Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

traffic sniffing on switch ports not working _2950

Here`s the situation: Two PCs are sending traffic each other and i have this special application running in a third PC where i sniff traffic between those machines and use the packets for a special application. I bought a cisco switch 2950 and connected the three devices to it but the third machine cant sniff the comunication among the other two. Used SPAN sending traffic to the third PC port but doesnt connect to network. Please need support...

12 REPLIES
Silver

Re: traffic sniffing on switch ports not working _2950

What sniffing software are you using?

In switch configuration, have you specified ports to monitor?

For configuring SPAN in Catalyst 2950 you can use:

http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00800d84c5.html

Community Member

Re: traffic sniffing on switch ports not working _2950

I use a sniffer software running on Red hat. by the way, i was using a normal 3com hub before and it sniffed, now with the switch is not. Also i have not configured any VLAN to segment ports yet in my 2950.

Yes, i specified the source and destination but Red Hat doesnt even connects to the switch. I read that the destination port becomes a different port and a worksation cant be plugged to it only special network analyzers.

Bronze

Re: traffic sniffing on switch ports not working _2950

Destination SPAN ports on 2950's can't receive packets like normal ports can, but I think you should still get a link light when connecting a device. Is this not happening? If not, does the Linux box get a link light when it's connected to a normal port?

One thing that could be causing a problem is that when SPANing packets the 2950, for whatever reason, inserts VLAN tags even when the switch is using only the default VLAN. This is not considered normal behavior (by me anyway) and it confuses some sniffers that can't parse VLAN tags, preventing them from being able to recognize the packets properly.

Community Member

Re: traffic sniffing on switch ports not working _2950

The eth0 interface in linux is completely out, can`t ping ot be pinged from other PC.

a)Is there a way to untag(or around tagging) the SPAN packets and leave them intact so i avoid re-programming the sniffer to these new form packets?

b)the problem remains also if i leave the two PCs in the hub appart and only the linux to the switch . in this case there`s no tagging but still cant sniff packets from linux in switch to PC`s in hub????

c)is there a way to degrade or transform a switch port to a hub port?

Community Member

Re: traffic sniffing on switch ports not working _2950

Hi,

If you are running a version prior to 12.1(11)EA1, the switch will send dot1Q tagged packets and the sniffer may not recognize it (usually the case). I suggest loading the latest release, 12.1(14)EA1, as this behavior is changed and will send untagged frames.

-Robert

Community Member

Re: traffic sniffing on switch ports not working _2950

ok. thanks a lot.

Bronze

Re: traffic sniffing on switch ports not working _2950

Thanks for the information on tagged packets -- I wasn't aware it had been fixed.

The issue with pings to and from the sniffing device is expected behavior. Unless this has been changed via the new software release, Cat2950's can't receive packets on SPAN ports. SPAN ports can only transmit SPAN'd packets, so you're unable to talk to the sniffing interface to manage it. The common solution is to add a second NIC to the device and plug it into another port on the switch. This second NIC then gets an IP address so that you can manage the device, while the sniffing interface operates without an IP address (in "stealth mode").

Community Member

Re: traffic sniffing on switch ports not working _2950

I thought before about a second NIC for Linux but i think i still have to reprogramm my sniffer to filter the SPAN tagging in the packets sent to the monitor port... don`t i?

Bronze

Re: traffic sniffing on switch ports not working _2950

If your sniffer will be confused by the VLAN tags embedded into the packets, you'll either need to change the code to handle the tags or upgrade the switch to the aformentioned new software version.

Community Member

Re: traffic sniffing on switch ports not working _2950

ok, could somebody tell me links where i can read deep information about how packets are tagged by the 2950 switch?

i really need to understand the packet handling and the SPAN packets.

thanx.

Bronze

Re: traffic sniffing on switch ports not working _2950

I believe they're tagged in 802.1q format. Google around for 802.1q VLAN tags and you should be able to find the details.

Community Member

Re: traffic sniffing on switch ports not working _2950

Try this link:

http://www.cisco.com/warp/customer/473/41.html#topic5

Actually, according to the link, you should be able to untag the packets starting with 12.1(11)EA1.

158
Views
0
Helpful
12
Replies
CreatePlease to create content