Thanks for that. I did look through the document marce posted. I should add that I am trying to configure local SPAN

There is no specific example in that document but there is a section on "Destination Port". It is a bit thin on information though. I also configured a monitor session with the port as the destination and I didn't see any change in the config. wondering if you need a specific feature set or something

Destination Port

Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports or VLANs and sends the SPAN packets to the user, usually a network analyzer.

A destination port has these characteristics:

• For a local SPAN session, the destination port must reside on the same device or device stack as the source port. For an RSPAN session, it is located on the device containing the RSPAN destination session. There is no destination port on a device or device stack running only an RSPAN source session.

• When a port is configured as a SPAN destination port, the configuration overwrites the original port configuration. When the SPAN destination configuration is removed, the port reverts to its previous configuration. If a configuration change is made to the port while it is acting as a SPAN destination port, the change does not take effect until the SPAN destination configuration had been removed.

• If the port was in an EtherChannel group, it is removed from the group while it is a destination port. If it was a routed port, it is no longer a routed port.

• It can be any Ethernet physical port.

• It cannot be a secure port.

• It cannot be a source port.

• It can be an EtherChannel group (ON mode only), on Cisco Catalyst 9500 Series Switches - High Performance.

• It can participate in only one SPAN session at a time (a destination port in one SPAN session cannot be a destination port for a second SPAN session).

• When it is active, incoming traffic is disabled. The port does not transmit any traffic except that required for the SPAN session. Incoming traffic is never learned or forwarded on a destination port.

• If ingress traffic forwarding is enabled for a network security device, the destination port forwards traffic at Layer 2.

• It does not participate in any of the Layer 2 protocols (STP, VTP, CDP, DTP, PagP).

• A destination port that belongs to a source VLAN of any SPAN session is excluded from the source list and is not monitored.

• The maximum number of destination ports in a device or device stack is 64.

Post the configuration example you configured and what IOS XE code running ?

wondering if you need a specific feature set or something

No it should work essential License that come with switch.

unitl we see your configuration and show monitor session all

simple configuration what you looking to capture the traffic example:

you looking to capture the information from the port TW1/0/1 and your sniffer connected to Port TW1/0/2 below example works :

monitor session 1 source interface Twe1/0/1
monitor session 1 destination interface Twe1/0/2

I've done the monitor session

#show mon sess all
Session 1
---------
Type : Local Session
Source VLANs :
Both : 1475-1476
Destination Ports : Twe1/0/4
Encapsulation : Native
Ingress : Disabled

And I've done dozens of these - they always allow you to do as the instructions say

conf t, int <whatever>, switchport, switchport monitor

But this is the first 25 Gig interface I've done and I'm pretty sure it is the first 9500 I've done. The transceiver seems fine

#show interface transceiver
If device is externally calibrated, only calibrated values are printed.
++ : high alarm, + : high warning, - : low warning, -- : low alarm.
NA or N/A: not applicable, Tx: transmit, Rx: receive.
mA: milliamperes, dBm: decibels (milliwatts).

Optical Optical
Temperature Voltage Current Tx Power Rx Power
Port (Celsius) (Volts) (mA) (dBm) (dBm)
--------- ----------- ------- -------- -------- --------
Twe1/0/1 22.9 3.31 6.1 -2.2 -2.2
Twe1/0/2 27.5 3.32 6.4 -2.2 -2.0
Twe1/0/4 25.0 3.29 5.4 -2.1 -2.0

its says source vlan 1475-1476 - Do you have vlans ? and you have any devices connected in that vlan to capture the traffic send to Twe1/0/4 ?

what sniffer you connected on TW1/0/4 (what you see on the sniffer no information ?)

can you post below information :

show run| in monitor

show run inter tw 1/0/4

show vlan

#show runn | i monitor
monitoring
monitor session 1 source vlan 1475 - 1476
monitor session 1 destination interface Twe1/0/4

#show runn int Twe1/0/4
Building configuration...

Current configuration : 81 bytes
!
interface TwentyFiveGigE1/0/4
description TO <Cisco Data Broker> PORT 39 SPAN PORT
end

#show vlan

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Twe1/0/3, Twe1/0/5, Twe1/0/6, Twe1/0/7, Twe1/0/8, Twe1/0/9, Twe1/0/10, Twe1/0/11
Twe1/0/12, Twe1/0/13, Twe1/0/14, Twe1/0/15, Twe1/0/16, Twe1/0/17, Twe1/0/20
Hu1/0/25, Hu1/0/26, Hu1/0/27, Hu1/0/28
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
xxxx_internet-fb active
1475 a.b.c.d/28_em-access-odd active Twe1/0/2, Twe1/0/18, Twe1/0/19

This is the problem - not the VLANs or the monitor session.

router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#int Twe1/0/4
router(config-if)#switchport
router(config-if)#switchport monitor
^
% Invalid input detected at '^' marker.

router(config-if)#

The marker shown above is skewed in my post - in reality it is pointing to the word monitor

#switchport ?
access Set access mode characteristics of the interface
app-interface Enabling port for Application Hosting
autostate Include or exclude this port from vlan link up calculation
block Disable forwarding of unknown uni/multi cast addresses
host Set port host
mode Set trunking mode of the interface
nonegotiate Device will not engage in negotiation protocol on this interface
port-security Security related command
priority Set appliance 802.1p priority
private-vlan Set the private VLAN configuration
protected Configure an interface to be a protected port
trunk Set trunking characteristics of the interface
vepa Reflective relay configuration
voice Voice appliance attributes
<cr> <cr>

There is no switcthport monitor command allowed after the switchport command.

All the documentation I read suggests that the switchport monitor command comes next - and that has been my experience over the past years.

No luck there....correct me if I'm wrong

router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#int Twe1/0/4
router(config-if)#monitor ?
% Unrecognized command

If you meant globally

router(config)#monitor capture ?
% Unrecognized command

Can I only do this from the web GUI i.e. NDB?

You should do the configuration from config t section
example :
switch(config)# monitor session session_number source {interface interface-id | vlan vlan-id}
switch(config)# monitor session session_number destination {interface interface-id [, | -] [encapsulation {replicate | dot1q}]}