dro
New Member

Odd SPAN monitoring behavior

Hi all. I have a 2950 running 12.1(13)EA1c. I've configured SPAN monitoring on it before, but it doesn't seem to be working properly anymore.

I set up two source ports, which are both PIX 515's, and set the destination port to a monitoring host.

The odd thing is that I can only see arp/broadcast requests from the two ports, and nothing else.

If I set the ports to only monitor rx, I see the arp requests from the PIX's and vice versa for tx. Traffic is definitely being sent on the two ports, but it's not showing up on my monitoring host.

Any ideas?

Thanks.

  • Other Network Infrastructure Subjects
7 REPLIES

Re: Odd SPAN monitoring behavior

At the destination port, what are you using to listen to the traffic?

dro
New Member

Re: Odd SPAN monitoring behavior

The destination port is a Linux box. I was just doing a tcpdump to verify the traffic was flowing before starting up any IDS services.

The server itself has an Intel PRO/100+ Dual port card. One port is connected to a separate switch (for remote access) and the second is configured for SPAN.

All I see from the two source ports are ARP requests and broadcasts.

Thanks.

Re: Odd SPAN monitoring behavior

Can you try the same with a Windows PC and Ethereal software (www.ethereal.com - totally free).

dro
New Member

Re: Odd SPAN monitoring behavior

I've tracked down the problem. It ended up being the NIC. For whatever reason, none of the Intel Pro/100 cards I had would work properly (I tried 4!), but a 3COM card worked fine when I put it in the server.

And now for the million dollar question.... why?

New Member

Re: Odd SPAN monitoring behavior

Did you use the encapsulation keyword in the span configuration? If so, there are only a handful of NICs that recognize and strip the dot1Q tag before sending to the sniffer.

dro
New Member

Re: Odd SPAN monitoring behavior

I used a pretty basic config:

monitor session 2 source interface Fa0/18 - 19 , Fa0/24

monitor session 2 destination interface Fa0/7

No encapsulation or anything special.

Thanks

New Member

Re: Odd SPAN monitoring behavior

It is probably an issue with the NIC or NIC driver you are using. I do not know of any issues after 12.1(11)EA1 code with regards to basic SPAN feature.
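
One way to quantify the symptom described in this thread on the capture host, added here as an example and not posted by any participant: it tallies the frames in a tcpdump capture file by destination MAC class. The function names, the sample MAC addresses and the two in-memory captures are constructed for illustration, and only the classic microsecond pcap format is handled.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6

def classify_pcap(data: bytes, own_mac: bytes) -> Counter:
    """Tally Ethernet frames in a classic pcap by destination-MAC class."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic microsecond-resolution pcap")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts, off = Counter(), 24
    while off + 16 <= len(data):
        # Record header fields: ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:
            counts["truncated"] += 1
        elif frame[:6] == BROADCAST:
            counts["broadcast"] += 1
        elif frame[0] & 1:               # group bit set: multicast
            counts["multicast"] += 1
        elif frame[:6] == own_mac:
            counts["unicast_to_self"] += 1
        else:                            # mirrored traffic between other hosts
            counts["unicast_to_other"] += 1
    return counts

def span_delivers_unicast(counts: Counter) -> bool:
    """True when the capture holds unicast frames addressed to other hosts."""
    return counts["unicast_to_other"] > 0

def build_pcap(frames):
    """Wrap raw Ethernet frames in a little-endian pcap (constructed samples)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed sample data: documentation-range MACs, zero-filled payloads.
OWN_MAC = bytes.fromhex("00005e0053aa")
ARP = BROADCAST + bytes.fromhex("00005e005301") + b"\x08\x06" + bytes(46)
IPV4 = bytes.fromhex("00005e00530200005e005301") + b"\x08\x00" + bytes(46)
SYMPTOM = build_pcap([ARP, ARP])            # only broadcasts reach the sniffer
EXPECTED = build_pcap([ARP, IPV4, IPV4])    # mirrored unicast is present
```

A capture from the SPAN destination with a zero `unicast_to_other` count matches the behavior dro reported; pass the bytes of a real capture file and the capture NIC's own MAC to `classify_pcap` to check.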
