Bronze

remote port monitoring using wireshark.

Hi everybody.

I encountered a situation where I had to monitor traffic on a switch port using Wireshark, as shown below:

h1-------f1/1--SW1----------rest of network
                    |
                   f1/2
                    |
               PC wireshark

Here the source port and destination port are both on the same switch. I used these commands on SW1 and was able to capture traffic:

monitor session 1 source interface FastEthernet1/1 both
monitor session 1 destination interface FastEthernet1/2

What if the source port is located on a different switch, as shown below:

h1----f1/1-----sw1---f1/3--------------sw2----Router--------Sw3----------rest of network.
                                                                           |
                                                                       f1/2
                                                                           |
                                                                    Wireshark Pc

We wish to capture traffic on SW1's f1/1 using Wireshark connected to SW3's f1/2.

Can I still do this on SW1:

monitor session 1 source interface FastEthernet1/1 both
monitor session 1 destination interface FastEthernet1/2


If yes, how does SW1 determine that the destination port f1/2 is located on a different switch, SW3?
If not, how can we monitor traffic using Wireshark in the above case?

Thanks and have a great weekend.

6 REPLIES
Silver

Re: remote port monitoring using wireshark.

You can use RSPAN if both switches are in the same Layer 2 network (all participating switches must be trunk-connected at Layer 2),

and

ERSPAN if they are separated by a Layer 3 device. ERSPAN is only supported on 6500 switches.

RSPAN config

SW1(config)# vlan 100
SW1(config-vlan)# remote span
SW1(config-vlan)# end

SW3(config)# vlan 100
SW3(config-vlan)# remote span
SW3(config-vlan)# end

RSPAN source session

SW1(config)# monitor session 1 source interface f1/1 both
SW1(config)# monitor session 1 destination remote vlan 100

Specifying Destination Port

SW3(config)# monitor session 2 source remote vlan 100
SW3(config)# monitor session 2 destination interface f1/2

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/span.html#wp1059619

Siddhartha
Bronze

remote port monitoring using wireshark.

Thanks Giuseppe and Siddhartha.

You can use RSPAN if both switches are in the same Layer 2 network (all participating switches must be trunk-connected at Layer 2).

What if the source port and destination port are in different VLANs, for example SW1's f1/1 (source port) is in VLAN 100 and SW2's f1/2 (destination port) is in VLAN 200?

h1----f1/1-----sw1---trunk--------------sw2----trunk----------sw2
                                                                           |
                                                                       f1/2
                                                                           |
                                                                    Wireshark Pc

Hall of Fame Super Silver

Re: remote port monitoring using wireshark.

Hello Sarah,

in this case you can use RSPAN, as no routers are on the path and you have end-to-end L2 connectivity.

It is not a problem what VLAN the destination port belongs to, as it is actually configured to be the destination of a SPAN session.

It is as if you had removed the destination port and put it in a special state dedicated to this monitoring task (note that the destination port is considered down (monitoring) by the switch, and without additional commands you cannot use it for accessing the network).

Note that the RSPAN VLAN has to be permitted on all trunk links between switches on the path, and it has to be an unused, dedicated VLAN for the special configuration that disables MAC address learning.

No access ports should be members of the RSPAN VLAN on any switch on the path, for the same reason.

The RSPAN VLAN provides an L2 path between the first and the last switch and allows the captured traffic to be carried to the destination port on the destination switch.

Hope to help

Giuseppe
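As an added example (not from the thread, Cisco or the posters), a small Python audit that parses running-config excerpts from each switch on the RSPAN path and checks the rules from Siddhartha's configuration and Giuseppe's reply above: the RSPAN VLAN declared remote-span on every switch including the transit switch, permitted on every trunk, no access port placed in it, and matching source and destination sessions on the end switches. The switch names, port names and config text are constructed sample data; the sample SW2 is deliberately misconfigured so the checks have something to report.

```python
import re

CONFIGS = {  # constructed sample data, not from the thread; SW2 is the transit switch
    "SW1": "vlan 100\n remote-span\ninterface Fa1/3\n switchport mode trunk\n"
           " switchport trunk allowed vlan 10,100\nmonitor session 1 destination remote vlan 100\n",
    "SW2": "vlan 100\ninterface Fa1/1\n switchport mode trunk\n switchport trunk allowed vlan 10\n"
           "interface Fa1/2\n switchport access vlan 100\n",
    "SW3": "vlan 100\n remote-span\ninterface Fa1/3\n switchport mode trunk\n"
           "monitor session 2 source remote vlan 100\n",
}

def vlan_set(spec):  # expand a plain IOS VLAN list such as '10,100-110' (no add/remove forms)
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse(config):  # one pass over the text, tracking the enclosing 'vlan N' / 'interface X' block
    rspan, trunks, access, sessions, ctx = set(), {}, {}, [], None
    for line in config.splitlines():
        if m := re.match(r"(vlan|interface) (\S+)$", line):
            ctx = (m.group(1), m.group(2))
        elif ctx and ctx[0] == "vlan" and re.match(r"\s*remote[- ]span$", line):
            rspan.add(int(ctx[1]))
        elif ctx and ctx[0] == "interface" and "switchport mode trunk" in line:
            trunks.setdefault(ctx[1], None)  # None: every VLAN allowed (the IOS default)
        elif m := re.match(r"\s*switchport trunk allowed vlan (\S+)", line):
            trunks[ctx[1]] = vlan_set(m.group(1))
        elif m := re.match(r"\s*switchport access vlan (\d+)", line):
            access[ctx[1]] = int(m.group(1))
        elif line.startswith("monitor session"):
            sessions.append(line)
    return rspan, trunks, access, sessions

def audit(configs, vlan, src, dst):  # list every deviation from the RSPAN rules in the thread
    issues = []
    for sw, cfg in configs.items():
        rspan, trunks, access, sessions = parse(cfg)
        if vlan not in rspan:
            issues.append(f"{sw}: vlan {vlan} not declared remote-span")
        issues += [f"{sw} {p}: trunk does not allow vlan {vlan}"
                   for p, ok in trunks.items() if ok is not None and vlan not in ok]
        issues += [f"{sw} {p}: access port in RSPAN vlan {vlan}"
                   for p, v in access.items() if v == vlan]
        need = {src: f"destination remote vlan {vlan}", dst: f"source remote vlan {vlan}"}.get(sw)
        if need and not any(need in s for s in sessions):
            issues.append(f"{sw}: no monitor session with '{need}'")
    return issues
```

Running `audit(CONFIGS, 100, "SW1", "SW3")` reports the three SW2 problems (VLAN not remote-span, trunk Fa1/1 filtering VLAN 100, access port Fa1/2 in the RSPAN VLAN) and nothing for SW1 or SW3.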

Bronze

remote port monitoring using wireshark.

Hi Giuseppe, thanks for your response.

I noticed that in the following case (which is my first post), we just configured it without using a remote SPAN VLAN.

monitor session 1 source interface FastEthernet1/1 both
monitor session 1 destination interface FastEthernet1/2

h1-------f1/1--SW1----------rest of network
                    |
                   f1/2
                    |
               PC wireshark

While in the second case shown below, where the source port and destination port are located on different switches, we use remote SPAN:

SW1(config)# vlan 100
SW1(config-vlan)# remote span
SW1(config-vlan)# end

SW3(config)# vlan 100
SW3(config-vlan)# remote span
SW3(config-vlan)# end

RSPAN source session

SW1(config)# monitor session 1 source interface f1/1 both
SW1(config)# monitor session 1 destination remote vlan 100

Specifying Destination Port

SW3(config)# monitor session 2 source remote vlan 100
SW3(config)# monitor session 2 destination interface f1/2

Is the reason we did not use a remote SPAN VLAN in the first case that the source and destination ports are on the same switch?

Thanks and have a great week.

Hall of Fame Super Silver

remote port monitoring using wireshark.

Hello Sarah,

your understanding is correct: we don't need a remote SPAN VLAN because all ports are on the same switch, and this is called Local SPAN.

When you use remote SPAN, the remote SPAN VLAN has to be configured also on the switches in the middle, like SW2, as explained in my previous posts, and you have to provide an L2 path for the remote SPAN VLAN over the network.

Have a nice week you too.

Thanks

Hope to help

Giuseppe

Hall of Fame Super Silver

Re: remote port monitoring using wireshark.

Hello Sarah,

if my understanding is correct, there is a router in the path, so RSPAN should not apply to your case, as SW3 has no L2 link to the other switches.

Besides this, the remote SPAN VLAN has to be configured on all switches in the path, so if the router were not present, SW2 would also need the VLAN configured as remote SPAN, and you could use RSPAN.

As explained in the other post, if SW1 and SW3 are C6500 you could use ERSPAN to build a GRE tunnel between the two devices in order to send the captured traffic over an IP internetwork.

The link provided should give you enough information also for ERSPAN.

If your switches do not support ERSPAN I'm afraid you cannot achieve the desired setup.

Hope to help

Giuseppe
