Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2083
Views
0
Helpful
4
Replies

Local Span Port Troubleshooting Issue

Robert Singer
Level 1
Level 1

‎07-13-2012 08:54 AM - edited ‎03-07-2019 07:45 AM

Hello,

i have a question regarding monitoring a Trunk Port with the help of a local Span Session on a Catalyst 2960S Switch with Version 12.2(55)SE3.

The scenario looks like the following sheme:

SnifferPC(Wireshark) <-> Telephone(Siemens) <-> Switch(2960S)<-> LAN Distribution Layer

The telephone sends SIP Traffic over VLAN 13 to the Voice Gateway and communicates with Phones over VLAN 13 (RTP)

I am interessted to capture this traffic on the uplink Port of the Switch (Trunk Port) to the LAN Distribution Layer. For this reason, i configured this Local Span:

Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Gi1/0/26
Destination Ports      : Gi1/0/2
    Encapsulation      : Replicate
          Ingress      : Disabled

Gi1/0/26 is the uplink port to the distribution layer

Gi1/0/2 is the mirror port where the PC with wireshark in promiscous mode is listening.

My problem is, that i see all rtp,sip traffic on the whireshark pc, that is directly connected to the siemens phone. However, i do not see this traffic traversing the Uplink Port on the very same switch. I only see ARP Traffic in that VLAN from the Siemens Phone. I do not see SIP or RTP Traffic at all.

So, for that reason, i created a different Span Session that looks like these

Session 1

---------

Type                   : Local Session

Source VLANs           :

    Both               : 13

Destination Ports      : Gi1/0/2

    Encapsulation      : Replicate

          Ingress      : Disabled

Still the same, i can see Traffic RTP and Sip that is leaving the phone, but i see that traffic not on the mirror port, expect of ARP.

Only as additional information, the SIP and RTP is working probably, i am able to establish a valid phone call.

Can someone give me a hint, what i am doing wrong ?

Labels:
0 Helpful
4 Replies 4

Vincenzo Errante
Level 1
Level 1

‎07-14-2012 08:29 AM

hi,

use an other port of the switch2960  for span session destination, the switch of phone "block" your span session

Regards

V.

0 Helpful

Robert Singer
Level 1
Level 1
In response to Vincenzo Errante

‎07-15-2012 02:44 PM

hi,

thank you for your answer. i do not get the clue. why should i choose another port ? The the phone is connected to Gi 1/0/1

on the siemens phone there is a lan port, where the pc with wireshark is attached. i see the traffic here.... when i try to monitor the uplink of the switch, which is gi1/0/26 i span the it to the destination gi 1/0/2.... how should the bridge in the phone block my lspan session of the uplink to another destination port ?

Best regards

Robert

0 Helpful

Vincenzo Errante
Level 1
Level 1
In response to Robert Singer

‎07-16-2012 01:21 AM

Hi,

ok,

I was misled by the scheme,

well erase all config in Gi1/0/2

(any switchport command)

then:

monitor session 1 destination interface gigabitEthernet Gi1/0/2

whithout encapsulation

regards

V.

0 Helpful

Robert Singer
Level 1
Level 1
In response to Vincenzo Errante

‎07-16-2012 10:53 AM

Hi,

i did it without any success. But guess what, i upgraded to 15.0.1 and i got data now... seems very strange....

best regards,

robert

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card