Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Monitor VLAN and Wireshark

Hello

I am not sure I am on the good topics...

This is my problem:

I have configured monitor VLAN on a 2960 switch with Wireshark sniffer packets. When I analyse the trafic I see all the packets are duplicated. Only when the monitoring is configured with VLAN. Have you an idea ?

Thanks

8 REPLIES
Bronze

Re: Monitor VLAN and Wireshark

I discovered that on my SPAN a while ago and found out that packet was received on port 1 for vlan x and it was forwarded to port 2 therefore both packets were sent to the destination port reason why sniffer trace was seeing "double packets". It seems to be your case....

Hope it helps

New Member

Re: Monitor VLAN and Wireshark

I don't understand ... you mean each packets sent on the port x (in a VLAN) is forwarded on all the switch ports (in the same VLAN) ?

Or only for the port 1 and 2 ??

Bronze

Re: Monitor VLAN and Wireshark

Oh no sorry for the misunderstanding, what I'm trying to say is that a packet is sent from port 1 and forwarded to port 2 (not all the switch ports)all, under same vlan. Since we are monitoring vlan x, we are going to see the packet that is coming out of port 1 and the sameone but received on port 2.

Hall of Fame Super Silver

Re: Monitor VLAN and Wireshark

Hello Jose,

in some SPAN scenarios is normal to receive two copies of each frame on the sniffer port.

I've seen this also on CatOS 6500 for example.

Hope to help

Giuseppe

New Member

Re: Monitor VLAN and Wireshark

Hello Giuseppe

Ok, I accept each frame is duplicated ... but what is the mecanism ? Why I have this problem only with a copie of VLAN ? The packets sniffer doesn't see some duplicated packets when I monitor some ports ...

Thanks

Hall of Fame Super Silver

Re: Monitor VLAN and Wireshark

Hello Jose,

let's first consider SPAN of a physical port: the destination port receives a copy of all frames sent or received on the source port.

In this case the sniffer sees one copy of each frame. This is reasonable.

Now, let's move to SPAN with a source VLAN : what does it mean this ? Let's consider for simplicity Vlan 10 with 4 access ports F0/1-4.

On F0/1 there is PC1 on F0/4 there's R1:f0 a router tha provides the default gateway for PCs in Vlan 10.

So what happens ?

PC1 sends a frame on port F0/1 with destination R1:f0 on port F0/4.

If SPAN copies on monitor port all received and sent frames of ports that are member of Vlan 10 we get :

one copy : frame received on F0/1

second copy:frame sent out F0/4

For efficiency reasons the SPAN collect frames on all ports members of VLan 10 in parallel without trying to correlate and send it to the destination up to dest port wire speed.

I think this can explain why in some scenarios we see duplicated frames on the monitor port.

Hope to help

Giuseppe

New Member

Re: Monitor VLAN and Wireshark

Hello Giuseppe

thank you for yours explanation. I have understood !

Good Week end

New Member

Re: Monitor VLAN and Wireshark

Giuseppe explained very well, I just can offer a short summing-up.

You typically see every packet duplicated, when source and destination are in the same VLAN.

If you mirror the whole VLAN without using the rx- or tx-keyword, every "entering" frame and every "leaving" frame of that VLAN will be monitored.

A frame is sent from Host1 to the ingress interface of the switch and here we also enter the VLAN. The frame is duplicated by the switch and send from its egress interface to Host2 - and "leaves" here the VLAN.

If both interface are in the same VLAN, you capture both (identical) frames.

If the interfaces are in different VLANs, you only capture 1 frame.

The solution in your case should be using "tx" or "rx" in addition of the "monitor session ..." command.

1617
Views
5
Helpful
8
Replies