07-13-2012 08:54 AM - edited 03-07-2019 07:45 AM
Hello,
i have a question regarding monitoring a Trunk Port with the help of a local Span Session on a Catalyst 2960S Switch with Version 12.2(55)SE3.
The scenario looks like the following sheme:
SnifferPC(Wireshark) <-> Telephone(Siemens) <-> Switch(2960S)<-> LAN Distribution Layer
The telephone sends SIP Traffic over VLAN 13 to the Voice Gateway and communicates with Phones over VLAN 13 (RTP)
I am interessted to capture this traffic on the uplink Port of the Switch (Trunk Port) to the LAN Distribution Layer. For this reason, i configured this Local Span:
Session 1
---------
Type : Local Session
Source Ports :
Both : Gi1/0/26
Destination Ports : Gi1/0/2
Encapsulation : Replicate
Ingress : Disabled
Gi1/0/26 is the uplink port to the distribution layer
Gi1/0/2 is the mirror port where the PC with wireshark in promiscous mode is listening.
My problem is, that i see all rtp,sip traffic on the whireshark pc, that is directly connected to the siemens phone. However, i do not see this traffic traversing the Uplink Port on the very same switch. I only see ARP Traffic in that VLAN from the Siemens Phone. I do not see SIP or RTP Traffic at all.
So, for that reason, i created a different Span Session that looks like these
Session 1
---------
Type : Local Session
Source VLANs :
Both : 13
Destination Ports : Gi1/0/2
Encapsulation : Replicate
Ingress : Disabled
Still the same, i can see Traffic RTP and Sip that is leaving the phone, but i see that traffic not on the mirror port, expect of ARP.
Only as additional information, the SIP and RTP is working probably, i am able to establish a valid phone call.
Can someone give me a hint, what i am doing wrong ?
07-14-2012 08:29 AM
hi,
use an other port of the switch2960 for span session destination, the switch of phone "block" your span session
Regards
V.
07-15-2012 02:44 PM
hi,
thank you for your answer. i do not get the clue. why should i choose another port ? The the phone is connected to Gi 1/0/1
on the siemens phone there is a lan port, where the pc with wireshark is attached. i see the traffic here.... when i try to monitor the uplink of the switch, which is gi1/0/26 i span the it to the destination gi 1/0/2.... how should the bridge in the phone block my lspan session of the uplink to another destination port ?
Best regards
Robert
07-16-2012 01:21 AM
Hi,
ok,
I was misled by the scheme,
well erase all config in Gi1/0/2
(any switchport command)
then:
monitor session 1 destination interface gigabitEthernet Gi1/0/2
whithout encapsulation
regards
V.
07-16-2012 10:53 AM
Hi,
i did it without any success. But guess what, i upgraded to 15.0.1 and i got data now... seems very strange....
best regards,
robert
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: