
traffic sniffing on switch ports not working _2950

r.trejo
Level 1

Here's the situation: two PCs are sending traffic to each other, and I have this special application running on a third PC where I sniff traffic between those machines and use the packets for a special application. I bought a Cisco switch 2950 and connected the three devices to it, but the third machine can't sniff the communication between the other two. I used SPAN, sending traffic to the third PC's port, but it doesn't connect to the network. Please, I need support...

12 Replies

jolmo
Level 4

What sniffing software are you using?

In switch configuration, have you specified ports to monitor?

For configuring SPAN in Catalyst 2950 you can use:

http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00800d84c5.html

I use sniffer software running on Red Hat. By the way, I was using a normal 3Com hub before and it sniffed; now with the switch it does not. Also, I have not configured any VLAN to segment ports yet on my 2950.

Yes, I specified the source and destination, but Red Hat doesn't even connect to the switch. I read that the destination port becomes a different port and a workstation can't be plugged into it, only special network analyzers.

Destination SPAN ports on 2950's can't receive packets like normal ports can, but I think you should still get a link light when connecting a device. Is this not happening? If not, does the Linux box get a link light when it's connected to a normal port?

One thing that could be causing a problem is that when SPANing packets the 2950, for whatever reason, inserts VLAN tags even when the switch is using only the default VLAN. This is not considered normal behavior (by me anyway) and it confuses some sniffers that can't parse VLAN tags, preventing them from being able to recognize the packets properly.

The eth0 interface in Linux is completely out; it can't ping or be pinged from another PC.

a) Is there a way to untag (or get around tagging) the SPAN packets and leave them intact, so I avoid re-programming the sniffer for these new-form packets?

b) The problem also remains if I leave the two PCs on the hub apart and connect only the Linux box to the switch. In this case there's no tagging, but I still can't sniff packets from Linux on the switch to the PCs on the hub?

c) Is there a way to degrade or transform a switch port into a hub port?

robho
Level 3

Hi,

If you are running a version prior to 12.1(11)EA1, the switch will send dot1Q tagged packets and the sniffer may not recognize it (usually the case). I suggest loading the latest release, 12.1(14)EA1, as this behavior is changed and will send untagged frames.

-Robert

OK, thanks a lot.

Thanks for the information on tagged packets -- I wasn't aware it had been fixed.

The issue with pings to and from the sniffing device is expected behavior. Unless this has been changed via the new software release, Cat2950's can't receive packets on SPAN ports. SPAN ports can only transmit SPAN'd packets, so you're unable to talk to the sniffing interface to manage it. The common solution is to add a second NIC to the device and plug it into another port on the switch. This second NIC then gets an IP address so that you can manage the device, while the sniffing interface operates without an IP address (in "stealth mode").

I thought before about a second NIC for Linux, but I think I still have to reprogram my sniffer to filter the SPAN tagging in the packets sent to the monitor port... don't I?

If your sniffer will be confused by the VLAN tags embedded into the packets, you'll either need to change the code to handle the tags or upgrade the switch to the aforementioned new software version.

OK, could somebody give me links where I can read in-depth information about how packets are tagged by the 2950 switch?

I really need to understand the packet handling and the SPAN packets.

Thanks.

I believe they're tagged in 802.1q format. Google around for 802.1q VLAN tags and you should be able to find the details.

Try this link:

http://www.cisco.com/warp/customer/473/41.html#topic5

Actually, according to the link, you should be able to untag the packets starting with 12.1(11)EA1.
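
The replies above say a sniffer that cannot parse the 802.1Q tags on SPAN'd frames needs its code changed to handle them. As an added example (not code from any poster in this thread or from Cisco), this shows how a capture tool can detect the tag, read the VLAN fields, and hand the rest of the parser an untagged frame. The function name `untag_frame` and the sample frames are assumptions constructed for illustration, and the frame is assumed to arrive without its trailing FCS.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
ETH_HDR_LEN = 14      # dst MAC (6) + src MAC (6) + EtherType (2)
TAG_LEN = 4           # TPID (2) + TCI (2)


def untag_frame(frame: bytes):
    """Return (vlan_info, frame_without_tag).

    vlan_info is None when the frame carries no 802.1Q tag; otherwise it
    holds the priority (pcp), drop-eligible bit (dei) and VLAN ID (vid).
    Assumes the capture does not include the trailing FCS.
    """
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, frame
    if len(frame) < ETH_HDR_LEN + TAG_LEN:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    info = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
    # Remove the 4 tag bytes so the inner EtherType lands back at offset 12.
    return info, frame[:12] + frame[16:]


# Constructed sample frames (made-up MACs, start of an IPv4 header as payload).
DST = bytes.fromhex("00112233aabb")
SRC = bytes.fromhex("00112233ccdd")
PAYLOAD = bytes.fromhex("4500001c") + bytes(24)
PLAIN = DST + SRC + struct.pack("!H", 0x0800) + PAYLOAD
# Same frame as a tagged copy: TPID 0x8100, TCI 0x0001 (VLAN 1), then 0x0800.
TAGGED = DST + SRC + struct.pack("!HHH", TPID_8021Q, 0x0001, 0x0800) + PAYLOAD

if __name__ == "__main__":
    for name, frame in (("plain", PLAIN), ("tagged", TAGGED)):
        info, clean = untag_frame(frame)
        print(name, info, clean == PLAIN)
```

Calling `untag_frame` on every captured frame before the existing parsing logic lets the same sniffer work with both tagged and untagged SPAN output.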
