monitor session [rx] [tx]

mlopacinski
Level 1

Hello

The switch has 4 access ports with vlan 12, and 4 trunks with vlan 12. What is the difference between:

monitor session 1 source vlan 12 rx

monitor session 1 source vlan 12 tx

The switch always receives traffic on one port and transmits on another. Does that mean that if I use "both" I will double all the packets?

Thanx


Edison Ortiz
Hall of Fame

There is potential for duplicates when using the 'both' option with SPAN. However, most network analyzers are able to isolate these duplicate conditions.

What if the incoming stream is 70Mbit/s on FastEthernet and I "double" the traffic using the "both" option?

Will it use RED for random drop?

Antonio Knox
Level 7

In reference to vlan 12

rx is for monitoring vlan 12 receive traffic

tx is for monitoring vlan 12 transmit traffic

use these to differentiate traffic.

Still do not understand this. Antonio:

Who is the receiver and who is the transmitter for the "receive traffic" option?

Who is the receiver and who is the transmitter for the "transmit traffic" option?

If I receive traffic on an access port and need to send it through three trunk ports, could you describe what will be rx traffic and tx traffic?

(sorry for bold font, can't disable it)

tx is traffic out to host(s)

rx is traffic from host(s)

Hmm, that does not make sense. What is "host(s)"? The switch does not know what "host(s)" is. Maybe you mean "access port", but this also does not make sense. Every unicast packet on a switch is received and transmitted at the same time! Simple example:

! PC1
int fa0/1
  switchport mode access
  switchport access vlan 12
! PC2
int fa0/2
  switchport mode access
  switchport access vlan 12
! mirror vlan 12 receive traffic to fa0/3
monitor session 1 source vlan 12 rx
monitor session 1 destination interface fa0/3

PC1 sends a unicast packet to PC2. The packet from PC1 is received on fa0/1 and is transmitted to fa0/2.

1. Will this packet be captured by the above configuration?

2. The same packet, but configuration with "monitor session source vlan 12 tx". Will this packet be captured?

3. The same packet, but configuration with "monitor session source vlan 12 both". What will be captured?

4. @Antonio, you wrote: "tx is traffic out to host(s) rx is traffic from host(s)". What if I have two trunk ports with vlan 12? The packet is received on one trunk port and is transmitted to the second trunk port (the same packet, without any modification). What kind of traffic is this? tx? rx? both?

The problem is only for vlans, because for monitoring physical interfaces the tx, rx and both options are clear, and make sense.

I'm stating this as simply as I can, it's really not that complicated.  Let's say, using a very basic example, that you have a couple of ports to monitor

Gig0/1 <-----------> Host connected to Gig0/1

Gig0/2 <-----------> Host connected to Gig0/2

We are monitoring communications on these ports.  Here's the difference (put as simply as possible).

This is rx (ingress) traffic

Gig0/1 <----------- Host connected to Gig0/1

Gig0/2 <----------- Host connected to Gig0/2

This is tx (egress) traffic

Gig0/1 -----------> Host connected to Gig0/1

Gig0/2 -----------> Host connected to Gig0/2

Hope this makes sense.  The same concept applies to vlans: tx is ingress traffic sourced from hosts in a vlan, rx is egress traffic destined to a host in a vlan. If the concept is cloudy, it doesn't hurt to look at:

http://www.colasoft.com/resources/span.pdf

and look for the "Traffic Types" section.  Do not confuse the concept, SPANs are not about communications between two hosts, it is about communications from the perspective of the interface or vlan.

You still give examples with physical interfaces  - but it's clear - the problem is in vlans.

You still do not want to answer my four questions, so I will try to do it:

1-2. both tx and rx will give exactly the same results (if the switch does not change the packet)

3. There will be 2 packets sniffed (traffic will be doubled)

4.

From documentation:

"Trunk interfaces are included as source interfaces for VLAN-based SPAN sessions."

Does this mean that in this case I will sniff traffic only with "rx" or "both" but not "tx"?

Could you acknowledge ?

My apologies about my previous response. 

Let me answer your questions:

  1. You are correct.  Tx & Rx will essentially give you the same thing, so for monitoring the vlan
  2. See #1
  3. You are correct, traffic will be doubled.
  4. Just as a note here, you only want to use the trunk for traffic between hosts on the switch you configure and hosts on a different switch in the same vlan.  Now, for the tx, rx or both selection I would say use the "both" option, because this is now a trunk (physical) port that you are dealing with, not a vlan.*

*NOTE: Also, for best results, you can filter vlan 12 on the trunk monitor session. This is good for when you ONLY want to monitor specific vlan traffic between switches because you will not be able to use the filter AND add the vlan as a source at the same time.

Otherwise, I would recommend 'monitor session 1 vlan 12 tx' for simplicity. You could do "rx" which would yield the same traffic or use "both" which would send duplicates.

I am unclear about this:

4. @Antonio, you wrote: "tx is traffic out to host(s) rx is traffic from host(s)". What if I have two trunk ports with vlan 12? The packet is received on one trunk port and is transmitted to the second trunk port (the same packet, without any modification). What kind of traffic is this? tx? rx? both?

If the traffic was received on one port but transmitted out another, that sounds like a switching loop.  Did you mention this just for the sake of clarity or is this what you are working with?
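
An added example, not part of any post in this thread: a simplified Python model of the vlan 12 scenario discussed above, counting the copies a VLAN-source SPAN session delivers for rx, tx and both, then dropping the duplicates the way a capture tool would. Port names, frame bytes and function names are constructed for illustration; it assumes unicast frames that the switch forwards unmodified and stay inside the monitored VLAN.

```python
"""Simplified model of a VLAN-source SPAN session (constructed example)."""
import hashlib

# Sample ports carrying vlan 12: two access ports and two trunks (constructed).
VLAN12_PORTS = {"fa0/1", "fa0/2", "gi0/1", "gi0/2"}

def mirrored_copies(frame, ingress, egress, vlan_ports, direction):
    """Copies sent to the SPAN destination for one unicast frame.

    rx: one copy if the receiving port is in the monitored VLAN.
    tx: one copy if the transmitting port is in the monitored VLAN.
    both: rx and tx are evaluated independently, so a frame switched
    inside the VLAN is mirrored twice.
    """
    copies = []
    if direction in ("rx", "both") and ingress in vlan_ports:
        copies.append(("rx", ingress, frame))
    if direction in ("tx", "both") and egress in vlan_ports:
        copies.append(("tx", egress, frame))
    return copies

def dedupe(copies, window=4):
    """Keep a frame only if its digest is not among the last `window` seen."""
    recent, unique = [], []
    for _, _, frame in copies:
        digest = hashlib.sha256(frame).digest()
        if digest not in recent:
            unique.append(frame)
        recent = (recent + [digest])[-window:]
    return unique

def mirror_load_mbps(source_mbps, direction):
    """Load offered to the destination port when all traffic stays in the VLAN."""
    return source_mbps * (2 if direction == "both" else 1)

if __name__ == "__main__":
    frame = b"PC1->PC2 sample unicast frame"  # constructed payload
    for d in ("rx", "tx", "both"):
        got = mirrored_copies(frame, "fa0/1", "fa0/2", VLAN12_PORTS, d)
        print(d, len(got), "copies,", len(dedupe(got)), "after dedupe")
    # Transit case from question 4: in on one trunk, out on the other.
    transit = mirrored_copies(frame, "gi0/1", "gi0/2", VLAN12_PORTS, "both")
    print("trunk to trunk, both:", len(transit), "copies")
    print("70 Mbit/s with both:", mirror_load_mbps(70, "both"), "Mbit/s offered")
```

With "both", the 70 Mbit/s stream from the earlier question becomes 140 Mbit/s offered to a 100 Mbit/s destination port, so a sensor on that port cannot expect to see every frame.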

Antonio: thanx for help and patience

Now it's clear for me.

4. I mean typical trunk scenario for transit traffic, it's clear for me now,

Thanx!

Hi, I found this thread doing a search for a question I have about the rx vs tx.

Let's say I am doing a ping from host1 to host2.

Host1 ---ping sent----> G0/1 (switch) ------> G0/10 ----connected to ASA in bridge mode ----> (ASA) -----> G0/11 (switch) -----> (router) ----(cloud)---> Host2

Apologies for the crude diagram. I am doing a monitor session on the switch looking at rx only on G0/10. I was expecting to only see the ICMP reply (return traffic as that is what would be received on port 10 from the ASA) however, I only see the ICMP request. To elaborate on your drawing a bit...

This is rx (ingress) traffic

Another port on the switch -------> Gig0/1 <----------- Host connected to Gig0/1

Would the arrow I added also be considered ingress traffic? If that is the case, it explains why I see the request because it would arrive at G0/10 first before being transmitted onto the ASA. Which brings me to my next question, why would I not see the ICMP reply as well, as it would be received on G0/10? Hope this makes sense. Thanks in advance.
