cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4866
Views
0
Helpful
4
Replies

SPAN monitor with encapsulation replication on 3560

Kevin Dorrell
Level 10
Level 10

I have a problem with local SPAN on a 3560. I can monitor a trunk port OK:

<code>

monitor session 1 source interface F0/1

monitor session 1 destination interface F0/8

</code>

Using Wireshark on F0/8, I can see the packets on F0/1 OK from both the phone (tagged VLAN) and the PC (untagged native). But of course what I cannot see is the CoS value ... which is what I am interested in. So I do:

<code>

monitor session 1 destination interface F0/8 encapsulation replicate

</code>

Now I don't see any packets at all on the Wireshark. The interface output counters on F0/8 are stll counting packets, but I see nothing on the monitor.

Has anyone else had this experience?

Kevin Dorrell

Luxembourg

1 Accepted Solution

Accepted Solutions

What NIC are you using? This sounds like a NIC driver issue although I would have expected traffic to be visible in Wireshark but the Tags being stripped off by the driver.

It you have an Intel NIC try here:

http://www.intel.com/support/network/sb/cs-005897.htm

If its a Broadcom NIC try here:

http://7200emu.hacki.at/viewtopic.php?t=1409

I am not sure about other NIC's.

HTH

Andy

View solution in original post

4 Replies 4

What NIC are you using? This sounds like a NIC driver issue although I would have expected traffic to be visible in Wireshark but the Tags being stripped off by the driver.

It you have an Intel NIC try here:

http://www.intel.com/support/network/sb/cs-005897.htm

If its a Broadcom NIC try here:

http://7200emu.hacki.at/viewtopic.php?t=1409

I am not sure about other NIC's.

HTH

Andy

Thanks for the reply Andy. The NIC was the internal NIC of the laptop. I'll have a look at its spec tomorrow.

If the driver is going to strip the tags off, then that is a pity because I am specificaly interested in monitoring the CoS. The phone is not Cisco, and I want to know whether its internal switch will allow the PC to cheat by putting its own CoS. I don't think the phone has any concept of extending the trust boundary like Cisco phones do.

I suppose I could test the Wireshark by connnecting to a dummy trunk port and see when the traffic looks like.

Kevin Dorrell

Luxembourg

The two links I posted show you how to edit the Windows registry to make the driver behave as you require - i.e. Don't strip the VLAN Tags off before passing the packet up the stack.

I have tested both the Broadcom settings on my HP NC6000 laptop (using the latest drivers from Broadcoms webiste) and also the Intel settings on an Intel PRO/100+ adapter in a Dell PC.

Andy

Thank you Andy, that has solved my problem. In fact, the NIC was neither Intel nor Broadcom - it was a Marvell Yukon. However, your documents did give me the clue about what to Google. In the end, I found details on the Wireshark site itself.

And yes, it did help solve a problem with our QoS. We had a phone gateway that was not marking the traffic at all - neither voice nor signalling, neither CoS nor DSCP. So I've put a default CoS 5 on its switchport until we can get the supplier to look at it.

Thanks again.

Kevin Dorrell

Luxembourg

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: