×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

traffic sniffing on switch ports not working _2950

Unanswered Question
Sep 9th, 2003
User Badges:

Here`s the situation: Two PCs are sending traffic each other and i have this special application running in a third PC where i sniff traffic between those machines and use the packets for a special application. I bought a cisco switch 2950 and connected the three devices to it but the third machine cant sniff the comunication among the other two. Used SPAN sending traffic to the third PC port but doesnt connect to network. Please need support...

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
r.trejo Wed, 09/10/2003 - 12:28
User Badges:

I use a sniffer software running on Red hat. by the way, i was using a normal 3com hub before and it sniffed, now with the switch is not. Also i have not configured any VLAN to segment ports yet in my 2950.

Yes, i specified the source and destination but Red Hat doesnt even connects to the switch. I read that the destination port becomes a different port and a worksation cant be plugged to it only special network analyzers.

t.baranski Wed, 09/10/2003 - 16:50
User Badges:
  • Bronze, 100 points or more

Destination SPAN ports on 2950's can't receive packets like normal ports can, but I think you should still get a link light when connecting a device. Is this not happening? If not, does the Linux box get a link light when it's connected to a normal port?


One thing that could be causing a problem is that when SPANing packets the 2950, for whatever reason, inserts VLAN tags even when the switch is using only the default VLAN. This is not considered normal behavior (by me anyway) and it confuses some sniffers that can't parse VLAN tags, preventing them from being able to recognize the packets properly.

r.trejo Wed, 09/10/2003 - 17:05
User Badges:

The eth0 interface in linux is completely out, can`t ping ot be pinged from other PC.

a)Is there a way to untag(or around tagging) the SPAN packets and leave them intact so i avoid re-programming the sniffer to these new form packets?


b)the problem remains also if i leave the two PCs in the hub appart and only the linux to the switch . in this case there`s no tagging but still cant sniff packets from linux in switch to PC`s in hub????


c)is there a way to degrade or transform a switch port to a hub port?

robho Wed, 09/10/2003 - 19:55
User Badges:

Hi,


If you are running a version prior to 12.1(11)EA1, the switch will send dot1Q tagged packets and the sniffer may not recognize it (usually the case). I suggest loading the latest release, 12.1(14)EA1, as this behavior is changed and will send untagged frames.


-Robert

t.baranski Thu, 09/11/2003 - 16:37
User Badges:
  • Bronze, 100 points or more

Thanks for the information on tagged packets -- I wasn't aware it had been fixed.


The issue with pings to and from the sniffing device is expected behavior. Unless this has been changed via the new software release, Cat2950's can't receive packets on SPAN ports. SPAN ports can only transmit SPAN'd packets, so you're unable to talk to the sniffing interface to manage it. The common solution is to add a second NIC to the device and plug it into another port on the switch. This second NIC then gets an IP address so that you can manage the device, while the sniffing interface operates without an IP address (in "stealth mode").

r.trejo Fri, 09/12/2003 - 10:45
User Badges:

I thought before about a second NIC for Linux but i think i still have to reprogramm my sniffer to filter the SPAN tagging in the packets sent to the monitor port... don`t i?

t.baranski Fri, 09/12/2003 - 15:54
User Badges:
  • Bronze, 100 points or more

If your sniffer will be confused by the VLAN tags embedded into the packets, you'll either need to change the code to handle the tags or upgrade the switch to the aformentioned new software version.

r.trejo Fri, 09/19/2003 - 09:09
User Badges:

ok, could somebody tell me links where i can read deep information about how packets are tagged by the 2950 switch?


i really need to understand the packet handling and the SPAN packets.


thanx.

t.baranski Fri, 09/19/2003 - 16:19
User Badges:
  • Bronze, 100 points or more

I believe they're tagged in 802.1q format. Google around for 802.1q VLAN tags and you should be able to find the details.

Actions

This Discussion