07-13-2012 08:54 AM - edited 03-07-2019 07:45 AM
Hello,
i have a question regarding monitoring a Trunk Port with the help of a local Span Session on a Catalyst 2960S Switch with Version 12.2(55)SE3.
The scenario looks like the following sheme:
SnifferPC(Wireshark) <-> Telephone(Siemens) <-> Switch(2960S)<-> LAN Distribution Layer
The telephone sends SIP Traffic over VLAN 13 to the Voice Gateway and communicates with Phones over VLAN 13 (RTP)
I am interessted to capture this traffic on the uplink Port of the Switch (Trunk Port) to the LAN Distribution Layer. For this reason, i configured this Local Span:
Session 1
---------
Type : Local Session
Source Ports :
Both : Gi1/0/26
Destination Ports : Gi1/0/2
Encapsulation : Replicate
Ingress : Disabled
Gi1/0/26 is the uplink port to the distribution layer
Gi1/0/2 is the mirror port where the PC with wireshark in promiscous mode is listening.
My problem is, that i see all rtp,sip traffic on the whireshark pc, that is directly connected to the siemens phone. However, i do not see this traffic traversing the Uplink Port on the very same switch. I only see ARP Traffic in that VLAN from the Siemens Phone. I do not see SIP or RTP Traffic at all.
So, for that reason, i created a different Span Session that looks like these
Session 1
---------
Type : Local Session
Source VLANs :
Both : 13
Destination Ports : Gi1/0/2
Encapsulation : Replicate
Ingress : Disabled
Still the same, i can see Traffic RTP and Sip that is leaving the phone, but i see that traffic not on the mirror port, expect of ARP.
Only as additional information, the SIP and RTP is working probably, i am able to establish a valid phone call.
Can someone give me a hint, what i am doing wrong ?
07-14-2012 08:29 AM
hi,
use an other port of the switch2960 for span session destination, the switch of phone "block" your span session
Regards
V.
07-15-2012 02:44 PM
hi,
thank you for your answer. i do not get the clue. why should i choose another port ? The the phone is connected to Gi 1/0/1
on the siemens phone there is a lan port, where the pc with wireshark is attached. i see the traffic here.... when i try to monitor the uplink of the switch, which is gi1/0/26 i span the it to the destination gi 1/0/2.... how should the bridge in the phone block my lspan session of the uplink to another destination port ?
Best regards
Robert
07-16-2012 01:21 AM
Hi,
ok,
I was misled by the scheme,
well erase all config in Gi1/0/2
(any switchport command)
then:
monitor session 1 destination interface gigabitEthernet Gi1/0/2
whithout encapsulation
regards
V.
07-16-2012 10:53 AM
Hi,
i did it without any success. But guess what, i upgraded to 15.0.1 and i got data now... seems very strange....
best regards,
robert
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide