Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1256
Views
0
Helpful
3
Replies

Newbie questions on SPAN/RSPAN

Go to solution
Sheen_UK1
Level 1
Level 1

‎06-12-2010 05:11 AM - edited ‎03-06-2019 11:33 AM

Hi

Fairly easy question on SPAN/RSPAN.

I run an application server, App1 on Server1, that is experiencing errors because it seems to dropping the connection to a vendor server on the internet.

I figured I would run Wireshark on the server to figure out what was going wrong, unfortunately we are not really allowed to installed new s/w on live servers.

I've heard that there is a feature of Cisco switches named SPAN where all in/out data on a switchport can be copied over to another. So basically, I can install Wireshark on my PC at work to run Wireshark on, and set up SPAN to copy in/out data on the server's switchport to mine?

Since my PC and the Server1 are on different switches (in fact, different locations connected via a 1 GB WAN Link) we'd actually have to run RSPAN?

My worry is about the level of data going to my PC. There is a good link between the location of my PC and the Server1, but does RSPAN basically copy *all* of the data to the other switch, or is it more efficient than this?

Any help appreciated!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Aaron Harrison
VIP Alumni
VIP Alumni

‎06-12-2010 05:20 AM

Hi

You are correct, you would need to use RSPAN in that scenario.

The switch will indeed copy all data from the source port, it can do filtering based on a few basic parameters such as VLAN, but typically you'd want all traffic anyway

The alternative to RSPAN (if you are concerned about bandwidth impact) would be to set up SPAN locally on the switch (config would also be simpler) and just plug a laptop or something running wireshark into the destination SPAN port that you configure on that switch. You can do the capture and analyse the data later, or you can use the 'ingress' keyword when configuring the destination line of the SPAN config to allow the machine running Wireshark to still participate on the network.

In that last setup, you could then use Remote Desktop, VNC or some other desktop sharing app (MeetingPlace, webex or logmein) to access the Wireshark PC remotely to see the data.

Regards

Aaron

Please rate helpful posts...

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Aaron Harrison
VIP Alumni
VIP Alumni

‎06-12-2010 05:20 AM

Hi

You are correct, you would need to use RSPAN in that scenario.

The switch will indeed copy all data from the source port, it can do filtering based on a few basic parameters such as VLAN, but typically you'd want all traffic anyway

The alternative to RSPAN (if you are concerned about bandwidth impact) would be to set up SPAN locally on the switch (config would also be simpler) and just plug a laptop or something running wireshark into the destination SPAN port that you configure on that switch. You can do the capture and analyse the data later, or you can use the 'ingress' keyword when configuring the destination line of the SPAN config to allow the machine running Wireshark to still participate on the network.

In that last setup, you could then use Remote Desktop, VNC or some other desktop sharing app (MeetingPlace, webex or logmein) to access the Wireshark PC remotely to see the data.

Regards

Aaron

Please rate helpful posts...

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!
0 Helpful

Go to solution
Sheen_UK1
Level 1
Level 1
In response to Aaron Harrison

‎06-12-2010 05:27 AM

Thanks Aaron for the prompt reply, much appreciated.

I had a couple of further follow up questions if you didn't mind:

- Is RSPAN typically used over WAN connections?

- Good point about setting up SPAN to a local port on Server1's switch and then connecting a laptop to that port. I have never actually used SPAN/RSPAN with Wireshark before (I've always tended to use Wireshark installed locally on the server itself)....let's say I did have Wireshark installed on a laptop and used the scenario above, is there anything special I need to confiure on Wireshark to tell it to pick up the SPAN'd traffic relating to the server as opposed to any traffic for itself?

Thanks again.

0 Helpful

Go to solution
Aaron Harrison
VIP Alumni
VIP Alumni
In response to Sheen_UK1

‎06-12-2010 05:34 AM

Hi

- RSPAN is very rarely used over anything other than a LAN - not just due to bandwidth restraints, but also because it's implemented using specially configured VLANs, and the VLANs don't generally go over WANs. If you are extended the LAN over long distances using LAN-type WAN technologies then you could use it, but generally you'd avoid it.

- No special Wireshark config needed, usually. Some NICs don't support promiscuous capture (picking up packets not address to the Wireshark NIC itself) but this is increasingly rare.

Regards

Aaron

Please rate helpful posts and mark answered questions that you've got a satisfactory response from to help identify useful content in the forums...
https://supportforums.cisco.com/docs/DOC-6212

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card