Solved: Packet capture on cisco 3800

suthomas1 · ‎05-29-2017

Hello,

We were doing a wireshark capture on one of the 3800 (all 1G sfp slots). We were using one of the ports with GLC-T to capture traffic on a specific vlan as the layer 3 resides on this switch.

On connecting our laptop & putting in the required span configurations, the ethernet port of the laptop didn't appear to be connecting however the captures were happening. Does the laptop connected port need any specific configuration (eg. an IP or vlan on it )?

Thanks in advance.

Reza Sharifi · ‎05-29-2017

Hi,

Have a look. Here is an example with source and destination:

monitor session 1 source interface gigabitEthernet 1/0/2

monitor session 1 destination interface gigabitEthernet 1/0/3

Destination port is port your pc/laptop connected to running Wireshark.

Link for 3850 series:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/network_management/configuration_guide/b_nm_3se_3850_cg/b_nm_3se_3850_cg_chapter_0111.html#d35770e1987a1635

HTH

View solution in original post

Reza Sharifi · ‎05-29-2017

Hi,

Yes, the laptop needs to have an IP address to connect to the network. You can put the laptop in the same subnet as the source or could be in a different vlan/subnet.

HTH

suthomas1 · ‎05-29-2017

Thanks. i see, i was under the impression that the port connected to laptop (with wireshark) only needs switchport & switchport monitor command.

I also noticed the following when connected to it. there was no option of switchport monitor command. Please help.

sw-loc1(config)#int GigabitEthernet1/0/2
sw-loc1(config-if)#shu
sw-loc1(config-if)#switchport monito
sw-loc1(config-if)#switchport ?
access         Set access mode characteristics of the interface
autostate      Include or exclude this port from vlan link up calculation
backup         Set backup for the interface
block          Disable forwarding of unknown uni/multi cast addresses
host           Set port host
mode           Set trunking mode of the interface
nonegotiate    Device will not engage in negotiation protocol on this interface
port-security Security related command
priority       Set appliance 802.1p priority
protected      Configure an interface to be a protected port
trunk          Set trunking characteristics of the interface
voice          Voice appliance attributes

Reza Sharifi · ‎05-29-2017

Hi,

Have a look. Here is an example with source and destination:

monitor session 1 source interface gigabitEthernet 1/0/2

monitor session 1 destination interface gigabitEthernet 1/0/3

Destination port is port your pc/laptop connected to running Wireshark.

Link for 3850 series:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/network_management/configuration_guide/b_nm_3se_3850_cg/b_nm_3se_3850_cg_chapter_0111.html#d35770e1987a1635

HTH

suthomas1 · ‎05-30-2017

Thanks.

In my case, the source is an entire vlan.

so, monitor session 1 source vlan 86 both

the network uses dhcp ip's. So should the destination port (connecting the wireshark laptop) be just configured as access vlan for that dhcp network so it could get ip?

a.alekseev · ‎05-30-2017

leave default configuration port for destination port.

you cannot use monitoring destination port for remote access.

If you need manage your laptop so you need additional physical interface, wireless for example.