How do we use Wireshark on Cisco networks

Answered Question
Jan 4th, 2011

Hi everybody,

I was toying around with Wireshark when I noticed the remote packet capture option. I googled it and found that we have to load the remote packet capture protocol on the target node.

Here is my scenario.

We have Cisco networks, routers and switches, and we want to capture the packets entering a specific router port. How do we do that using Wireshark?

Do we have to download the above-mentioned program on the router? How do we do that?

The only thing I know is to use IOS to configure routers. But do we load the remote packet capture protocol so we can remotely capture packets entering a specific router interface?

Thanks

Correct Answer
Cadet Alain Tue, 01/04/2011 - 05:29
Correct Answer
hobbe Tue, 01/04/2011 - 06:29

To use Wireshark on a network in its simplest form, you configure a SPAN port at the local switch.

The command for this on, e.g., a 3750 would be something like this:

monitor session (session number, e.g. 1) source interface (and add the interface you would want to listen to, e.g. gig1/0/1)

and then you set up the port you want your Wireshark to be connected to:

monitor session (same as session above) destination interface (and add the interface you want to send the traffic out on, e.g. gig1/0/2)

A tip: if you are to use a monitor port on a switch, set an empty RJ45 connection in the destination switchport if you leave it configured, so that you or someone else does not use it by mistake.

The monitor port cannot send data out to the switch anymore, but it will receive all that the source port sees and sends.

Then there are several other ways, e.g. using packet capture in the ASA and then exporting it and looking at it in Wireshark.

You can set up a place where you can have a Wireshark computer set up and you can monitor any port in the network.

This can be done through the use of RSPAN.

Good luck

HTH
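
An added example, not part of hobbe's post and not a Cisco tool: his two commands with his example values filled in (session 1, Gi1/0/1 mirrored to Gi1/0/2) appear in a constructed running-config excerpt, and a short Python script lists every SPAN/RSPAN session in it so that a mirror left configured after a capture is noticed. RSPAN VLAN 900, sessions 2 and 3, and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: excerpt of a Catalyst 3750 running-config (not from the thread).
# Session 1 is hobbe's local SPAN example with his port numbers filled in.
# Sessions 2-3 and RSPAN VLAN 900 are hypothetical additions for the audit.
SAMPLE_CONFIG = """\
vlan 900
 remote-span
!
monitor session 1 source interface Gi1/0/1
monitor session 1 destination interface Gi1/0/2
monitor session 2 source interface Gi1/0/5 rx
monitor session 2 destination remote vlan 900
monitor session 3 destination interface Gi1/0/9
"""

# Assumes one interface or VLAN per line; ranges such as "Gi1/0/1 - 4" are not expanded.
SPAN_LINE = re.compile(
    r"^monitor session (\d+) (source|destination) "
    r"(interface|remote vlan|vlan) (\S+)(?: (rx|tx|both))?",
    re.M,
)


def parse_span(config):
    """Map session number -> {'source': [...], 'destination': [...]}."""
    sessions = {}
    for num, role, kind, target, direction in SPAN_LINE.findall(config):
        entry = f"{kind} {target}"
        if role == "source":
            entry += f" ({direction or 'both'})"  # IOS mirrors both directions by default
        sessions.setdefault(int(num), {"source": [], "destination": []})[role].append(entry)
    return sessions


def audit(config):
    """Return (session, sources, destinations, status) for every SPAN session found."""
    rows = []
    for num, s in sorted(parse_span(config).items()):
        complete = bool(s["source"] and s["destination"])
        status = "mirroring configured" if complete else "incomplete leftover"
        rows.append((num, s["source"], s["destination"], status))
    return rows


if __name__ == "__main__":
    for num, src, dst, status in audit(SAMPLE_CONFIG):
        print(f"session {num}: {', '.join(src) or '-'} -> {', '.join(dst) or '-'} [{status}]")
```

Run it against saved `show running-config` output; on the switch itself, `show monitor session all` lists the configured sessions and `no monitor session 1` removes one.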

Correct Answer
Giuseppe Larosa Tue, 01/04/2011 - 12:18

Hello Sarah,

>> Do we have to download the above-mentioned program on the router? How do we do that?

No, this is not possible: as IOS is a closed system, we cannot install a program over it.

There are some options explained by Alain.

The typical use we do is:

We put a PC running Wireshark connected to the destination port of a SPAN session configured on a switch, or its variants (RSPAN and ERSPAN).

Hope to help

Giuseppe

k_sinjish Tue, 05/29/2012 - 23:56

Hello Hobbe/Giuseppe,

I have a doubt about the above replies. Please find the statement below.

"The monitor port cannot send data out to the switch anymore, but it will receive all that the source port sees and sends."

Correct me if I understood it wrongly. It says that the source port will not be actively involved in any switching, as the other ports in the same switch where we have not enabled SPAN are.

Does it mean it will not switch traffic?

Can we use it in live or production traffic for testing?

Regards,

Sinjish.K

Ivan Shirshin Wed, 05/30/2012 - 00:03

Hello Sinjish,

Hobbe meant a SPAN destination port, where the PC with Wireshark would be connected to. This destination port will only be able to send traffic to the connected Wireshark PC, but not in the other direction.

The source port will function properly with no service impact to switching.

Kind Regards,
Ivan

**Please grade this post if you find it useful.

This Discussion

Posted January 4, 2011 at 5:17 AM