02-25-2021 03:56 AM
Hi.
I'm the network admin for my organization and we've been having some security issues on our network recently, so I'm trying to investigate using Wireshark. But my issue is that Wireshark only captures packets that come to my device's network interfaces, even in promiscuous mode, since we are using a switched network. So I'm trying to find a way to set up the network that will allow me to capture packets passing through the entire network. Perhaps some configuration on the switch that may allow my port to see traffic passing through other ports. Or something...
My network has a managed switch (Cisco 2960) as the core switch, and it connects through a trunk line to an unmanaged switch that distributes to our users.
Any help would be greatly appreciated.
02-25-2021 04:12 AM
Make sure you are capturing at the right place, where the traffic leaves the network, to get more visibility.
If the VLAN you need to add all VLANs - post the configuration you configured.
Or refer to the guide below:
02-25-2021 04:30 AM - edited 02-25-2021 04:32 AM
Switch(config)# no monitor session 1
Switch(config)# monitor session 1 source interface gigabitethernet0/1
Switch(config)# monitor session 1 destination interface gigabitethernet0/2 encapsulation replicate
Switch(config)# end
!
Switch(config)# no monitor session 1 source interface gigabitethernet0/1
Switch(config)# end
!

Embedded packet capture

The config was something like:

(config mode)
ip access-list extended mycapf
 permit ip host xx.xx.xx.xx any
 permit ip any host xx.xx.xx.xx

(enable mode)
monitor capture mycap buffer size 2 circular
monitor capture mycap access-list mycapf
monitor capture mycap interface Te1/1/1
monitor capture mycap start
Here, this link will help you, as it's an example.
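An added example, not part of any post in this thread: a small Python checker that replays `monitor session` lines in order and reports SPAN sessions that would mirror nothing. Run on the SPAN commands exactly as posted above, it shows that the second block removes the only source, so pasting both blocks leaves session 1 with a destination port and no source. The names `replay` and `findings` are hypothetical, and interface names are compared as literal strings (abbreviations and ranges are not expanded).

```python
import re

# Constructed input: the SPAN commands from the reply above, in the order posted.
POSTED = """\
Switch(config)# no monitor session 1
Switch(config)# monitor session 1 source interface gigabitethernet0/1
Switch(config)# monitor session 1 destination interface gigabitethernet0/2 encapsulation replicate
Switch(config)# end
!
Switch(config)# no monitor session 1 source interface gigabitethernet0/1
Switch(config)# end
"""

LINE = re.compile(
    r"^(?P<no>no\s+)?monitor session (?P<id>\d+)"
    r"(?:\s+(?P<role>source|destination)\s+(?:interface|vlan)\s+(?P<name>\S+)(?P<rest>.*))?$",
    re.IGNORECASE)

def replay(config):
    """Apply monitor-session lines top to bottom; return {session_id: state}."""
    sessions = {}
    for raw in config.splitlines():
        line = re.sub(r"^\S+[#>]\s*", "", raw.strip())  # drop a CLI prompt if present
        m = LINE.match(line)
        if not m:
            continue  # "end", "!" and unrelated commands
        sid = int(m["id"])
        if m["role"] is None:
            if m["no"]:
                sessions.pop(sid, None)  # "no monitor session N" clears the session
            continue
        s = sessions.setdefault(sid, {"source": set(), "destination": set(), "replicate": False})
        role, name = m["role"].lower(), m["name"].lower()
        if m["no"]:
            s[role].discard(name)
        else:
            s[role].add(name)
            if role == "destination" and "encapsulation replicate" in m["rest"].lower():
                s["replicate"] = True
    return sessions

def findings(sessions):
    out = []
    for sid, s in sorted(sessions.items()):
        if not s["source"]:
            out.append(f"session {sid}: no source interface or VLAN, nothing is mirrored")
        if not s["destination"]:
            out.append(f"session {sid}: no destination port for the capture host")
        elif not s["replicate"]:
            out.append(f"session {sid}: no 'encapsulation replicate', mirrored frames are sent untagged")
    return out

if __name__ == "__main__":
    print("\n".join(findings(replay(POSTED))) or "SPAN sessions look complete")
```
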