06-12-2010 05:11 AM - edited 03-06-2019 11:33 AM
Hi
Fairly easy question on SPAN/RSPAN.
I run an application server, App1 on Server1, that is experiencing errors because it seems to be dropping the connection to a vendor server on the internet.
I figured I would run Wireshark on the server to figure out what was going wrong, unfortunately we are not really allowed to install new s/w on live servers.
I've heard that there is a feature of Cisco switches named SPAN where all in/out data on a switchport can be copied over to another. So basically, I can install Wireshark on my PC at work to run Wireshark on, and set up SPAN to copy in/out data on the server's switchport to mine?
Since my PC and the Server1 are on different switches (in fact, different locations connected via a 1 GB WAN Link) we'd actually have to run RSPAN?
My worry is about the level of data going to my PC. There is a good link between the location of my PC and the Server1, but does RSPAN basically copy *all* of the data to the other switch, or is it more efficient than this?
Any help appreciated!
06-12-2010 05:20 AM
Hi
You are correct, you would need to use RSPAN in that scenario.
The switch will indeed copy all data from the source port. It can do filtering based on a few basic parameters such as VLAN, but typically you'd want all traffic anyway.
The alternative to RSPAN (if you are concerned about bandwidth impact) would be to set up SPAN locally on the switch (config would also be simpler) and just plug a laptop or something running Wireshark into the destination SPAN port that you configure on that switch. You can do the capture and analyse the data later, or you can use the 'ingress' keyword when configuring the destination line of the SPAN config to allow the machine running Wireshark to still participate on the network.
In that last setup, you could then use Remote Desktop, VNC or some other desktop sharing app (MeetingPlace, WebEx or LogMeIn) to access the Wireshark PC remotely to see the data.
Regards
Aaron
Please rate helpful posts...
06-12-2010 05:27 AM
Thanks Aaron for the prompt reply, much appreciated.
I had a couple of further follow up questions if you didn't mind:
- Is RSPAN typically used over WAN connections?
- Good point about setting up SPAN to a local port on Server1's switch and then connecting a laptop to that port. I have never actually used SPAN/RSPAN with Wireshark before (I've always tended to use Wireshark installed locally on the server itself)....let's say I did have Wireshark installed on a laptop and used the scenario above, is there anything special I need to configure on Wireshark to tell it to pick up the SPAN'd traffic relating to the server as opposed to any traffic for itself?
Thanks again.
06-12-2010 05:34 AM
Hi
- RSPAN is very rarely used over anything other than a LAN - not just due to bandwidth restraints, but also because it's implemented using specially configured VLANs, and the VLANs don't generally go over WANs. If you are extending the LAN over long distances using LAN-type WAN technologies then you could use it, but generally you'd avoid it.
- No special Wireshark config needed, usually. Some NICs don't support promiscuous capture (picking up packets not addressed to the Wireshark NIC itself) but this is increasingly rare.
Regards
Aaron
Please rate helpful posts and mark answered questions that you've got a satisfactory response from to help identify useful content in the forums...
https://supportforums.cisco.com/docs/DOC-6212
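The local SPAN setup with the 'ingress' keyword and the RSPAN VLAN approach described in the replies above, as an added example configuration that is not part of the original thread. It assumes Catalyst-style IOS syntax; the interface names, VLAN IDs and session numbers are constructed placeholders.

```cisco
! Added example, not from the thread. Assumes Catalyst IOS syntax.
! Gi0/1 = Server1's switchport, Gi0/24 = port for the Wireshark laptop,
! VLAN 10 = laptop's access VLAN, VLAN 900 = RSPAN VLAN (all placeholders).

! --- Option A: local SPAN on Server1's switch (global config mode) ---
no monitor session 1
! Copy traffic in both directions on the server port
monitor session 1 source interface GigabitEthernet0/1 both
! 'ingress' lets the capture laptop also send frames into VLAN 10,
! so it stays reachable for remote desktop access while capturing
monitor session 1 destination interface GigabitEthernet0/24 ingress untagged vlan 10

! --- Option B: RSPAN between switches on the same LAN ---
! On every switch in the path: define the dedicated RSPAN VLAN.
! The trunks between the switches must carry VLAN 900.
vlan 900
 remote-span
 exit

! On the source switch (Server1's switch)
no monitor session 2
monitor session 2 source interface GigabitEthernet0/1 both
monitor session 2 destination remote vlan 900

! On the destination switch (where the Wireshark PC is attached)
no monitor session 2
monitor session 2 source remote vlan 900
monitor session 2 destination interface GigabitEthernet0/5

! --- Verify from privileged EXEC mode on each switch ---
! show monitor session all
```

The destination port receives a full copy of Server1's traffic, so remove the session with `no monitor session <number>` once the capture is finished.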