08-31-2010 11:06 AM - edited 03-06-2019 12:45 PM
In hopes of monitoring all packet activity on a Catalyst 3750 switch, I have created a SPAN where I have been attempting to use the destination port for packet sniffing. The issue is that I can only see broadcasts as well as inbound/outbound activity from the NIC on the system I have been using. The SPAN was set up as follows:
monitor session 1 source vlan 1 both
monitor session 1 destination interface Gi1/0/11
Note that this network consists of one vlan, vlan 1. I have also tried the following setup with the same result as the first:
monitor session 1 source interface Gi1/0/1 - 10 both
monitor session 1 source interface Gi1/0/12 - 24 both
monitor session 1 destination interface Gi1/0/11
Am I missing a step? Any relevant information would be appreciated. Thanks.
08-31-2010 01:34 PM
show monitor session 1 detail
Session 1
---------
Type : Local Session
Source Ports :
RX Only : None
TX Only : None
Both : Gi1/0/1-10,Gi1/0/12-24
Source VLANs :
RX Only : None
TX Only : None
Both : None
Source RSPAN VLAN : None
Destination Ports : Gi1/0/11
Encapsulation : Native
Ingress : Disabled
Filter VLANs : None
Dest RSPAN VLAN : None
08-31-2010 02:47 PM
Hello,
Please send me the output of :
show vlan
show int Gi1/0/11
show int Gi1/0/1
show int Gi1/0/10
Sid Chandrachud
Cisco TAC
09-01-2010 05:42 AM
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/1, Gi1/0/2, Gi1/0/3
Gi1/0/4, Gi1/0/5, Gi1/0/6
Gi1/0/7, Gi1/0/8, Gi1/0/9
Gi1/0/10, Gi1/0/11, Gi1/0/12
Gi1/0/13, Gi1/0/14, Gi1/0/15
Gi1/0/16, Gi1/0/17, Gi1/0/18
Gi1/0/19, Gi1/0/20, Gi1/0/21
Gi1/0/22, Gi1/0/23, Gi1/0/24
Gi1/0/25, Gi1/0/26, Gi1/0/27
Gi1/0/28, Gi1/0/29, Gi1/0/30
Gi1/0/31, Gi1/0/32, Gi1/0/33
Gi1/0/34, Gi1/0/35, Gi1/0/36
Gi1/0/37, Gi1/0/38, Gi1/0/39
Gi1/0/40, Gi1/0/41, Gi1/0/42
Gi1/0/43, Gi1/0/44, Gi1/0/45
Gi1/0/46, Gi1/0/47, Gi1/0/48
Gi1/0/49, Gi1/0/50, Gi1/0/51
Gi1/0/52, Gi2/0/1, Gi2/0/2
Gi2/0/3, Gi2/0/4, Gi2/0/5
Gi2/0/6, Gi2/0/7, Gi2/0/8
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
Gi2/0/9, Gi2/0/10, Gi2/0/11
Gi2/0/12, Gi2/0/13, Gi2/0/14
Gi2/0/15, Gi2/0/16, Gi2/0/17
Gi2/0/18, Gi2/0/19, Gi2/0/20
Gi2/0/21, Gi2/0/22, Gi2/0/23
Gi2/0/24, Gi2/0/25, Gi2/0/26
Gi2/0/27, Gi2/0/28
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0
Remote SPAN VLANs
------------------------------------------------------------------------------
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
GigabitEthernet1/0/11 is up, line protocol is down (monitoring)
Hardware is Gigabit Ethernet, address is 0015.624d.0e8b (bia 0015.624d.0e8b)
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 15:46:40, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 1025000 bits/sec, 163 packets/sec
250630515 packets input, 1048365771 bytes, 0 no buffer
Received 1487 broadcasts (0 multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
521917037 packets output, 2714351526 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
GigabitEthernet1/0/1 is down, line protocol is down (notconnect)
Hardware is Gigabit Ethernet, address is 0015.624d.0e81 (bia 0015.624d.0e81)
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto-duplex, Auto-speed, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
GigabitEthernet1/0/10 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 0015.624d.0e8a (bia 0015.624d.0e8a)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:55, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
156956949 packets input, 1361374486 bytes, 0 no buffer
Received 33932684 broadcasts (0 multicast)
0 runts, 0 giants, 0 throttles
1 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 221537 multicast, 0 pause input
0 input packets with dribble condition detected
263045511 packets output, 4168750286 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
09-01-2010 09:52 AM
Hello,
a. The SPAN destination port seems to be forwarding traffic correctly in the outbound direction.
GigabitEthernet1/0/11 is up, line protocol is down (monitoring)
: : : :
5 minute output rate 1025000 bits/sec, 163 packets/sec <-----
: : :
521917037 packets output, 2714351526 bytes, 0 underruns
b. The issue most likely is the NIC on the workstation used to see the capture traffic.
The NIC card needs to be in promiscuous mode for it to accept all traffic coming in on the interface.
Otherwise, it will only accept frames destined to it.
http://www.wireshark.org/faq.html#q7.1
Most network interfaces can also be put in "promiscuous" mode, in which they supply to the host all network packets they see.
Wireshark will try to put the interface on which it's capturing into promiscuous mode unless the "Capture packets in promiscuous mode" option is turned off in the "Capture Options" dialog box, and TShark will try to put the interface on which it's capturing into promiscuous mode unless the -p option was specified.
However, some network interfaces don't support promiscuous mode, and some OSes might not allow interfaces to be put into promiscuous mode.
If the interface is not running in promiscuous mode, it won't see any traffic that isn't intended to be seen by your machine. It will see broadcast packets, and multicast packets sent to a multicast MAC address the interface is set up to receive.
c. Check the host settings. Try using a different machine to check the captured packets.
Sid Chandrachud
Cisco TAC
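A way to confirm the symptom described in this thread from the capture itself, as an added example that is not part of the original posts: it buckets captured Ethernet frames by destination MAC and flags a capture that contains no unicast traffic between other hosts, which is what a non-promiscuous NIC on a SPAN destination port produces. The MAC addresses, frames and function names are constructed for illustration.

```python
from collections import Counter

BROADCAST = bytes.fromhex("ffffffffffff")

def mac(text):
    """Parse aa:bb:cc:dd:ee:ff into 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def classify(frame, own_mac):
    """Bucket one Ethernet frame by its destination and source MAC."""
    dst, src = frame[0:6], frame[6:12]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:            # I/G bit set: group (multicast) address
        return "multicast"
    if own_mac in (dst, src):    # traffic to or from the capture host
        return "own-unicast"
    return "foreign-unicast"     # only visible if the NIC is promiscuous

def diagnose(frames, own_mac):
    """Return (per-bucket counts, verdict) for a list of raw frames."""
    counts = Counter(classify(f, own_mac) for f in frames)
    if not frames:
        verdict = "no frames captured"
    elif counts["foreign-unicast"] == 0:
        verdict = "no foreign unicast: check promiscuous mode on the capture NIC"
    else:
        verdict = "mirrored unicast is reaching the capture"
    return counts, verdict

def make_frame(dst, src):
    """Constructed minimal frame: dst, src, IPv4 EtherType, zero padding."""
    return mac(dst) + mac(src) + b"\x08\x00" + b"\x00" * 46

# Constructed sample data; locally administered addresses, not from the thread.
OWN = mac("02:00:00:00:00:0b")
FILTERED = [
    make_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01"),  # ARP-style broadcast
    make_frame("01:00:5e:00:00:fb", "02:00:00:00:00:02"),  # IPv4 multicast
    make_frame("02:00:00:00:00:0b", "02:00:00:00:00:01"),  # to capture host
    make_frame("02:00:00:00:00:01", "02:00:00:00:00:0b"),  # from capture host
]
# Same capture plus one mirrored conversation between two other hosts.
MIRRORED = FILTERED + [make_frame("02:00:00:00:00:01", "02:00:00:00:00:02")]

if __name__ == "__main__":
    for name, sample in (("filtered", FILTERED), ("mirrored", MIRRORED)):
        counts, verdict = diagnose(sample, OWN)
        print(name, dict(counts), "->", verdict)
```
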