Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Sniffer

Status
Not open for further replies.

RNF0528

MIS
Apr 4, 2006
115
US
I have installed a network sniffer and i have also configured a port on my core but I think something is not set up correctly I am not gettting traffic from from some IP`s on the network. Here is what i have on the core and other switches

CORE:
!
monitor session 1 source vlan 1
monitor session 1 destination interface Fa6/36

All my other switches:
!
monitor session 1 source interface Gi0/1 rx
monitor session 1 source interface Gi0/2

Any help with this would be greatly appreciated!
 
they way you have this setup, you will only capture the packets sourced/destined across vlan1.
 
How should i set this up if i want all traffic?

Do i need to set the destination on the other switches?

From what i was reading I just assumed to set the destination on the port the sniffer was connected to. is that wrong?
 
The destination is the port you want the sniffer on. But the way you have this setup, you will not be capturing anything from the other switches. You will only capture traffic that crosses vlan1 at the core.
 
What VLANs are you using across your network?

------------------------------------
Dallas, Texas
Telecommunications Tech
CCVP, CCNA, Net+

CCNP in the works
 
My main question is why do you want to capture all traffic? Trying to capture all traffic on the network, is more than likely going to overload the buffer on your sniffer, and you'll end up dropping packets.

If it were me, I wouldn't monitor the vlans, as much as the trunk links. But again, you won't capture the traffic that stays within an edge switch.
 
I would like VLAN 1, 72, 73, 80.

Can i configure some switches for trunks and others for vlan?
Will the core allow it?

This may sound funny but i have applications that are on there own switch and would like that traffic that only stays on it, but all the other switches i can go with only the trunks.
 
i would probably set up 2 monitor ports... 1 for VLAN 1 and 72 and another for VLAN's 73 and 80... that way you take less of a chance of overloading the buffers...

Just set up a monitor session 1 and 2 on your core and you can put the source for upto 4 VLAN's if i remember right.

------------------------------------
Dallas, Texas
Telecommunications Tech
CCVP, CCNA, Net+

CCNP in the works
 
OK, Sounds like thats a pretty good idea. I was just testing vlan 1 and i am not getting all the traffic from vlan 1. Once I can see at least all my traffic then i will go with you recomendation.

Do you thin i need to make any changes to my config on the switches?
 
You will need to setup rSpan on the remote switches. They will not forward traffic across the trunk if the source and destination are on the same switch.

Be careful with this because you can flood the trunks and lose packets.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top