Monitor session doesn't appear to be working

jsmall
Level 1

Hi,

I have a Cisco 2950, running:

IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(9)EA1, RELEASE SOFTWARE (fc1)

I am trying to use ntop (network monitoring tool) on a workstation. In order to set up monitoring, I have run the following commands:

monitor session 1 source interface Fa0/7 - 23

monitor session 1 destination interface Fa0/24

The goal here is to have ports 7-23 sent to port 24 where my workstation is. I have verified that the machine is in promiscuous mode.

However, all that ever seems to be sniffed by that machine is STP traffic, broadcast traffic, and, for some reason, telnet traffic directly to the Cisco from another workstation.

Any response would be appreciated.

9 Replies

alfredshum
Level 1

Seems 2950 only supports a maximum of 1 TX (transmit) monitor port.

You can type "show mon ses 1" to check which port is in both RX (Receive) & TX mode, and which ports are in RX-only mode.

Is there therefore no way I can adequately sniff my whole switch?

Unfortunately not. On the bigger switches such as 4500 series you can sniff a VLAN, but on the 2950 you are stuck with monitoring individual ports.

(BTW, can anyone tell me, on the bigger switches, when you monitor a vlan, are you monitoring all the traffic switched through the VLAN, or just the traffic that makes it to the layer-3 interface?)

Kevin Dorrell

Luxembourg

jsmall
Level 1

But I can't even get a single port working. I have our firewall (which passes all traffic leaving our network) on port 16, and now have altered the command as follows:

monitor session 1 source interface Fa0/16 both

However the device connected to port 24 still doesn't seem to see anything but its own traffic, and STP traffic.

Please paste the configuration from port 16 and port 24 using the commands:

Show run int fa 0/16

Show run int fa 0/24,

Also show monitor session 1

Have you tried upgrading the IOS on the switch? This could be an old IOS issue. I would suggest you try upgrading the IOS and I think this could make a difference.

HTH,

-amit singh

Hi, see the output below:

interface FastEthernet0/16
 switchport mode access
 no ip address
end

c2950#Show run int fa 0/24
Building configuration...

Current configuration : 73 bytes
!
interface FastEthernet0/24
 switchport mode access
 no ip address

I will see what I can do regarding the IOS. I believe our CCO login just ran out, so I'm not sure I can still just go download the update.

Could you post a show monitor session 1 please?

Do you still have the monitor session 1 destination interface Fa0/24? I was just wondering whether you had done a no monitor session 1 last time you cancelled the session, and forgot to put back the destination.

It sounds strange that you can still see the STP traffic, because according to the documentation "A destination port or a reflector port does not participate in STP while its SPAN or RSPAN session is active."

http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00802c3005.html#wp1036772

Kevin Dorrell

Luxembourg

Apologies, I left this out before:

c2950#show monitor session 1
Session 1
---------
Source Ports:
RX Only: None
TX Only: None
Both: Fa0/19
Destination Ports: Fa0/24

It's still throwing me that when a machine on port 7 telnets to the switch, all that telnet traffic is sniffed.

Looks like a bug then. Here is a likely candidate:

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCee65963

The bug does affect your version. It is fixed in 12.1(22)EA1.

The workaround is to cancel the SPAN session altogether with no monitor, and then put the SPAN session back in.

Kevin Dorrell

Luxembourg
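
Before pointing a sniffer or IDS sensor at a SPAN destination, it helps to compare what the switch reports with what you meant to mirror. The following is an added example, not code from any poster in this thread: it parses `show monitor session` output in the format posted above and lists mismatches. The function names are hypothetical, and the intended ports passed in at the bottom (source Fa0/16, destination Fa0/24, taken from the commands earlier in the thread) are an assumption about intent.

```python
import re

# Session output as posted in the thread, blank lines removed.
SAMPLE = """\
Session 1
---------
Source Ports:
RX Only: None
TX Only: None
Both: Fa0/19
Destination Ports: Fa0/24
"""

FIELDS = {"rx only": "rx", "tx only": "tx", "both": "both",
          "destination ports": "destination"}

def norm(port):
    """Normalise 'fa 0/16', 'Fa0/16' or 'FastEthernet0/16' to 'Fa0/16'."""
    m = re.fullmatch(r"\s*(?:fastethernet|fa)\s*(\d+/\d+)\s*", port, re.I)
    if not m:
        raise ValueError(f"unrecognised port name: {port!r}")
    return "Fa" + m.group(1)

def parse_span_session(text):
    """Parse one session block into sets keyed rx/tx/both/destination."""
    session = {name: set() for name in FIELDS.values()}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        field = FIELDS.get(key.strip().lower())
        if not sep or field is None or value.strip().lower() in ("", "none"):
            continue  # headings, rulers and empty/None fields
        session[field] = {norm(p) for p in value.split(",")}
    return session

def check_span(text, want_sources, want_dest):
    """Return a list of mismatches between switch state and intent."""
    s = parse_span_session(text)
    want = {norm(p) for p in want_sources}
    have = s["rx"] | s["tx"] | s["both"]
    one_way = (want & (s["rx"] | s["tx"])) - s["both"]
    problems = [f"{p} is not a source port" for p in sorted(want - have)]
    problems += [f"{p} is mirrored but was not requested" for p in sorted(have - want)]
    problems += [f"{p} is mirrored in one direction only" for p in sorted(one_way)]
    if s["destination"] != {norm(want_dest)}:
        problems.append(f"destination is {sorted(s['destination'])}, expected {norm(want_dest)}")
    return problems

if __name__ == "__main__":
    print("\n".join(check_span(SAMPLE, ["Fa0/16"], "Fa0/24")) or "SPAN matches intent")
```

An empty result only confirms the session is configured as intended; it does not prove the switch is actually forwarding mirrored frames.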