Only seeing broadcast traffic on cisco 3750 monitoring port

CiscoNewbie8878 · ‎02-19-2019

I am not a network engineer but I am the one stuck trying to get the port monitoring to work.

I have a switch with three regular ports and one monitoring port

port 1 is in vlan 100 and in connected to an external switch. There is an ACL for incoming traffic applied to this port

port 2 is in vlan 200 and is connected to a laptop for access to the network

port 3 is a server in vlan 200

port 12 is the monitoring port connected to a laptop with wireshark installed

port 12 is a trunk port foir vlan 1,100, 200

for security reasons all IPs were removed from vlan 1 (not sure if this is causing the problem)

monitor session 1 source vlan 100, 200

monitor session 1 destination interface gigabitethernet 1/0/12

balaji.bandi · ‎02-19-2019

can you post running config as below :

show run interface gigabitethernet 1/0/12

show monitor session

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

CiscoNewbie8878 · ‎02-19-2019

#show run interface gigabitethernet 1/0/12

Interface GigabitEthernet1/0/12

switchport trunk encapulation dot1q

switchport trunk allowed 1,100,200

switchport mode trunk

switchport nonegotiate

end

#show monitor session 1

Type local session

Source VLANs :

both : 100,200

Destination Ports : Gi1/0/12

Encapsulation : Native

ingress : Disabled

balaji.bandi · ‎02-19-2019

Do below steps : ( assuming that Interface GigabitEthernet1/0/12 is connected to Laptop running wire-shark as per your earlier post)

config t

!

default Interface GigabitEthernet1/0/12

!

end

Post the below output :

show monitor session

show run Interface GigabitEthernet1/0/12

show Interface GigabitEthernet1/0/12

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Richard Burts · ‎02-19-2019

I wonder if it would make any difference if you did the port monitor source as a single vlan instead of as 2 vlans?

I would also suggest trying the monitor session specifying the individual ports rather than specifying the vlans?

HTH

Rick

HTH

Rick

CiscoNewbie8878 · ‎02-19-2019

okay I set the monitoring port interface to the defaults and right now I'm just trying to monitor vlan 200. I have a tcping session running on my client laptop (port 2) and wireshark on the monitoring port (port 12). Still not seeing any TCP traffic being monitored

show run int gigabitethernet 1/0/12

interface GigabitEthernet1/0/12

end

show monitor session 1

Type : local session

source VLANs :

both : 200

destination : Gi1/0/12

Encapsulation : Native

ingress : Disabled

show int status:

Gi1/0/1 connected 100

Gi1/0/2 connected 200

Gi1/0/3 connected 200

Gi1/0/12 monitoring 1

balaji.bandi · ‎02-19-2019

If the device connected to Port gi 1/0/12 with Wireshark running you should able to see the traffic from VLAN 200.

what is the configruation of the PC/Laptop connected to port 1/0/12 ? do you configured any IP ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

CiscoNewbie8878 · ‎02-19-2019

No ip address configured for the monitoring laptop

ipconfig just shows the bogus 169.254.x.x address

The windows network configuration for the local Area Connection:

Unchecked Client for Microsoft Networks

Unchecked QoS Packet Scheduler

Unchecked File and Print Sharing

Unchecked IPv6

Checked IPv4 (use DHCP is selected)

Checked Topology Discover Mapper I/O Driver

Checked Topology Discover responder

CiscoNewbie8878 · ‎02-19-2019

MISC setting on the switch. I don't know if any of these are preventing the monitoring of TCP traffic...

no service pad

service tcp-keepalives-in

no aaa new-model

switch 1 provision ws-3750

system mtu routing 1500

no ip source-route

ip routing

some crypto stuff...

crypto pki trustpoint

spanning-tree mode pvst

spanning-tree extend system.id

ip tcp synwait-time 10

some ntp setting

balaji.bandi · ‎02-19-2019

here is good example and tested working one for reference :

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-switches/940-cisco-switches-span-monitoring.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

CiscoNewbie8878 · ‎02-19-2019

I tried monitoring just port 1, just port 2 and port 1-2. Still no luck.

both Gi1/0/1

Gi1/0/12

both Gi1/0/2

Gi1/0/12

both Gi1/0/1-2

Gi1/0/12

balaji.bandi · ‎02-19-2019

Just wondering, what are the devices connected to switch,.

What is the configuration of PC, can you post ethernet config screen shot and wireshart output to see what you getting.

since we can visualise what you see on your PC.

or upload Pcap file to ticket.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Richard Burts · ‎02-20-2019

Thank you for trying monitoring individual ports. If Gig1/0/12 is the span monitoring port then no regular network traffic would be sent to it and there would be no point in trying to monitor it.

What about trying to monitor just Gig1/0/1?

And one other question. Gig1/0/12 is the monitoring port. Is that the port where the monitoring PC is connected?

HTH

Rick

HTH

Rick

CiscoNewbie8878 · ‎02-20-2019

I have tried just monitoring port 1/0/1 and yes the monitoring laptop is connected to port 1/0/12. I have configured the switch as best as I can and am leaving it to more experienced networking people here to figure out if it is working or not. If I find out what the issue is I will update this post.

Richard Burts · ‎02-20-2019

Thanks for the update. Would you post the output of show monitor session 1

HTH

Rick

HTH

Rick