No UDP SIP in span port

dave.jones
Level 1

I am having a problem where UDP SIP packets do not show up on the span dst port in my captures.

I am seeing TCP traffic and some other UDP traffic, as well as the broadcasts, and I know there are UDP SIP packets because when I do a capture on the device itself it shows a SIP keepalive exchange every minute.

Has anyone run into this before? I have spent a few hours searching for info on why this might be, both from the SPAN (Cisco) perspective and from 2 different capture software vendors, with no hits yet that could explain it.

Thanks in advance.

Accepted Solutions

Peter Paluch
Cisco Employee

Hello Dave,

What is your SPAN configuration? Are you monitoring a particular port or an entire VLAN? My question is directed towards verifying that you are monitoring the appropriate port and appropriate VLAN.

There is no reason for a switch to filter out SIP messages from monitored traffic so I conclude that either the source of the SPAN session is not configured properly, or the destination is unable to pass out the SIP messages (tagging issue perhaps)?

Best regards,

Peter

The monitor was configured as shown below. I think I may have found the issue though.

Session 1
---------
Source Ports:
    RX Only:       None
    TX Only:       None
    Both:          Fa0/2
Destination Ports: Fa0/12

Fa0/2 is where the device is that I am trying to monitor the traffic for and Fa0/12 is where the device is that I have my monitor device/capture software.

THE ISSUE:

The NIC of the capture device still had Client for MS Network, QoS Packet scheduler and IP turned on. Once I turned these off I started getting the info I expected.

Hello Dave,

Thank you very much for your reply and letting us know what was the real cause of your issue. I am also very thankful for your generous rating though I do not deserve it as I didn't help much.

Anyway, removing the protocols/drivers from the sniffing interface is an interesting solution. What packet sniffer were you using? Was it Wireshark or some other network traffic analysis software?

It is my experience that under Windows, Wireshark is not able to see all frames sent/received on a particular interface. For example, Wireshark does not see any IPsec packets sent and received by the Cisco VPN Client for Windows. This is probably due to some "higher-level" integration of the WinPcap library into the operating system so that it is actually unable to catch all packets travelling through an interface. It may be that your network sniffer had a similar problem. As far as sniffing goes, I have been very satisfied with running Wireshark under Linux. Windows has repeatedly proven to be unreliable here.

Best regards,

Peter

I was using Wireshark and, although you didn't give me the answer, you did help...

I looked at the SPAN information and I was confident it was correct.

So I started looking at other possible areas, and in the capture I noticed I was only receiving 1/2 the packets; then I noticed I was receiving all the rx data and no tx data.

That's when I started thinking: OK, since you said it should work, then it has to be something on the device. So I started going through what I remembered about best practices for sniffing using Windows, and Network General, at the time (now NetScout), said it is best to disable all Windows/IP options on your NIC when using the device to capture data. This lets Windows focus on only capturing the data sent to the interface, and voila.

Note... this is the same symptom for both Wireshark and NetScout Sniffer and in both cases resolved the problem.

For the Cisco VPN client thing I would recommend getting another machine and setting up a SPAN vs. trying to capture the data on the machine you are using to VPN. It should see all the data as long as you turn off all the IP and MS options on the NIC card (if you use Windows). I have captured this using Wireshark for a Nortel VON client before.

Regards,

Dave Jones

Engineering & IT Services

Corporate Network Infrastructure and Design

Bell Aliant

TEL (506)856-7419 Cell (506) 381-3831
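
The symptom described in the post above (SIP over UDP seen in only one direction on the SPAN destination) can be checked for in a saved capture. This is an added example, not code from the thread: the function names, the 192.0.2.10 / 198.51.100.5 addresses and the sample frames are constructed, and it assumes a classic pcap file (not pcapng) with Ethernet framing.

```python
import struct
from collections import Counter

MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # classic pcap, either byte order

def direction_counts(pcap: bytes, host_ip: str, port: int = 5060) -> Counter:
    """Count UDP packets on `port` sent by (tx) and sent to (rx) host_ip."""
    if pcap[:4] not in MAGIC:
        raise ValueError("not a classic pcap file")
    end = MAGIC[pcap[:4]]
    host = bytes(int(o) for o in host_ip.split("."))
    counts, off = Counter(), 24                   # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]  # captured length
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        etype, l3 = frame[12:14], 14
        if etype == b"\x81\x00":                  # 802.1Q-tagged copy from the SPAN port
            etype, l3 = frame[16:18], 18
        if etype != b"\x08\x00" or len(frame) < l3 + 20 or frame[l3 + 9] != 17:
            continue                              # not IPv4 carrying UDP
        l4 = l3 + (frame[l3] & 0x0F) * 4          # honour the IP header length
        if len(frame) < l4 + 4:
            continue
        if port not in struct.unpack("!HH", frame[l4:l4 + 4]):
            continue
        if frame[l3 + 12:l3 + 16] == host:
            counts["tx"] += 1
        elif frame[l3 + 16:l3 + 20] == host:
            counts["rx"] += 1
    return counts

def one_sided(counts: Counter) -> bool:
    """True when traffic was seen in exactly one direction."""
    return (counts["tx"] == 0) != (counts["rx"] == 0)

# --- constructed sample data (not from the thread) ---
def build_frame(src, dst, sport, dport, vlan=None):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, bytes(src), bytes(dst))
    tag = b"" if vlan is None else b"\x81\x00" + struct.pack("!H", vlan)
    return b"\x00" * 12 + tag + b"\x08\x00" + ip + struct.pack("!HHHH", sport, dport, 8, 0)

def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

HOST, PEER = (192, 0, 2, 10), (198, 51, 100, 5)
SAMPLE = build_pcap([build_frame(PEER, HOST, 5060, 5060),
                     build_frame(PEER, HOST, 5060, 5060, vlan=20),
                     build_frame(PEER, HOST, 53, 4000)])

if __name__ == "__main__":
    c = direction_counts(SAMPLE, "192.0.2.10")
    print(dict(c), "one-sided capture" if one_sided(c) else "ok")
```

Wireshark writes pcapng by default, so a capture has to be saved in the older pcap format before this parser will accept it.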

Dave,

Thanks again for your reply. Following your mind process was very interesting! Regarding the Cisco VPN Client, I am of course aware that sniffing using a third-party device would do the trick.

"This lets windows focus on only capturing the data sent to the interface and voila."

I would personally say that Windows is actually too focused on the captured data, and removing all IP settings and bindings from a capturing device actually prevents Windows from interfering with the capturing work.

Best regards,

Peter
