09-17-2013 08:29 AM - edited 03-07-2019 03:31 PM
Hi,
We want to sniff some traffic that is passing between two nodes in our network.
The flow will look like this:
Edge switch > Core switch > (Wireless controller A) > metro ethernet link > Core switch > (wireless controller B)
Wireless controller is connected to the core switch. We want to sniff traffic that passes from controller A towards the other side of the network.
Controller A side belongs to us, hence we can only put sniffing on our end.
Please help us understand how to set up a SPAN port on a laptop in this setup.
If we connect a notebook to the core switch to sniff traffic passing through, will it be right?
Appreciate all inputs.
09-17-2013 09:28 AM
First, you have to connect the laptop to your core switch.
Source port = port to which the controller is connected
Destination port = port to which your laptop is connected
So a copy of every packet that hits the port to which the wireless controller is connected will be sent to your laptop. Run Wireshark and enjoy.
Please check the CPU utilization before doing this.
09-17-2013 05:58 PM
Thanks.
The controller is connected as an EtherChannel to the core switch, so should the destination port be the port channel?
Should it be like this:
source port ( gi1/0/1 & gi2/0/1 - Po21 ) - controller connected port
destination port ( gi1/0/5 ) - laptop port
monitor session 1 source interface Po21
monitor session 1 destination interface gi1/0/5
Would this be correct?
09-17-2013 07:13 PM
That's correct. The only thing I might note is to decide whether you want to collect both rx and tx data. By leaving it at the default, as you did above, it will capture "both" directions. Capturing both is fine, but it will increase your Wireshark capture size. I would also recommend applying a Wireshark filter to only see the specific traffic you are interested in. A simple Google search will give you more info on Wireshark filters. Lastly, remember to remove the monitor session once you are done. We often see leftover SPAN sessions causing various switch problems, so they are only recommended for use as needed.
HTH
Luke
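The reminder above to remove the monitor session can be checked offline against a saved switch configuration. The following Python script is an added example, not part of the original thread: it lists every SPAN session in a config, with its capture direction, and produces the `no monitor session` commands that remove them. The sample config and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of saved running-config lines (not from a real device).
SAMPLE_CONFIG = """\
monitor session 1 source interface Po21
monitor session 1 destination interface Gi1/0/5
monitor session 2 source interface Gi1/0/10 rx
monitor session 3 destination interface Gi1/0/7
"""

LINE_RE = re.compile(r"^monitor session (\d+) (source|destination) (.+)$")
DIR_RE = re.compile(r"\s+(rx|tx|both)$")

def parse_span_sessions(config_text):
    """Return {id: {"source": [(target, direction)], "destination": [target]}}."""
    sessions = defaultdict(lambda: {"source": [], "destination": []})
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a SPAN line
        sid, role, rest = int(m.group(1)), m.group(2), m.group(3)
        if role == "source":
            d = DIR_RE.search(rest)
            # No keyword means the default, both directions (as noted in the thread).
            direction = d.group(1) if d else "both"
            sessions[sid]["source"].append((DIR_RE.sub("", rest), direction))
        else:
            sessions[sid]["destination"].append(rest)
    return dict(sessions)

def audit(config_text):
    """Return (findings, cleanup_commands) covering every SPAN session found."""
    findings, cleanup = [], []
    for sid, s in sorted(parse_span_sessions(config_text).items()):
        # A session copies traffic only when it has a source and a destination.
        state = "active" if s["source"] and s["destination"] else "incomplete"
        findings.append((sid, state, s["source"], s["destination"]))
        cleanup.append(f"no monitor session {sid}")
    return findings, cleanup

if __name__ == "__main__":
    findings, cleanup = audit(SAMPLE_CONFIG)
    for sid, state, sources, dests in findings:
        print(f"session {sid}: {state} sources={sources} destinations={dests}")
    print("Commands to remove the sessions once the capture is done:")
    for cmd in cleanup:
        print(" ", cmd)
```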