Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

applying span port for sniffer

Hi,

We want to sniff some traffic that is passing between two nodes in our network.

The flow will look like this;

Edge switch > Core switch > (Wireless controller A) > metro ethernet link > Core switch > (wireless controller B)

Wireless controller is connected to the core switch. We want to sniff traffic that passes from controller A towards the other side of the network.

Controller A side belongs to us, hence we can only put sniffing on our end.

Please help to understand how to setup span port on a laptop in this setup.

If we connect a notebook on the coreswitch to sniff traffic passing through, will it be right?

Appreciate all inputs.

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re:applying span port for sniffer

1st u have to connect the laptop to your core switch...
Source port = port to which controller is connected
Destination port = port to which your laptop connected..
So every copy of packet which will hit port to wireless controller is connected will send to your laptop.. run wireshark n enjoy...

Please check the cpu utilization before doing this...

3 REPLIES
New Member

Re:applying span port for sniffer

1st u have to connect the laptop to your core switch...
Source port = port to which controller is connected
Destination port = port to which your laptop connected..
So every copy of packet which will hit port to wireless controller is connected will send to your laptop.. run wireshark n enjoy...

Please check the cpu utilization before doing this...

New Member

applying span port for sniffer

Thanks.

The controller is connected as etherchannel to the core switch, so should the destination port be port channel?

should it be like this:

source port ( gi1/0/1 & gi2/0/1 - Po21 ) - controller connected port

destination port (  gi1/0/5 ) - laptop port

monitor session 1 source interface Po21

monitor session 1 destination interface gi1/0/5

Would this be correct ?

Cisco Employee

applying span port for sniffer

That's correct, the only thing I might note is to decide if you want to collect both rx and tx data?  By leaving it default, as you did above, it will capture"both" directions.  Capturing both is fine, but it will increase your wireshark capture size.  I would also recommend applying a wireshark filter to only see the specific traffic you are interested in.  A simple Google search will give you more info on wireshark filters.  Lastly, remember to remove the monitor session once you are done.  We see leftover SPAN sessions often causing various switch problems, so they are only recomended to use as needed. 

HTH

Luke

448
Views
5
Helpful
3
Replies
CreatePlease login to create content