02-08-2011 04:35 AM - edited 03-04-2019 11:21 AM
Hi,
I am having an issue getting a local span session to work on a couple of my 3750's. I have a very basic requirement to span one port to another and wireshark the destination port to grab some traces. This is something I've done a thousand times but something is not working for me today in that I cannot see my return packets in my Wireshark trace. I only see packets sourced from my local machines and no return packets even though I know they are there. i.e I see the ICMP request and no reply in the wireshark trace even though I have a ping reply on the host that initiated the ping. There is no other route that the packets can take.
I have disabled all capture and dispaly filters on the wireshark laptop. I have used a couple of different lap tops to rule that out. I have even tried to monitor on a different 3750 with similar results. I feel its something I am missing in the 3750 monitor config but I can't put my finger on it and all looks good when I read the config guide. Is there anything else I can try?!
IOS version 12.2 (25) and 12.2(42)
Config:-
monitor session 1 source interface Fa1/0/38
monitor session 1 destination interface Fa1/0/37
Session 1
---------
Type : Local Session
Source Ports :
RX Only : None
TX Only : None
Both : Fa1/0/38
Source VLANs :
RX Only : None
TX Only : None
Both : None
Source RSPAN VLAN : None
Destination Ports : Fa1/0/37
Encapsulation : Native
Ingress : Disabled
Filter VLANs : None
Dest RSPAN VLAN : None
interface FastEthernet1/0/37
description Temp span Dest Port
speed 100
duplex full
spanning-tree portfast
interface FastEthernet1/0/38
description Span Soure Port
speed 100
duplex full
Thanks
RK
02-08-2011 05:37 AM
Hi RK,
Can you change the session number and also the source and destination ports if possible for try. I too had the same issue with one of my switch and was resolved like that.
Regards,
Jiyon
02-08-2011 07:51 AM
Hi Jiyon,
Thanks for you quick reply. I was hoping it would be something like that but I tried configuring a monitor session 2 with a different source and destination interface and still have the same issue.
RK
02-08-2011 08:20 AM
Hi
You can span either the transmit or reiceve or both.
monitor session 1 source interface Fa1/0/38 both
should do the trick
Good luck and happy monitoring
HTH
02-08-2011 08:38 AM
Thanks Hobbe,
"Both" is the default when you don't stick in Tx or Rx and you can see in my output that Both is selected. I even tried to include Both just for good measure but not that easy I;m afriad.
Thanks for your reply though.
02-09-2011 01:23 AM
Managed to get this working and it was all down to something to do with the laptops I was using. In dispair I tried a third newer laptop this morning running wireshark version 1.2.6 and all is working nicely......Thanks to those who replied.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide