Is Sniffing Trunk Port Possible

John Rener · ‎03-23-2017

Based on the image, is it possible to monitor the traffic to and from 6500?

Julio E. Moisa · ‎03-23-2017

Hi John,

Yes, it is possible, you can monitor an interface trunk and filter the vlans that you want to monitor.

example:

monitor session 1 source interfae g0/1 both
monitor session 1 filter vlan 10 , 35 , 101 , 456 <-- useful to monitor specific vlans otherwise it will monitor all the traffic
monitor session 1 destination interface g0/2

Hope it is useful

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

John Rener · ‎03-24-2017

Julio my man! You're just too awesome! I wish there's CCIE fellas out here who are as helpful as you!

BTW That filter would specify what VLAN you wanted to monitor, is that correct?

Julio E. Moisa · ‎03-24-2017

Lol, Thank you my friend, your words are really appreciated, the learning time never ends. :-)

About the question, you are correct, usually we are forwarding every vlan through a trunk interface when no filtering or pruning is made on it (switchport trunk allowed vlan A,B,C). So, in order to avoid unnecessary traffic over the sniffer you can specify the vlans that you really want to monitor only.

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

John Rener · ‎03-24-2017

Got it! Again thank you! At least using wshark would help me what addresses are communicating to and from host machines.

Now reading packets is a totally different ballgame for me I'm wayyyy far from able to understand that ^_^

Julio E. Moisa · ‎03-24-2017

Yeap, Wireshark is a powerful tool for sniffing.

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<