.html

2) RITE: http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_rawip.html

3) EPC: http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_packet_capture_ps6441_TSD_Products_Configuration_Guide_Chapter.html

Regards.

Alain.

Don't forget to rate helpful posts.

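An EPC (Embedded Packet Capture) session for the router case in the question, as an added example that is not part of the original post. The buffer name `CAPBUF`, capture point name `CAPPOINT`, ACL 150, interface GigabitEthernet0/0 and TFTP server 192.0.2.10 are all assumed values, and the syntax is the IOS 12.4(20)T-style `monitor capture` command set.

```cisco
! Added example: names, ACL number, interface and addresses are assumptions.
! Optional filter so the buffer only holds the traffic under investigation.
configure terminal
 access-list 150 permit ip host 198.51.100.20 any
 access-list 150 permit ip any host 198.51.100.20
end

! 1. Bounded capture buffer (size in KB, max-size = bytes kept per packet).
!    "linear" stops when full instead of overwriting older packets.
monitor capture buffer CAPBUF size 2048 max-size 1518 linear
monitor capture buffer CAPBUF filter access-list 150

! 2. Capture point on the CEF path of the router interface, both directions.
monitor capture point ip cef CAPPOINT GigabitEthernet0/0 both

! 3. Tie the capture point to the buffer and start capturing.
monitor capture point associate CAPPOINT CAPBUF
monitor capture point start CAPPOINT

! 4. Check progress, then stop once the traffic has been seen.
show monitor capture buffer CAPBUF parameters
monitor capture point stop CAPPOINT

! 5. Export as a PCAP file and open it in Wireshark on the PC.
monitor capture buffer CAPBUF export tftp://192.0.2.10/capbuf.pcap

! 6. Clean up so no capture state or captured payload stays on the router.
no monitor capture point ip cef CAPPOINT GigabitEthernet0/0 both
no monitor capture buffer CAPBUF
```

The exported file contains full packet payloads, so it should be moved over a trusted path and stored like any other sensitive capture.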

hobbe
Level 7

To use Wireshark on a network, in its simplest form you configure a SPAN port at the local switch.

The command for this on, e.g., a 3750 would be something like this:

monitor session (session number, e.g. 1) source interface (and add the interface you want to listen to, e.g. gig1/0/1)

and then you set up the port you want your Wireshark to be connected to:

monitor session (same as session above) destination interface (and add the interface you want to send the traffic out on, e.g. gig1/0/2)

A tip: if you are to use a monitor port on a switch, put an empty RJ45 connector in the destination switchport if you leave it configured, so that you or someone else does not use it by mistake.

The monitor port cannot send data out to the switch anymore, but it will receive all that the source port sees and sends.

Then there are several other ways, such as using packet capture in the ASA and then exporting it and looking at it in Wireshark.

You can set up a place where you have a Wireshark computer set up and you can monitor any port in the network.

This can be done through the use of RSPAN.

Good luck

HTH

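The local SPAN session described in the post above, written out as a full configuration with verification and teardown. This is an added example, not part of the original post; it assumes a Catalyst 3750 with the monitored port on GigabitEthernet1/0/1 and the Wireshark PC on GigabitEthernet1/0/2.

```cisco
! Added example: session number and interface numbers are assumptions.
configure terminal
 ! Label the destination port so nobody patches a user device into it.
 interface GigabitEthernet1/0/2
  description SPAN destination - Wireshark capture PC only
 exit
 ! Copy traffic received and sent on Gi1/0/1 ...
 monitor session 1 source interface GigabitEthernet1/0/1 both
 ! ... to Gi1/0/2, which stops forwarding normal traffic while it is a
 ! SPAN destination.
 monitor session 1 destination interface GigabitEthernet1/0/2
end

! Verify the session: source port(s), direction and destination port.
show monitor session 1

! When the capture is finished, remove the session so the mirrored copy of
! the traffic is no longer available on Gi1/0/2 and the port returns to
! normal use.
configure terminal
 no monitor session 1
end
show monitor session all
```

Anything plugged into the destination port receives a copy of every frame on the source port, so leftover SPAN sessions are worth checking for with `show monitor session all` during configuration reviews.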

Giuseppe Larosa
Hall of Fame

Hello Sarah,

>> Do we have to download the above-mentioned program on the router? How do we do that?

No, this is not possible: as IOS is a closed system, we cannot install a program over it.

There are some options explained by Alain.

The typical use we do is:

We put a PC running Wireshark connected to the destination port of a SPAN session configured on a switch, or its variants (RSPAN and ERSPAN).

Hope to help

Giuseppe


Hello Hobbe/Giuseppe,

I have a doubt about the above replies. Please find the below statement.

"The monitor port cannot send data out to the switch anymore, but it will receive all that the source port sees and sends."

Correct me if I understood it wrongly. It says that the source port will not be actively involved in any switching, as other ports in the same switch where we have not enabled SPAN are.

Does it mean it will not switch traffic?

Can we use it in live or production traffic for testing?

Regards,

Sinjish.K

Hello Sinjish,

Hobbe meant a SPAN destination port, which the PC with Wireshark would be connected to. This destination port will only be able to send traffic to the connected Wireshark, but not in the other direction.

Source port will function properly with no service impact to switching.

Kind Regards,
Ivan

Please grade this post if you find it useful.