Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Traffic Sniffing Question (Easy)

Hi All,

I have an easy question. I want to sniff a network port on my 3560 switch. I was going to use SPAN to repeat the traffic to another interface, plug my laptop into that interface and watch the traffic.

My question is, when I plug my laptop into the SPAN'd port, do I give it an IP address of its own or do I give it the IP address of the machine being monitored?

Also, if there is a better way other than SPAN and a Laptop with sniffing software, recommendations would be appreciated. Thanks!


Community Member

Re: Traffic Sniffing Question (Easy)

I have my port blank, only spanning-tree portfast.

Install ethereal and set to capture packets for your port.

Re: Traffic Sniffing Question (Easy)

Personally I have a PCMCIA NIC installed in my laptop in addition to the onboard NIC. I have all the bindings removed from this 2nd NIC to stop Windows attempting to use it for networking. I use this 2nd NIC as a solely monitor interface. The leaves me able to still telnet etc from the other NIC, plus it stops me capturing packets that the PC is generating.

I use WireShark (what was Ethereal) and think this is an excellent piece of (free) software.

If you are sniffing VLAN Trunks or ports using Voice VLANs be careful with Intel & Broadcom drivers since they strip the VLAN tags off before passing the frames up the stack. Both have registry keys to disable this behaviour.



CreatePlease to create content