Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1336
Views
0
Helpful
4
Replies

SPAN configuration for a specific protocol

stam_heshbon
Level 1
Level 1

‎10-12-2010 10:10 AM - edited ‎03-06-2019 01:28 PM

The routers we are using are Cisco 6500's with 720-3BXL Sup engines. 

I have a network in which I'd like to watch only a specific protocol, in this example SMTP traffic. I'd like to see all traffic going to and from port 25 (to monitor all outgoing email regardless of who the MTA is, so it is not fropm a specific known IP address).

Since most the traffic on the network is not related to the protocol I am looking to follow/monitor it'd be useful to set the SPAN to only provide me with traffic destined to port 25 (which would be 2-3% of total traffic).

How do I go about configuring the Router?

Thanks,

Sam

Labels:
0 Helpful
4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

‎10-12-2010 10:29 AM

Sam

As far as i am aware you cannot do this because SPAN does not actually look into the packets, it merely sends a copy of the packet to a destination port.

If you want to monitor only smtp traffic then you would be better off looking at Netflow rather than SPAN. However if you need to see inside the actual packets you will have to use SPAN and send all traffic and then analyse with a protocol analyser such as wireshark. Wireshark will allow you to set filtes based on TCP/UDP ports so it would only show you what you wanted to see.

Jon

0 Helpful

stam_heshbon
Level 1
Level 1
In response to Jon Marshall

‎10-12-2010 12:34 PM

Thanks.

If I am already going to through at this massive amounts of HW I might as well look into the right thing. What would you recomend as the "port mirroring" technology of choice to get a copy of SMTP. As it is a fraction of the general traffic it seems wrong to try SPAN and filter it on a huge server. I'd expect a network device could forward a copy of a specific pattern with ease, but which would it be?

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to stam_heshbon

‎10-12-2010 12:43 PM 

stam_heshbon wrote:
Thanks.
If I am already going to through at this massive amounts of HW I might as well look into the right thing. What would you recomend as the "port mirroring" technology of choice to get a copy of SMTP. As it is a fraction of the general traffic it seems wrong to try SPAN and filter it on a huge server. I'd expect a network device could forward a copy of a specific pattern with ease, but which would it be?


Stam

Sorry, i completely forgot about the use of VACLs to capture specific traffic. Have a look at this link and see if it helps -

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080883ca2.shtml

Once again, apologies for that.

Jon

0 Helpful

stam_heshbon
Level 1
Level 1
In response to Jon Marshall

‎10-15-2010 05:38 AM

Thanks, looks like it could do the trick. I'll have a try.

0 Helpful
Customers Also Viewed These Support Documents