09-09-2003 05:22 PM - edited 03-02-2019 10:13 AM
Here's the situation: two PCs are sending traffic to each other and I have this special application running on a third PC where I sniff traffic between those machines and use the packets for a special application. I bought a Cisco switch 2950 and connected the three devices to it, but the third machine can't sniff the communication between the other two. I used SPAN, sending traffic to the third PC's port, but it doesn't connect to the network. Please, I need support...
09-09-2003 11:13 PM
What sniffing software are you using?
In switch configuration, have you specified ports to monitor?
For configuring SPAN in Catalyst 2950 you can use:
09-10-2003 12:28 PM
I use sniffer software running on Red Hat. By the way, I was using a normal 3Com hub before and it sniffed; now with the switch it does not. Also, I have not configured any VLAN to segment ports yet on my 2950.
Yes, I specified the source and destination, but Red Hat doesn't even connect to the switch. I read that the destination port becomes a different port and a workstation can't be plugged into it, only special network analyzers.
09-10-2003 04:50 PM
Destination SPAN ports on 2950's can't receive packets like normal ports can, but I think you should still get a link light when connecting a device. Is this not happening? If not, does the Linux box get a link light when it's connected to a normal port?
One thing that could be causing a problem is that when SPANing packets the 2950, for whatever reason, inserts VLAN tags even when the switch is using only the default VLAN. This is not considered normal behavior (by me anyway) and it confuses some sniffers that can't parse VLAN tags, preventing them from being able to recognize the packets properly.
09-10-2003 05:05 PM
The eth0 interface in Linux is completely out; it can't ping or be pinged from the other PC.
a) Is there a way to untag (or get around tagging) the SPAN packets and leave them intact so I avoid re-programming the sniffer for these new-form packets?
b) The problem also remains if I leave the two PCs apart on the hub and connect only the Linux box to the switch. In this case there's no tagging, but I still can't sniff packets from Linux on the switch to the PCs on the hub?
c) Is there a way to degrade or transform a switch port into a hub port?
09-10-2003 07:55 PM
Hi,
If you are running a version prior to 12.1(11)EA1, the switch will send dot1Q tagged packets and the sniffer may not recognize it (usually the case). I suggest loading the latest release, 12.1(14)EA1, as this behavior is changed and will send untagged frames.
-Robert
09-11-2003 02:02 PM
OK, thanks a lot.
09-11-2003 04:37 PM
Thanks for the information on tagged packets -- I wasn't aware it had been fixed.
The issue with pings to and from the sniffing device is expected behavior. Unless this has been changed via the new software release, Cat2950's can't receive packets on SPAN ports. SPAN ports can only transmit SPAN'd packets, so you're unable to talk to the sniffing interface to manage it. The common solution is to add a second NIC to the device and plug it into another port on the switch. This second NIC then gets an IP address so that you can manage the device, while the sniffing interface operates without an IP address (in "stealth mode").
09-12-2003 10:45 AM
I thought before about a second NIC for Linux, but I think I still have to reprogram my sniffer to filter the SPAN tagging in the packets sent to the monitor port... don't I?
09-12-2003 03:54 PM
If your sniffer will be confused by the VLAN tags embedded into the packets, you'll either need to change the code to handle the tags or upgrade the switch to the aforementioned new software version.
09-19-2003 09:09 AM
OK, could somebody give me links where I can read in-depth information about how packets are tagged by the 2950 switch?
I really need to understand the packet handling and the SPAN packets.
Thanks.
09-19-2003 04:19 PM
I believe they're tagged in 802.1q format. Google around for 802.1q VLAN tags and you should be able to find the details.
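The tag handling discussed in this thread, as an added example that is not part of any poster's reply or of the original sniffer: an 802.1Q tag is 4 bytes (TPID 0x8100 plus a 2-byte TCI) inserted after the source MAC, so a sniffer can remove it before its normal parsing. The function name `strip_dot1q` and the sample frames are constructed for illustration, and a single tag per frame is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ADDRS_LEN 12     /* destination MAC + source MAC */
#define TPID_8021Q    0x8100 /* EtherType value that marks an 802.1Q tag */
#define VLAN_TAG_LEN  4      /* TPID (2 bytes) + TCI (2 bytes) */

/* Constructed sample frames (not captured from a real 2950): broadcast
 * destination, made-up source MAC, IPv4 EtherType, four payload bytes. */
static uint8_t sample_tagged[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55,
    0x81,0x00, 0x00,0x01,          /* 802.1Q tag: TPID, TCI (VLAN 1) */
    0x08,0x00, 0x45,0x00,0x00,0x1c };
static uint8_t sample_untagged[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55,
    0x08,0x00, 0x45,0x00,0x00,0x1c };

/* Remove one 802.1Q tag in place, if present. Returns the new frame length.
 * *vlan_id receives the VLAN ID (0-4095), or -1 when the frame is untagged
 * or too short to hold a complete tag (such frames are left unchanged). */
size_t strip_dot1q(uint8_t *frame, size_t len, int *vlan_id)
{
    *vlan_id = -1;
    if (len < ETH_ADDRS_LEN + VLAN_TAG_LEN + 2)
        return len;                       /* no room for tag + EtherType */
    uint16_t type = (uint16_t)((frame[12] << 8) | frame[13]);
    if (type != TPID_8021Q)
        return len;                       /* ordinary untagged frame */
    uint16_t tci = (uint16_t)((frame[14] << 8) | frame[15]);
    *vlan_id = tci & 0x0FFF;              /* low 12 bits of the TCI */
    /* Slide the real EtherType and payload over the 4 tag bytes. */
    memmove(frame + ETH_ADDRS_LEN, frame + ETH_ADDRS_LEN + VLAN_TAG_LEN,
            len - ETH_ADDRS_LEN - VLAN_TAG_LEN);
    return len - VLAN_TAG_LEN;
}

int main(void)
{
    int vid;
    size_t n = strip_dot1q(sample_tagged, sizeof sample_tagged, &vid);
    printf("tagged:   len %zu, vlan %d, ethertype %02x%02x\n",
           n, vid, sample_tagged[12], sample_tagged[13]);
    n = strip_dot1q(sample_untagged, sizeof sample_untagged, &vid);
    printf("untagged: len %zu, vlan %d\n", n, vid);
    return 0;
}
```

Calling it on each captured frame before the existing parsing lets the rest of the sniffer see the same frame layout it saw on the hub.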
09-29-2003 08:35 AM
Try this link:
http://www.cisco.com/warp/customer/473/41.html#topic5
Actually, according to the link, you should be able to untag the packets starting with 12.1(11)EA1.