Wireshark Captures and port Mirroring

Discussion in 'Cisco' started by Mathias, Jul 8, 2009.

  1. Mathias

    Mathias Guest

    Hello

    I am trying to get capture of traffic on cisco switch port.
    I use a monitor session to do it and wireshark
    Unfortunatly, wireshark just give computer packets,not switch packets.

    How can i get siwth packet on my wireshark capture ?

    Thanks
     
    Mathias, Jul 8, 2009
    #1

    1. Advertisements

  2. Mathias

    Doug McIntyre Guest


    Sounds like you haven't properly setup a monitor session on the switch.
    Otherwise, sounds like you are doing what you need to do, you should
    see the results of all the traffic you are requesting a port mirror of
    inside Wireshark.
     
    Doug McIntyre, Jul 8, 2009
    #2

    1. Advertisements

  3. Mathias

    Mathias Guest

    Hello Doug,

    For example, the computer i want to monitor is on fa0/1. Computer where
    Wireshark is is on fa0/2

    I Just configure : monitor session 1 source int fa0/1
    and then monitor session 1 dest int fa0/2

    On Wireshak, I have the trafic that comes from the computer linked on fa0/1
    but not the trafic from the switch to the computer linked on fa0/1

    Thanks for help
     
    Mathias, Jul 8, 2009
    #3
  4. Mathias

    bod43 Guest

    My instant take on this is that the problem is that you
    are specifying "dest". This is *not* where to mirror the
    traffic to. It is saying that you only want to see traffic
    with the destination out of the port. Or maybe it is the other
    way round - I am sure you can work it out.

    If you just miss out the dest, I guess it will all spring to life.
    Or may be you need to use "source dest"?

    Post "sh monitor", or equivalent on your platform, for
    further advice. ("show span"?).
     
    bod43, Jul 9, 2009
    #4
  5. Mathias

    bod43 Guest

    Sorrry, ignore above nonsense.

    Post sh monitor, though please.
     
    bod43, Jul 9, 2009
    #5
  6. Mathias

    Mathias Guest

    bod43 wrote:
    Post sh monitor, though please.

    I Will as soon as i'll be at work... only 1 am here...

    But i think i have just not used the right method for catalyst 35xx series..

    I used conf t
    monitor session 1 source int fa xx/xx
    monitor session 1 dest int fa xx/xx

    And I just saw in cisco doc that I rather use
    conf t
    int faxx/xx (dest)
    port monitor fastethernet xx/00

    Will try it

    TY for advices
     
    Mathias, Jul 9, 2009
    #6
  7. Mathias

    mathias Guest

    Sh mon :

    Session 1
    ---------
    Type : Local Session
    Source Ports :
    Both : Fa0/26
    Destination Ports : Fa0/3
    Encapsulation : Native
    Ingress : Disabled

    Commands i plan tu use are not the one for my switch (Cisco 3560 48ps)...

    Will search again...
     
    mathias, Jul 9, 2009
    #7
  8. Mathias

    mathias Guest

    Here below is _working_ config:
    TY Will try as soon as possible.

    Yet I thought that monitoring session permit to catch all trafic, with or
    without vlan...
     
    mathias, Jul 10, 2009
    #8

    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.
Similar Threads

  1. Port Mirroring Command

  2. Port mirroring on a cisco 2950

  3. Port mirroring

  4. port mirroring on cisco 2970

  5. Port mirroring in HP 2626-pwr 24 port switch

  6. Catalyst port mirroring

  7. port mirroring on 2950 and potential impact on performance

  8. https using wireshark

Loading...