06-15-2011 02:48 PM - edited 03-07-2019 12:50 AM
Hello All,
I have been experimenting with RSPAN for a project. I have the majority of it set up and I can see traffic from the source vlan to the destination port. The only problem is that Wireshark is only picking up packets sourced from the source vlan 2396 to the destination.
Example: I am ssh'ing to a server from a remote PC, and Wireshark is only capturing packets from the server to the PC and not PC to server.
Can anyone figure out my configuration error?
Let me start by giving you my setup currently.
I have two 6509s connected via a ten gig link.
On 6509-1
===========
I have a vlan 2396 which I will be sniffing traffic on.
I have set up an RSPAN vlan, which is 590. I have also added the vlan to the ten gig trunk. Config is below.
vlan 590
name RSPAN-vlan-test
remote-span
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2,373-376,560,562,573-576,590,1040,1041,1129
switchport trunk allowed vlan add 1148,1149,1166,1167,1176,1177,2325,2326,2395
switchport trunk allowed vlan add 2396,2830,2831,2840-2847,3100-3106,3111-3113
switchport trunk allowed vlan add 3142-3147,3458-3465,3494,3495,3595,3799,3800
switchport trunk allowed vlan add 3899,3974,3975,3980,4001,4009,4014-4016,4048
switchport trunk allowed vlan add 4080,4081
switchport mode trunk
switchport nonegotiate
mtu 9216
mls qos trust dscp
I have set up the monitor session
monitor session 4 source vlan 2396
monitor session 4 destination remote vlan 590
Additional information
Session 4
---------
Type : Remote Source Session
Description : -
Source Ports :
RX Only : None
TX Only : None
Both : None
Source VLANs :
RX Only : None
TX Only : None
Both : 2396
Source RSPAN VLAN : None
Destination Ports : None
Filter VLANs : None
Dest RSPAN VLAN : 590
Source IP Address : None
Source IP VRF : None
Source ERSPAN ID : None
Destination IP Address : None
Destination IP VRF : None
Destination ERSPAN ID : None
Origin IP Address : None
IP QOS PREC : 0
IP TTL : 255
Egress SPAN Replication State:
Operational mode : Centralized
Configured mode : Centralized (default)
On 6509-2
============
I have attached a sniffer (Wireshark) to a port on the 2nd 6509. Below is the config.
monitor session 2 destination interface Gi4/14
monitor session 2 source remote vlan 590
Session 2
---------
Type : Remote Destination Session
Source RSPAN VLAN : 590
Destination Ports : Gi4/14
Thank you in advance for your help.
Kal.
06-16-2011 06:04 AM
Hi!
In which vlan is the server and in which the PC?
Is the server in vlan 2396 and Pc in other vlan?
Regards.
06-16-2011 01:13 PM
Server is in vlan 2396 and the PC initiating an ssh connection is in another vlan.
I have tried multiple configurations:
monitor session 4 source vlan 2396 both
monitor session 4 source int gi 4/14 both
monitor session 4 source ten 3/1 both
monitor session 4 filter 2396
06-16-2011 01:48 PM
Hi,
I ran into this problem of only capturing traffic in one direction. At the time, I was using my own laptop, running Wireshark, but the laptop also had some VPN software installed that affected my TCP/IP stack, resulting in one-way captures. As soon as the VPN software was disabled, captured packets were now showing both directions.
I would suggest reviewing if you may have some software enabled that could be interfering with your TCP/IP stack on the laptop or PC you are using.
HTH,
Steve
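Added example, not part of the thread or written by any poster: a way to confirm from the capture itself which TCP conversations appear in only one direction, so the result can be compared before and after a change to the monitor session or the sniffer host. It assumes the capture was saved in classic pcap format (not pcapng) with Ethernet framing and IPv4; the function names and the sample addresses are constructed for illustration.

```python
import socket
import struct

def one_way_flows(pcap):
    """Return {conversation: [pkts a->b, pkts b->a]} for TCP conversations
    that the capture shows in only one direction."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):        # little-endian file (usec / nsec)
        end = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):      # big-endian file
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts, off = {}, 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        pos = 12
        while frame[pos:pos + 2] == b"\x81\x00":  # skip 802.1Q tag(s) if the capture kept them
            pos += 4
        ip = frame[pos + 2:]
        if frame[pos:pos + 2] != b"\x08\x00" or len(ip) < 20 or ip[9] != 6:
            continue                              # not IPv4/TCP
        ihl = (ip[0] & 0x0F) * 4
        if len(ip) < ihl + 4:
            continue                              # truncated before the TCP ports
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        src = (socket.inet_ntoa(ip[12:16]), sport)
        dst = (socket.inet_ntoa(ip[16:20]), dport)
        key = tuple(sorted((src, dst)))           # same key for both directions
        counts.setdefault(key, [0, 0])[0 if src == key[0] else 1] += 1
    return {k: v for k, v in counts.items() if 0 in v}

def sample_pcap(packets, vlan=0):
    """Build a constructed pcap from (src_ip, sport, dst_ip, dport) tuples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    tag = struct.pack("!HH", 0x8100, vlan) if vlan else b""
    for src, sport, dst, dport in packets:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 1024, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = b"\x02" * 6 + b"\x04" * 6 + tag + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out
```

To run it against a real capture, save the file from Wireshark as pcap rather than the default pcapng and pass its bytes, for example `one_way_flows(open("capture.pcap", "rb").read())`.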