Wireshark Captures and port Mirroring

Hello

I am trying to get capture of traffic on cisco switch port. I use a monitor session to do it and wireshark Unfortunatly, wireshark just give computer packets,not switch packets.

How can i get siwth packet on my wireshark capture ?

Thanks

Reply to
Mathias
Loading thread data ...

Sounds like you haven't properly setup a monitor session on the switch. Otherwise, sounds like you are doing what you need to do, you should see the results of all the traffic you are requesting a port mirror of inside Wireshark.

Reply to
Doug McIntyre

Hello Doug,

For example, the computer i want to monitor is on fa0/1. Computer where Wireshark is is on fa0/2

I Just configure : monitor session 1 source int fa0/1 and then monitor session 1 dest int fa0/2

On Wireshak, I have the trafic that comes from the computer linked on fa0/1 but not the trafic from the switch to the computer linked on fa0/1

Thanks for help

Reply to
Mathias

My instant take on this is that the problem is that you are specifying "dest". This is *not* where to mirror the traffic to. It is saying that you only want to see traffic with the destination out of the port. Or maybe it is the other way round - I am sure you can work it out.

If you just miss out the dest, I guess it will all spring to life. Or may be you need to use "source dest"?

Post "sh monitor", or equivalent on your platform, for further advice. ("show span"?).

Reply to
bod43

Sorrry, ignore above nonsense.

Post sh monitor, though please.

Reply to
bod43

bod43 wrote: Post sh monitor, though please.

I Will as soon as i'll be at work... only 1 am here...

But i think i have just not used the right method for catalyst 35xx series..

I used conf t monitor session 1 source int fa xx/xx monitor session 1 dest int fa xx/xx

And I just saw in cisco doc that I rather use conf t int faxx/xx (dest) port monitor fastethernet xx/00

Will try it

TY for advices

Reply to
Mathias

Mathias wrote in news:4a552c01$0$294$ snipped-for-privacy@news.club-internet.fr:

Sh mon :

Session 1

--------- Type : Local Session Source Ports : Both : Fa0/26 Destination Ports : Fa0/3 Encapsulation : Native Ingress : Disabled

Commands i plan tu use are not the one for my switch (Cisco 3560 48ps)...

Will search again...

Reply to
mathias

U¿ytkownik "mathias" napisa³ w wiadomo¶ci news:Xns9C43571C62FDAlemairemathiasfreefr@194.158.96.17...

First - its strange You have ingress as disabled; Manual says that as default You should have both directions, but maybe due to your ios version You should specify explicit "in" and "out" in span session configuration.

However in newest IOS on WS-c3560-ps48 it works with config like below.

You should check configuration of _destination_ port - it should be "vanilla" :)

Another hint is encapsulation. I assume You use vlans (802.1q) - if so - You should also have encapsulation replication enabled, else You must set your destination port to vlan which You try to observe.

Here below is _working_ config:

interface FastEthernet0/43 switchport access vlan 123 switchport mode access switchport port-security switchport port-security aging time 2 switchport port-security violation restrict switchport port-security aging type inactivity spanning-tree portfast spanning-tree bpduguard enable ! interface GigabitEthernet0/4 ! monitor session 1 source interface Fa0/43 monitor session 1 destination interface Gi0/4 encapsulation replicate

best regards Przemek

Reply to
PrzemekD

TY Will try as soon as possible.

Yet I thought that monitoring session permit to catch all trafic, with or without vlan...

Reply to
mathias

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.