cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
357
Views
0
Helpful
7
Replies

Odd SPAN monitoring behavior

dro
Level 1
Level 1

Hi all. I have a 2950 running 12.1(13)EA1c. I've configured SPAN monitoring on it before, but it doesn't seem to be working properly anymore.

I set up two source ports, which are both PIX 515's, and set the destination port to a monitoring host.

The odd thing is that I can only see arp/broadcast requests from the two ports, and nothing else.

If I set the ports to only monitor rx, I see the arp requests from the PIX's and vice versa for tx. Traffic is definately being sent on the two ports, but it's not showing up on my monitoring host.

Any ideas?

Thanks.

7 Replies 7

kkalaycioglu
Level 4
Level 4

At the destination port what are you using for listening the traffic?

The destination port is a Linux box. I was just doing a tcpdump to verify the traffic was flowing before starting up any IDS services.

The server itself has an Intel PRO/100+ Dual port card. One port is connected to a seperate switch (for remote access) and the second is configured for SPAN.

All I see from the two source ports are ARP requests and broadcasts.

Thanks.

Can you try the same with a Windows PC and Ethereal software (www.ethereal.com - totally free).

I've tracked down the problem. It ended up being the NIC. For whatever reason, none of the Intel Pro/100 cards I had would work properly (I tried 4!), but a 3COM card worked fine when I put it in the server.

And now for the million dollar question.... why?

Did you use the encapsulation keyword in the span configuration? If so, there are only a handful of NICs that recognize and strip the dot1Q tag before sending to the sniffer.

I used a pretty basic config:

monitor session 2 source interface Fa0/18 - 19 , Fa0/24

monitor session 2 destination interface Fa0/7

No encapsulation or anything special.

Thanks

It is probably an issue with the NIC or NIC driver you are using. I do now know of any issues after 12.1(11)EA1 code with regards to basic SPAN feature.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: