
applying span port for sniffer

suthomas1
Level 6

Hi,

We want to sniff some traffic that is passing between two nodes in our network.

The flow will look like this:

Edge switch > Core switch > (Wireless controller A) > metro ethernet link > Core switch > (wireless controller B)

Wireless controller is connected to the core switch. We want to sniff traffic that passes from controller A towards the other side of the network.

Controller A side belongs to us, hence we can only put sniffing on our end.

Please help to understand how to set up a SPAN port on a laptop in this setup.

If we connect a notebook on the core switch to sniff traffic passing through, will it be right?

Appreciate all inputs.

Accepted Solution

Karan Puri
Level 1

First you have to connect the laptop to your core switch.
Source port = port to which the controller is connected
Destination port = port to which your laptop is connected
So a copy of every packet that hits the port to which the wireless controller is connected will be sent to your laptop. Run Wireshark and enjoy.

Please check the CPU utilization before doing this.

3 Replies

Thanks.

The controller is connected as an EtherChannel to the core switch, so should the destination port be the port channel?

Should it be like this:

source port (gi1/0/1 & gi2/0/1 - Po21) - controller connected port

destination port (gi1/0/5) - laptop port

monitor session 1 source interface Po21

monitor session 1 destination interface gi1/0/5

Would this be correct?

That's correct, the only thing I might note is to decide if you want to collect both rx and tx data. By leaving it default, as you did above, it will capture "both" directions. Capturing both is fine, but it will increase your Wireshark capture size. I would also recommend applying a Wireshark filter to only see the specific traffic you are interested in. A simple Google search will give you more info on Wireshark filters. Lastly, remember to remove the monitor session once you are done. We often see leftover SPAN sessions causing various switch problems, so they are only recommended for use as needed.

HTH

Luke
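
The advice above about removing monitor sessions can be checked against a saved configuration. The following Python script is an added example, not part of any post in this thread: it parses `monitor session` lines in the form shown in the thread and lists each session with its sources, direction, destinations and the `no monitor session N` command that removes it. The sample configuration and the function names `parse_span_sessions` and `audit_span_sessions` are constructed for illustration.

```python
import re

# Constructed sample "show running-config" excerpt; session 1 mirrors the thread's
# commands, sessions 2 and 3 are made-up leftovers for illustration.
SAMPLE_CONFIG = """\
interface Port-channel21
 description WLC uplink
!
monitor session 1 source interface Po21
monitor session 1 destination interface Gi1/0/5
monitor session 2 source interface Gi1/0/10 rx
monitor session 3 destination interface Gi1/0/7
"""

SPAN_RE = re.compile(r"^monitor session (\d+) (source|destination) (.+)$")

def parse_span_sessions(config_text):
    """Return {session_id: {"source": [(target, direction)], "destination": [target]}}."""
    sessions = {}
    for line in config_text.splitlines():
        m = SPAN_RE.match(line.strip())
        if not m:
            continue
        sid, role, rest = int(m.group(1)), m.group(2), m.group(3).split()
        entry = sessions.setdefault(sid, {"source": [], "destination": []})
        if role == "source":
            # No rx/tx keyword means the session mirrors both directions.
            direction = rest.pop() if rest[-1] in ("rx", "tx", "both") else "both"
            entry["source"].append((" ".join(rest), direction))
        else:
            entry["destination"].append(" ".join(rest))
    return sessions

def audit_span_sessions(config_text):
    """List every configured session with its state and the command that removes it."""
    findings = []
    for sid, s in sorted(parse_span_sessions(config_text).items()):
        # A session with only a source or only a destination was left half-configured.
        state = "complete" if s["source"] and s["destination"] else "incomplete"
        findings.append({"session": sid, "state": state, "sources": s["source"],
                         "destinations": s["destination"],
                         "remove_with": f"no monitor session {sid}"})
    return findings

if __name__ == "__main__":
    for finding in audit_span_sessions(SAMPLE_CONFIG):
        print(finding)
```

Any session the script reports that is not tied to a capture currently in progress is a candidate for removal.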
