Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
950
Views
0
Helpful
4
Replies

How to mirror port only http get packet on 4948 or 6500 ?

hatman
Level 1
Level 1

‎02-08-2012 12:16 AM - edited ‎03-07-2019 04:47 AM

Hello,

How to mirror port only http get packet on 4948 or 6500 ?

Labels:
0 Helpful
4 Replies 4

Vivek Ganapathi
Level 4
Level 4

‎02-08-2012 01:26 AM

Hello,

You wouldn't be able to sniff just HTTP get. But you can filter only HTTP get requests on the sniffing tool you are using. What i want to say is, on 4900 or 6500, you wouldn't be able to create a SPAN port based on your required parameters.

Thanks

Vivek

0 Helpful

epelser_2
Level 1
Level 1

‎02-08-2012 01:38 AM

Hi.

I believe Vivek is correct.

I don't know exactly what you want to achieve but as far as I'm aware your options are as follows:

1) Capture traffic as per Vivek's suggestion and filter within your analyser tool.

2) Use the 6500s mini protocol analyzer tool to filter to a destination IP or if you require further granularity, between source and destination IP.

See the following link for the info on the mini analyzer.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/8.x/configuration/guide/span.html#wp1038600

I don't believe the 4900 has the same functionality thought.

I hope this helps

Ernst

0 Helpful

hatman
Level 1
Level 1
In response to epelser_2

‎02-08-2012 02:53 AM

Hi,

I want to mirror only http get traffic

for the currently

am use function vlan access-map on 6500 for classify destination port rq 80 ( include http get and http upload)

the traffic is very hight and our server can't handle all the traffic.

and then i want to find the best solution for classify the http packet -- am not sure i can classify packet by packek lenght  support or not?

0 Helpful

Ven Taylor
Level 4
Level 4
In response to hatman

‎02-08-2012 06:11 AM

I believe what you're looking to do is set up a Vlan Access List (VACL).

You can set up the access list to trigger on any type of traffic and then capture the output.

We do it here all the time to sniff traffic.  I'm not sure what you want to do with the traffic, but this will let you span a vlan to a switchport for monitoring/sniffer work.

#create an acl that references all interesting traffic

ip access-list extended capture-http

permit tcp any eq www any eq www

!

exit

!

#apply rules and reference acl

vlan access-map capture-http 10

match ip address capture-http

action forward capture

exit

!

#apply your vacl to a particular vlan (in this case 100)

vlan filter capture-http vlan-list 100

!

exit

!

#apply your vacl to a port with the sniffer

interface Gig3/1

description Sniffer

switchport

switchport mode access

switchport capture

spanning-tree portfast

end

Put your sniffer on t

Here's a link to some configuration examples:

http://www.cisco.com/en/US/tech/tk389/tk814/tk838/tsd_technology_support_sub-protocol_home.html

Ven

Ven Taylor
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card