01-04-2011 05:17 AM - edited 03-06-2019 02:48 PM
Hi everybody
I was toying around with Wireshark when I noticed the remote packet capture option. I googled it and found that we have to load the remote packet capture protocol on the target node.
Here is my scenario.
We have Cisco networks, routers and switches, and we want to capture the packets entering a specific router port. How do we do that using Wireshark?
Do we have to download the above-mentioned program on the router? How do we do that?
The only thing I know is to use IOS to configure routers. But do we load the remote packet capture protocol so we can remotely capture packets entering a specific router interface?
Thanks
01-04-2011 05:29 AM
Hi,
On switches you use SPAN or RSPAN and on routers you can use RITE or EPC
Here are the links:
1) SPAN-RSPAN http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_13_ea1/configuration/guide/swspan.html
2) RITE http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_rawip.html
3) EPC
Regards.
Alain.
01-04-2011 06:29 AM
To use Wireshark on a network, in its simplest form you configure a SPAN port at the local switch.
The command for this on e.g. a 3750 would be something like this:
monitor session (session number, e.g. 1) source interface (and add the interface you want to listen to, e.g. gig1/0/1)
and then you set up the port you want your Wireshark to be connected to:
monitor session (same as session above) destination interface (and add the interface you want to send the traffic out on, e.g. gig1/0/2)
A tip: if you are to use a monitor port on a switch, set an empty RJ45 connection in the destination switchport if you leave it configured, so that you or someone else does not use it by mistake.
The monitor port can not send data out to the switch anymore, but it will receive all that the source port sees and sends.
Then there are several other ways, e.g. using packet capture in the ASA and then exporting it and looking at it in Wireshark.
You can set up a place where you have a Wireshark computer set up and you can monitor any port in the network.
This can be done through the use of RSPAN.
Good luck
HTH
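An added example, not part of the original posts: a small Python audit that reads a running-config excerpt, lists each SPAN session's source and destination, and flags sessions that are only half configured or left behind. The sample config is constructed; it reuses session 1 and ports gig1/0/1 and gig1/0/2 from the post above, and session 2 is a hypothetical leftover.

```python
import re
from collections import defaultdict

# Constructed running-config excerpt (not from the thread). Session 1 uses the
# ports named in the post above; session 2 is a hypothetical leftover session.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/2
 description SPAN destination - Wireshark PC
!
monitor session 1 source interface Gi1/0/1
monitor session 1 destination interface Gi1/0/2
monitor session 2 source vlan 10 rx
"""

LINE_RE = re.compile(
    r"^monitor session (\d+) (source|destination) "
    r"(interface|vlan|remote vlan) (.+)$"
)

def parse_span_sessions(config_text):
    """Return {session_id: {"source": [...], "destination": [...]}}."""
    sessions = defaultdict(lambda: {"source": [], "destination": []})
    for line in config_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sid, role, kind, rest = m.groups()
        tokens = rest.split()
        direction = tokens.pop() if tokens[-1] in ("rx", "tx", "both") else None
        entry = {"kind": kind, "target": " ".join(tokens)}
        if role == "source":
            # With no keyword, IOS mirrors both directions of the source.
            entry["direction"] = direction or "both"
        sessions[int(sid)][role].append(entry)
    return dict(sessions)

def audit(sessions):
    """List sessions that cannot deliver mirrored traffic to a capture host."""
    findings = []
    for sid, s in sorted(sessions.items()):
        for role in ("source", "destination"):
            if not s[role]:
                findings.append((sid, f"no {role} configured"))
    return findings

if __name__ == "__main__":
    parsed = parse_span_sessions(SAMPLE_CONFIG)
    for sid, s in sorted(parsed.items()):
        print(sid, s)
    print(audit(parsed))
```
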
01-04-2011 12:18 PM
Hello Sarah,
>> Do we have to download the above-mentioned program on the router? How do we do that?
No, this is not possible: as IOS is a closed system, we cannot install a program over it.
There are some options explained by Alain.
The typical use we do is:
We put a PC running Wireshark connected to the destination port of a SPAN session configured on a switch, or its variants (RSPAN and ERSPAN).
Hope to help
Giuseppe
05-29-2012 11:56 PM
Hello Hobbe/Giuseppe,
I have a doubt about the above replies. Please find the below statement.
"The monitor port can not send data out to the switch anymore but it will receive all that the source port sees and sends"
Correct me if I understood it wrongly. It says the source port will not be actively involved in any switching, like other ports in the same switch where we have not enabled SPAN.
Does it mean it will not switch traffic?
Can we use it in live or production traffic for testing?
Regards,
Sinjish.K
05-30-2012 12:03 AM
Hello Sinjish,
Hobbe meant a SPAN destination port, where the PC with Wireshark would be connected. This destination port will only be able to send traffic to the connected Wireshark but not in the other direction.
The source port will function properly with no service impact to switching.
Kind Regards,
Ivan
**Please grade this post if you find it useful.