Catalyst port mirroring

Discussion in 'Cisco' started by Alex Turtois, Jan 11, 2006.

  1. Alex Turtois

    Alex Turtois Guest

    HI All,

    What I'm trying to do is to have a pocket capture / traffic watcher
    application for network management, service usage measurements on our
    LAN. I'll want to know how many http, radius, ssl, smtp traffic is
    going on our network between my own hosts. All the equipment are
    connected to a catalyst 2950.

    Switched networks does not allow me to watch/capture traffic on all
    interfaces I'll need to use some type of solution that allows me to
    mirror all traffic to a specific port on the switch, so I'd attach a
    linux box on that port and will be able to see all traffic travelling
    to all our routers and servers - as if they all were connected to a
    HUB.

    I have heared about someone was counting traffic using the linux kernel
    ip_accounting fascility this way, but I'm not sure how to set up the
    switch ports for this solution.

    Anyone has experience with solutions like the above?

    TIA,
    Alex
     
    Alex Turtois, Jan 11, 2006
    #1
    1. Advertising

  2. Alex Turtois

    kemot Guest

    Alex,
    What you are looking for is SPAN or monitoring on a switchport. Here is
    little more information on it
    http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008015c612.shtml

    If the port you want to monitor is fa0/1 and you would connect the
    sniffer (Ethereal or anythin like tcpdump) to fa0/15
    here are the basic commands:

    conf terminal
    monitor session 1 source interface fa0/1
    monitor session 1 destination interface fa0/15

    TK

    Alex Turtois wrote:
    > HI All,
    >
    > What I'm trying to do is to have a pocket capture / traffic watcher
    > application for network management, service usage measurements on our
    > LAN. I'll want to know how many http, radius, ssl, smtp traffic is
    > going on our network between my own hosts. All the equipment are
    > connected to a catalyst 2950.
    >
    > Switched networks does not allow me to watch/capture traffic on all
    > interfaces I'll need to use some type of solution that allows me to
    > mirror all traffic to a specific port on the switch, so I'd attach a
    > linux box on that port and will be able to see all traffic travelling
    > to all our routers and servers - as if they all were connected to a
    > HUB.
    >
    > I have heared about someone was counting traffic using the linux kernel
    > ip_accounting fascility this way, but I'm not sure how to set up the
    > switch ports for this solution.
    >
    > Anyone has experience with solutions like the above?
    >
    > TIA,
    > Alex
     
    kemot, Jan 11, 2006
    #2
    1. Advertising

  3. Alex Turtois

    zulu-1-three Guest

    Check out Cisco Netflow. See if your switch can do it.
     
    zulu-1-three, Jan 11, 2006
    #3
  4. Alex Turtois

    John Smith Guest

    if your switch doesn't support the monitor session syntax, you will need
    to do the following:
    interface FastEthernet0/x
    port monitor FastEthernet0/a
    port monitor FastEthernet0/b

    fa0/x is the port your sniffer is plugged into, 0/a and 0/b would be any
    ports u want to sniff.


    On Wed, 11 Jan 2006 09:22:41 -0800, kemot wrote:

    > Alex,
    > What you are looking for is SPAN or monitoring on a switchport. Here is
    > little more information on it
    > http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008015c612.shtml
    >
    > If the port you want to monitor is fa0/1 and you would connect the
    > sniffer (Ethereal or anythin like tcpdump) to fa0/15
    > here are the basic commands:
    >
    > conf terminal
    > monitor session 1 source interface fa0/1
    > monitor session 1 destination interface fa0/15
    >
    > TK
    >
    > Alex Turtois wrote:
    >> HI All,
    >>
    >> What I'm trying to do is to have a pocket capture / traffic watcher
    >> application for network management, service usage measurements on our
    >> LAN. I'll want to know how many http, radius, ssl, smtp traffic is
    >> going on our network between my own hosts. All the equipment are
    >> connected to a catalyst 2950.
    >>
    >> Switched networks does not allow me to watch/capture traffic on all
    >> interfaces I'll need to use some type of solution that allows me to
    >> mirror all traffic to a specific port on the switch, so I'd attach a
    >> linux box on that port and will be able to see all traffic travelling
    >> to all our routers and servers - as if they all were connected to a
    >> HUB.
    >>
    >> I have heared about someone was counting traffic using the linux kernel
    >> ip_accounting fascility this way, but I'm not sure how to set up the
    >> switch ports for this solution.
    >>
    >> Anyone has experience with solutions like the above?
    >>
    >> TIA,
    >> Alex
     
    John Smith, Jan 12, 2006
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Dalirahma

    Port Mirroring Command

    Dalirahma, Oct 21, 2003, in forum: Cisco
    Replies:
    1
    Views:
    5,896
    Terry Baranski
    Oct 21, 2003
  2. plc
    Replies:
    1
    Views:
    21,885
    M.C. van den Bovenkamp
    Apr 30, 2004
  3. Armin Kask

    Port mirroring

    Armin Kask, May 17, 2004, in forum: Cisco
    Replies:
    5
    Views:
    10,588
    Jeff C
    May 18, 2004
  4. Replies:
    2
    Views:
    18,466
    Gallwapa
    Oct 25, 2005
  5. Robeast
    Replies:
    2
    Views:
    680
    Arthur Brain
    Apr 24, 2007
Loading...

Share This Page