Solved: SPAN Not Capturing Packets

JaxIsland75 · ‎09-03-2019

My objective is to have port 17 mirror port 23 so I can use a laptop with Wireshark to see all the traffic on that port. I have not done this on a Cisco device before and I am using a 3560 v12.2(44)SE5. Using the below setup I see no traffic on the laptop connected to port 17. I have constant traffic being sent back and forth on port 23 and I can monitor the quantity with PRTG so I know there is data flowing through that port.

Here is what I have done:

3560G(config)#monitor session 1 source interface gigabitEthernet 0/23 both

3560G(config)#monitor session 1 destination interface gigabitEthernet 0/17

Here is more information:

Session 1
---------
Type                   : Local Session
Description            : -
Source Ports           : 
    RX Only            : None
    TX Only            : None
    Both               : Gi0/23
Source VLANs           :
    RX Only            : None
    TX Only            : None
    Both               : None
Source RSPAN VLAN      : None
Destination Ports      : Gi0/17
    Encapsulation      : Native
          Ingress      : Disabled
Filter VLANs           : None
Dest RSPAN VLAN        : None

!
interface GigabitEthernet0/17
 description Mirror_Port_23
 switchport access vlan 8
 spanning-tree portfast
!

GigabitEthernet0/17 is up, line protocol is down (monitoring)
Hardware is Gigabit Ethernet, address is 6416.8daa.f711 (bia 6416.8daa.f711)
Description: Mirror_Port_23
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec, 
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported 
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:18:30, output 00:08:21, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 25000 bits/sec, 2 packets/sec
157301 packets input, 24296435 bytes, 0 no buffer
Received 4580 broadcasts (3880 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 3880 multicast, 0 pause input
0 input packets with dribble condition detected
360604 packets output, 260094573 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out

!
interface GigabitEthernet0/23
 description Needs to be monitored
 switchport access vlan 2
 speed 100
 duplex full
!
GigabitEthernet0/23 is up, line protocol is up (connected) 
Hardware is Gigabit Ethernet, address is 6416.8daa.f717 (bia 6416.8daa.f717)
Description: Needs to be monitored
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, 
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported 
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 4000 bits/sec, 2 packets/sec
5 minute output rate 29000 bits/sec, 6 packets/sec
60371608 packets input, 6242172910 bytes, 0 no buffer
Received 570609 broadcasts (570467 multicasts)
0 runts, 0 giants, 0 throttles
1 input errors, 1 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 570467 multicast, 0 pause input
0 input packets with dribble condition detected
80487954 packets output, 96000984160 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out

Giuseppe Larosa · ‎09-03-2019

Hello JaxIsland75,

the span configuration is fine.

All the show commands are fine and the source and destination port are in different Vlans.

>>

GigabitEthernet0/17 is up, line protocol is down (monitoring)

This is correct too on the destination port.

The port is sending out some frames

>>

5 minute output rate 25000 bits/sec, 2 packets/sec

You source interface has option both meaning mirroring both TX and RX traffic

5 minute input rate 4000 bits/sec, 2 packets/sec
5 minute output rate 29000 bits/sec, 6 packets/sec

Now, the question is what do you see in your packet capture ?

If you see no frames captured you may have issues with wireshark installation (older wireshark versions use WinPCAP, new versions use NCAP, without these libraries installed you cannot capture)

Hope to help

Giuseppe

View solution in original post

Giuseppe Larosa · ‎09-03-2019