
SPAN session not detecting any SSH session - 2960XR

cHrome08
Level 1

Hey Guys,

I would like to ask for advice from the community.
I recently detected that there have been some SSH attempts on our server and would like to identify the culprit IP address.
I decided to go with the SPAN configuration and put a laptop with Wireshark on it.
The attack happens between 3 am and 7 am in the morning.

Now, this is where I don't quite understand the issue I am facing.
I am able to see logs in Wireshark.
Whenever I try to ping or access the server via https, I am able to see traffic logs in Wireshark.

From this I conclude that my SPAN configuration (not RSPAN) is working fine, because I can see the traffic.

But when I try to SSH to the device, I am not able to see any output in Wireshark.
Even filters like tcp.port == 22 or just ssh don't give any output.
I am able to log in to the server via SSH just fine, but with no output in Wireshark.

I tried multiple sources for the monitoring configuration, be it vlan 50 or port-channel 1, but the result is the same.
When I try to SSH to the switch (which Wireshark is connected to, and whose SVI is on vlan 50), I am also not able to see any SSH output.

So the issue here is: am I configuring it wrongly, since I am not able to see SSH traffic while ICMP and HTTPS traffic can be seen in the Wireshark logs?

The configuration for my monitoring session is:

monitor session 1 source interface Po1 (or even vlan 50)
monitor session 1 destination interface Gi1/0/48

There is not much traffic on this switch apart from vlan 50 and vlan 15, and there is no uplink apart from Po1.
Thank you.

 

5 Replies

cHrome08
Level 1

Session 1
---------
Type : Local Session
Description : -
Source Ports :
RX Only : None
TX Only : None
Both : Po1
Source VLANs :
RX Only : None
TX Only : None
Both : None
Source RSPAN VLAN : None
Destination Ports : Gi1/0/48
Encapsulation : Native
Ingress : Disabled
Filter VLANs : None
Dest RSPAN VLAN : None
IP Access-group : None
MAC Access-group : None
IPv6 Access-group : None

Hello,

 

SSH is typically directed at the management IP address of the switch. Which IP address is that, is it configured on Vlan interface 50 ?

Hi Georg,

I tested SSH to the Linux server as well as to the switch (via PuTTY) and though both are successful (i.e. PuTTY is asking for the credentials to log in), I am not able to see any attempts in Wireshark.

I do not have the same issue when I access the Linux server via web (https); I was able to see the logs in Wireshark.
Vlan50 IP is 10.19.0.236 and the Linux Server is 10.19.0.207 (/25 subnet mask).

Thank you.

Regards

Han

balaji.bandi
Hall of Fame

We want to see more of the config of your port-channel 1 and the interface config of gi1/0/48.

 

show monitor 

 

From what IP address are you doing SSH to test?

What is this server? Linux or Windows?

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960xr/software/15-0_2_EX1/network_management/configuration_guide/b_nm_15ex1_2960-xr_cg/b_nm_15ex1_2960-xr_cg_chapter_0111.html#reference_5323577C93FF44B48D6EE79AAFC6724F

 

BB


show run int gi1/0/48
Building configuration...

Current configuration : 68 bytes
!
interface GigabitEthernet1/0/48
description :: WIRESHARK ::
end

 

show run int po1
Building configuration...

Current configuration : 119 bytes
!
interface Port-channel1
description To Nexus-9K
switchport trunk allowed vlan 15,40,50
switchport mode trunk
end

 

 

show monitor session 1
Session 1
---------
Type : Local Session
Source Ports :
Both : Po1
Destination Ports : Gi1/0/48
Encapsulation : Native
Ingress : Disabled

 

I believe the servers are Linux servers, and the L3 for vlan 50 resides in the Nexus (its uplink).
I am trying to access via the IP 10.19.163.220 which is not within vlan 50 (10.19.0.128/25).
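Once the SPAN session does deliver the port-22 traffic, the next step the original poster describes is working out which source address is behind the early-morning attempts. The script below is an added example, not code from this thread or from Cisco: it assumes the Wireshark capture has been exported as CSV with the columns frame.time, ip.src, ip.dst, tcp.dstport and tcp.flags, counts one attempt per TCP SYN to port 22, flags the ones that fall in the 03:00-07:00 window, and marks sources outside the monitored VLAN 50 subnet (10.19.0.128/25, as given in the thread). The sample rows are constructed, reusing only the addresses quoted above.

```python
"""Triage of a SPAN capture export for SSH connection attempts.

Added example, not code from the thread. Assumes a Wireshark/tshark CSV
export with the five columns shown in SAMPLE_EXPORT (constructed data).
"""
import csv
import io
import ipaddress
from collections import Counter
from datetime import datetime

MONITORED_SUBNET = ipaddress.ip_network("10.19.0.128/25")  # VLAN 50, from the thread
SSH_PORT = 22
OFF_HOURS = range(3, 7)          # 03:00-06:59, the window reported in the thread
TCP_SYN, TCP_ACK = 0x02, 0x10    # TCP flag bits as shown in tcp.flags

# Constructed sample export. The ICMP row has empty TCP fields, as a real
# export would, and must be skipped rather than crash the parser.
SAMPLE_EXPORT = """\
frame.time,ip.src,ip.dst,tcp.dstport,tcp.flags
2024-01-10 03:12:05,10.19.163.220,10.19.0.207,22,0x0002
2024-01-10 03:12:06,10.19.163.220,10.19.0.207,22,0x0002
2024-01-10 03:12:09,10.19.163.220,10.19.0.236,22,0x0002
2024-01-10 03:13:00,10.19.163.220,10.19.0.207,,
2024-01-10 04:40:51,10.19.0.150,10.19.0.207,443,0x0002
2024-01-10 09:15:00,10.19.0.150,10.19.0.207,22,0x0002
2024-01-10 09:15:01,10.19.0.207,10.19.0.150,51234,0x0012
"""


def parse_export(text):
    """Parse the CSV export into dicts; rows without TCP/IPv4 fields are dropped."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            rows.append({
                "time": datetime.strptime(row["frame.time"], "%Y-%m-%d %H:%M:%S"),
                "src": ipaddress.ip_address(row["ip.src"]),
                "dst": ipaddress.ip_address(row["ip.dst"]),
                "dport": int(row["tcp.dstport"]),
                "flags": int(row["tcp.flags"], 16),
            })
        except (KeyError, ValueError):
            continue  # ARP/ICMP rows carry empty port and flag fields
    return rows


def ssh_attempts(rows):
    """Keep SYN-without-ACK segments to port 22: one per connection attempt."""
    return [
        r for r in rows
        if r["dport"] == SSH_PORT and r["flags"] & (TCP_SYN | TCP_ACK) == TCP_SYN
    ]


def summarize(text):
    """Count attempts per source, those in the off-hours window, and off-VLAN sources."""
    attempts = ssh_attempts(parse_export(text))
    return {
        "attempts": Counter(str(r["src"]) for r in attempts),
        "off_hours": Counter(str(r["src"]) for r in attempts
                             if r["time"].hour in OFF_HOURS),
        "external": sorted({str(r["src"]) for r in attempts
                            if r["src"] not in MONITORED_SUBNET}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```

Counting SYNs rather than every packet on port 22 keeps a long interactive session from looking like a burst of attempts, and the subnet check is the quick way to separate hosts that belong on VLAN 50 from addresses such as 10.19.163.220 that reach the server through the Nexus uplink.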

 
