Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
444
Views
0
Helpful
3
Replies

Nexus 7010 span picking up multipal device unicast packets

alan.ambers
Level 1
Level 1

‎05-30-2013 02:34 PM - edited ‎03-07-2019 01:39 PM

I want to monitor our backup server (commvault) as it is saying it's library (Data Domain) is going off line.  I have set up monitoring like this:

swus7010Corea(config)# show mon ses all

     session 1

-----------------------------

type                              :   local

state                             :   up

source intf

        rx                           :   Eth2/11

        tx                           :   Eth2/11

        both                      :   Eth2/11

source VLANs

         rx                          :

         tx                          :

         both                     :

filter VLANs                 :   filter not specified

destation ports            :   Eth9/45

The issue is I am seeing a lot of unicast traffic (on Wireshark) that has nothing to do with the server on E2/11.  Some of it is from different VLANs

Does anybody have an idea of what is going on here.  There is way too much data (multi-Mbps) to keep wireshark running very long to capture our

intermitten problem.

Thanks!

/alan

Labels:
0 Helpful
3 Replies 3

Reza Sharifi
Hall of Fame
Hall of Fame

‎05-30-2013 03:31 PM

You get everything that is on the wire and it quickly becomes too much to look at.  You can setup filters to get what you need.

have a look at this link for filter examples:

http://www.thegeekstuff.com/2012/07/wireshark-filter/

HTH

0 Helpful

alan.ambers
Level 1
Level 1
In response to Reza Sharifi

‎06-03-2013 06:58 AM

Reza -

I did the filtering at the display level and it was still too much data.  I dug in to the capture filter and then got my data down to a manageable amount.  However, that ist still just Wireshark doing the work.

My original question is why is this span port getting all of this other *unicast* traffic that has nothing to do with the sourc port.  Why is that?

0 Helpful

mfurnival
Level 4
Level 4
In response to alan.ambers

‎06-03-2013 07:21 AM

You are probably better using a capture filter rather than a display filter. A display filter captures everything and then just shows you what you want to see, a capture filter just captures what you ask it to capture.

As to why you are seeing this unicast traffic - in your capture find a packet that you think should not be seen on this interface and verify the destination MAC address. Then on the switch do a "show mac-address table" (or whatever the equivalent is on NX-OS) and see if that MAC address is associated with that port. Could it be that the port is attached to some sort of virtualized platform so there are multiple "servers" on that port?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card