03-20-2023 02:24 PM
Hi out there, I am trying to use a Windows server to capture traffic from an RSPAN VLAN.
I have set up a port group under VMware with promiscuous mode permitted. This port group is in VLAN 500.
The physical switch - a cat9300 - has an RSPAN-enabled VLAN 501 defined. If I attach a PC to an access port on that switch and define a mon session with destination to that interface where I connect the PC, I can read all packets.
If I now loop the same port back to the switch to a port in VLAN 500, I would expect to receive the same traffic on my VM running under VMware and an interface connected to the port group with VLAN 500, which is defined with promiscuous mode set to permitted - but I don't get this - I only get broadcasts still - no unicast traffic. What am I doing wrong or missing here?
Be ti
03-20-2023 02:57 PM
You need to configure RSPAN on ESXi and tag to the VLAN - look at the example:
https://www.insecurewi.re/setting-up-a-linux-network-probe-with-cisco-rspan/
03-22-2023 01:58 AM
Hi Bandi
Have you had success with this?
I have set up a distributed port group on a 3-server VMware cluster:
and when I do a Wireshark capture there from a Windows 2016 server with the capture interface set in promiscuous mode, I see only broadcasts - no unicasts - and from the amount of traffic I see, it looks to me like multiple copies of the same packet (each server is uplinked with 4 10G link uplinks) - I would say I see a copy of the packet for each trunked interface from the cluster.