Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1788
Views
0
Helpful
2
Replies

Catalyst 2960 Config for Wireshark Capture

Elopower123
Level 1
Level 1

‎02-25-2021 03:56 AM

Hi.

 

I'm the network admin for my organization and we've been having some security issues on our network recently so I'm trying to investigate using wireshark. But my issue is that wireshark only captures packets that come to my device's network interfaces even in promiscuous mode since we are using a switched network. So I'm trying to find a way to setup the network that will allow me capture packets passing through the entire network. Perhaps some configuration on the switch that may allow my port see traffic passing through other ports. Or something...

 

My network has a managed switch(CISCO 2960) as the core switch and connects through a trunk line to an unmanaged switch that distributes to our users.

 

Any help would be greatly appreciated.

Labels:
0 Helpful
2 Replies 2

balaji.bandi
Hall of Fame
Hall of Fame

‎02-25-2021 04:12 AM

Make sure you capturing the right place where the traffic leaving from network to get more visibility.

if the VLAN you need to add all VLANs - post the configuraiton you configured.

 

or refer below guide :

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swspan.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Sheraz.Salim
VIP
VIP

‎02-25-2021 04:30 AM - edited ‎02-25-2021 04:32 AM

 

 

 

Switch(config)# no monitor session 1
Switch(config)# monitor session 1 source interface gigabitethernet0/1
Switch(config)# monitor session 1 destination interface gigabitethernet0/2 encapsulation replicate
Switch(config)# end 
!
Switch(config)# no monitor session 1 source interface gigabitethernet0/1
Switch(config)# end 
!

Embedded packet capture

The config was something like:

(config mode)

ip access-list extended mycapf

    permit ip host xx.xx.xx.xx any

    permit ip any host xx.xx.xx.xx

(enable mode)

monitor capture mycap buffer size 2 circular

monitor capture mycap access-list mycapf

monitor capture mycap interface Te1/1/1

monitor capture mycap start

 here this link help you as its an example

please do not forget to rate.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card