Port Sniffing Port Mirroring with SPAN
Download Ethereal (now Wireshark) or any other packet sniffer. It is best to have two NICs in the sniffing machine: one for normal network and internet access, and one dedicated to listening to the mirrored traffic from your switch. When you span a switch port to the port your sniffer is plugged into, that port stops behaving like a normal switch port: by default a SPAN destination port only sends the copied frames out to the attached host and does not forward anything the host sends in, so a machine with a single NIC on that port loses its network access. Port mirroring effectively reserves the port for listening. (Some platforms can keep the destination port forwarding with the ingress keyword; see the comments below.)
Switches make network troubleshooting a bit more difficult than hubs because a switch forwards a frame only to the port where the destination MAC address was learned, not to every port. Switching improves performance, since each port gets its own bandwidth, and it raises the bar for snooping: plugging a laptop with a freeware sniffer like Wireshark into a spare port no longer shows you the whole segment. It is not a security boundary, though; an attacker on the same switch can still use tricks such as ARP spoofing or MAC flooding to get traffic sent their way.
To work around this for troubleshooting and analysis you need either a hardware tap inserted into the link, or a port mirror configured on the switch, which Cisco calls SPAN (Switched Port Analyzer). Most business-class switches have this feature, and Cisco supports SPAN on essentially all of its managed Catalyst switches.
Configure a mirror of port Fa0/1 to port Fa0/10 like this (Fa0/1 is the monitored source port, Fa0/10 is the port the sniffer plugs into):
My_Switch(config)# monitor session 1 source interface Fa0/1 both
My_Switch(config)# monitor session 1 destination interface Fa0/10
The both option on the source command tells the switch to copy both received (rx) and transmitted (tx) frames on Fa0/1 to the destination port; it is also the default if you leave the direction off. Once a switchport is configured as a SPAN destination it carries only the copied frames: by default the switch does not forward frames the attached host sends into it, so the sniffer can listen but cannot transmit onto the network.
Cisco switches actually allow you to create more than one mirror, although the number of SPAN sessions allowed depends on the model of Cisco switch (check the configuration guide for your platform). To create a second mirror, just use a second session number.
My_Switch(config)# monitor session 2 source interface Fa0/2 both
My_Switch(config)# monitor session 2 destination interface Fa0/11
Cisco's syntax also allows multiple sources to feed a single destination port (repeat the source command for each interface, or give an interface range) and, on platforms that support it, a single source to feed multiple destination ports by adding a second destination line to the same session. This is handy when an Intrusion Detection System needs to see the same traffic as the sniffer. Two caveats: the number of destination ports per local session varies by model, and if traffic flows between two source ports in the same session the destination sees two copies of each of those frames, one copied on receive and one on transmit. Here session 2 is given a second destination:
My_Switch(config)# monitor session 2 source interface Fa0/2 both
My_Switch(config)# monitor session 2 destination interface Fa0/11
My_Switch(config)# monitor session 2 destination interface Fa0/12
In some cases, looking at the traffic for just one port is not good enough, or the number of mirrors needed exceeds the number of sessions the switch supports. In that case Cisco switches allow you to create a VLAN mirror (VSPAN) that copies the traffic of an entire VLAN, or several VLANs, to a destination port for monitoring:
My_Switch(config)# monitor session 1 source vlan 33 rx
My_Switch(config)# monitor session 1 destination interface Gi1/1
Specify only one direction, rx or tx, for a VLAN source. With both, a frame switched between two ports in the same VLAN is copied twice, once when it is received on the first port and again when it is transmitted out of the second, so from the sniffer's perspective every intra-VLAN packet looks like it has an echo. Bear in mind that rx on a VLAN source only copies frames received on ports in that VLAN, so traffic routed into the VLAN from elsewhere shows up only with tx.
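The following added example (not code from the original post) models how a local SPAN session copies frames, so the duplicate-copy effect described above for a VLAN source with both can be seen directly, together with the same effect for two source ports in one session exchanging traffic (the multi-source case from the previous section) and the rx-only blind spot for traffic entering the VLAN. The switch model is an assumption made for this example: each frame has one ingress and one egress port, every port is an access port in one VLAN, and one copy is made per matching source/direction; real hardware may suppress some of these duplicates, so treat the counts as the worst case. Port names, VLAN numbers and the frames are constructed to match the commands on this page.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Simplified switch model (an assumption for this example): a frame has one ingress
# and one egress port, every port is an access port in exactly one VLAN, and a SPAN
# session makes one copy per matching source/direction. Real platforms may suppress
# some duplicates in hardware, so these are worst-case counts.


@dataclass(frozen=True)
class Frame:
    label: str
    ingress: str  # port the switch received the frame on
    egress: str   # port the switch forwards the frame out of


@dataclass(frozen=True)
class Source:
    kind: str                # "interface" or "vlan", as in 'monitor session N source ...'
    ident: str               # "Fa0/1" for an interface, "33" for a VLAN
    direction: str = "both"  # "rx", "tx" or "both" (both is Cisco's default)


def _port_matches(src: Source, port: str, port_vlan: Dict[str, int]) -> bool:
    """Does this port fall under the SPAN source, by name or by VLAN membership?"""
    if src.kind == "interface":
        return port == src.ident
    if src.kind == "vlan":
        return port in port_vlan and str(port_vlan[port]) == src.ident
    raise ValueError(f"unknown source kind {src.kind!r}")


def span_copies(sources: Sequence[Source], frame: Frame, port_vlan: Dict[str, int]) -> int:
    """Number of copies of one frame that reach the SPAN destination port."""
    copies = 0
    for src in sources:
        if src.direction in ("rx", "both") and _port_matches(src, frame.ingress, port_vlan):
            copies += 1  # copied on the way in
        if src.direction in ("tx", "both") and _port_matches(src, frame.egress, port_vlan):
            copies += 1  # copied on the way out
    return copies


def capture(sources: Sequence[Source], frames: Sequence[Frame], port_vlan: Dict[str, int]) -> List[str]:
    """What the sniffer sees, in order, duplicates included."""
    seen: List[str] = []
    for frame in frames:
        seen.extend([frame.label] * span_copies(sources, frame, port_vlan))
    return seen


def duplicate_count(captured: Sequence[str]) -> int:
    return len(captured) - len(set(captured))


# Constructed topology: Fa0/1-3 are access ports in VLAN 33, Fa0/5 is in VLAN 40
# (a frame leaving or entering VLAN 33 via Fa0/5 stands in for routed traffic).
PORT_VLAN = {"Fa0/1": 33, "Fa0/2": 33, "Fa0/3": 33, "Fa0/5": 40}

# Constructed sample frames.
FRAMES = [
    Frame("f1", "Fa0/1", "Fa0/2"),  # intra-VLAN, from the monitored port
    Frame("f2", "Fa0/2", "Fa0/1"),  # intra-VLAN, to the monitored port
    Frame("f3", "Fa0/1", "Fa0/5"),  # leaves VLAN 33
    Frame("f4", "Fa0/5", "Fa0/1"),  # enters VLAN 33 from outside
    Frame("f5", "Fa0/3", "Fa0/2"),  # intra-VLAN, not touching Fa0/1
]

# Sessions matching the commands on this page.
SESSION_PORT_BOTH = [Source("interface", "Fa0/1", "both")]   # session 1 on the page
SESSION_TWO_PORTS = [Source("interface", "Fa0/1", "both"),
                     Source("interface", "Fa0/2", "both")]    # two source ports, one session
SESSION_VLAN_BOTH = [Source("vlan", "33", "both")]            # what the page warns against
SESSION_VLAN_RX = [Source("vlan", "33", "rx")]                # the page's VSPAN command


if __name__ == "__main__":
    for name, sources in [("port Fa0/1 both", SESSION_PORT_BOTH),
                          ("ports Fa0/1 + Fa0/2 both", SESSION_TWO_PORTS),
                          ("vlan 33 both", SESSION_VLAN_BOTH),
                          ("vlan 33 rx", SESSION_VLAN_RX)]:
        seen = capture(sources, FRAMES, PORT_VLAN)
        print(f"{name:26} -> {seen}  duplicates={duplicate_count(seen)}")
```

Running it shows the VLAN session with both delivering f1, f2 and f5 twice each, the rx-only session delivering each frame once but missing f4 (it was never received on a VLAN 33 port), and the two-source-port session doubling f1 and f2 even though no VLAN source is involved.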
The show monitor command summarizes all of the configured mirrors on the entire switch:
My_Switch>show monitor
Session 1
---------
Type : Local Session
Source Ports:
RX Only: None
TX Only: None
Both: Fa0/1
Source VLANs:
RX Only: None
TX Only: None
Both: None
Source RSPAN VLAN: None
Destination Ports: Fa0/10
Encapsulation: Native
Reflector Port: None
Filter VLANs: None
Dest RSPAN VLAN: None
Session 2
---------
Type : Local Session
Source Ports:
RX Only: None
TX Only: None
Both: Fa0/2
Source VLANs:
RX Only: None
TX Only: None
Both: None
Source RSPAN VLAN: None
Destination Ports: Fa0/11
Encapsulation: Native
Reflector Port: None
Filter VLANs: None
Dest RSPAN VLAN: None
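Anyone who can configure the switch can also SPAN traffic to a port they control, so this output is worth checking on a schedule and not only when troubleshooting. The following added example (not from the original post) parses show monitor output into a structure and flags sessions whose destination is not on an approved list of sniffer or IDS ports, plus VLAN sources configured with both. The sample text is session 1 from the page's own output followed by a constructed session 3; the approved-port set is an assumption for the example. The parser accepts the flattened layout shown above and the indented form IOS prints, but it was written against the key names seen here and treats anything else as an opaque attribute.

```python
import re
from typing import Dict, List, Set, Tuple

SESSION_RE = re.compile(r"^Session\s+(\d+)\s*$")


def _as_list(value: str) -> List[str]:
    """'None' -> [], 'Fa0/11,Fa0/12' -> ['Fa0/11', 'Fa0/12']."""
    if not value or value.lower() == "none":
        return []
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_show_monitor(text: str) -> Dict[int, dict]:
    """Parse Catalyst 'show monitor' output into {session_number: details}."""
    sessions: Dict[int, dict] = {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-"}:
            continue  # blank line, or the dashes under "Session N"
        m = SESSION_RE.match(line)
        if m:
            current = {"source_ports": {"rx": [], "tx": [], "both": []},
                       "source_vlans": {"rx": [], "tx": [], "both": []},
                       "destination_ports": [], "other": {}}
            sessions[int(m.group(1))] = current
            section = None
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key in ("source ports", "source vlans"):
            section = key.replace(" ", "_")  # the rx/tx/both lines that follow belong here
        elif key in ("rx only", "tx only", "both") and section:
            current[section][key.split()[0]] = _as_list(value)
        elif key == "destination ports":
            current["destination_ports"] = _as_list(value)
            section = None
        else:
            current["other"][key] = value  # type, RSPAN, encapsulation, filter lines
            section = None
    return sessions


def audit(sessions: Dict[int, dict], approved: Set[str]) -> List[Tuple[int, str]]:
    """Flag copies going to a port not on the approved list (a possible rogue SPAN)
    and VLAN sources using 'both', which double every intra-VLAN frame."""
    findings: List[Tuple[int, str]] = []
    for num, s in sorted(sessions.items()):
        for dest in s["destination_ports"]:
            if dest not in approved:
                findings.append((num, f"destination {dest} is not an approved sniffer/IDS port"))
        if s["source_vlans"]["both"]:
            vlans = ",".join(s["source_vlans"]["both"])
            findings.append((num, f"VLAN source {vlans} uses 'both'; expect duplicate frames"))
    return findings


# Sample input: session 1 is the page's own output; session 3 is constructed for this
# example and shows a VLAN 'both' source sent to a port that is not on the approved list.
SHOW_MONITOR = """\
Session 1
---------
Type : Local Session
Source Ports:
RX Only: None
TX Only: None
Both: Fa0/1
Source VLANs:
RX Only: None
TX Only: None
Both: None
Source RSPAN VLAN: None
Destination Ports: Fa0/10
Encapsulation: Native
Reflector Port: None
Filter VLANs: None
Dest RSPAN VLAN: None
Session 3
---------
Type : Local Session
Source Ports:
RX Only: None
TX Only: None
Both: None
Source VLANs:
RX Only: None
TX Only: None
Both: 33
Source RSPAN VLAN: None
Destination Ports: Fa0/23
Encapsulation: Native
Reflector Port: None
Filter VLANs: None
Dest RSPAN VLAN: None
"""

if __name__ == "__main__":
    for num, msg in audit(parse_show_monitor(SHOW_MONITOR), approved={"Fa0/10", "Fa0/11"}):
        print(f"session {num}: {msg}")
```

Feed it the output of show monitor collected from each switch (for example over SSH) and keep the approved set in version control next to the list of sanctioned sniffer and IDS ports; an unexpected session is worth the same attention as an unexpected local account.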
Mirrors can be disabled in two ways:
My_Switch(config)# no monitor session 1
This command removes only session 1.
My_Switch(config)# no monitor
The no monitor command removes all monitor sessions on the switch (newer IOS releases document this form as no monitor session all).
June 17, 2009 at 9:22 pm
How is the client NIC configured? With no IP?
NWA
June 18, 2009 at 1:53 am
Hello NWA,
It is a switch. Switches use L2 protocols like MAC addresses. Why don't you download Ethereal or Wireshark and try this setup on a pair of 2950s? It works. Port spanning or port mirroring is way cool, man. You can even port sniff VLANs.. try it. It is more fun playing and discovering than for me to give you the answer. It will stick better… These commands do work.. have fun. 2950s on eBay are going for under 100.00 bucks each. You just have to look. The best equipment is using real stuff if you can..
January 17, 2010 at 11:52 am
Found your blog on Yahoo and was so glad I did. That was a warming read. I have a small question. Is it alright if I send you an email???…
March 5, 2010 at 3:31 am
Send me emails, I can help you with anything: robert1 at itdaddy dot net
Sure, sorry so late
March 14, 2010 at 4:02 pm
It’s the coolest web site, keep it up!
March 14, 2010 at 8:58 pm
Thanks man, working on a new one that will be way more professional and I am trying to make it
more fun and professional.. cool man 😉
itdaddy
June 5, 2010 at 11:15 pm
Thanks itdaddy… I am going to try and set up the monitor for the VLAN and not just the ports. I ran into a situation where I needed to monitor 2 ports on both rx and tx, but with the 3550 it only lets you do both on one port. Do you have any other suggestions?
December 14, 2011 at 3:08 am
Prepare for Battle… your boss could get fired someday and you were never prepared!
Trust me, I know this personally.
February 3, 2012 at 8:58 pm
Sniffing with a single NIC works fine, you just have to tell the destination port to accept packets from the sniffing computer. This is handy for remote monitoring where you need to remote into the sniffer and it has only one interface.
monitor session 1 destination interface gi0/1 ingress untagged vlan 40
The “ingress” parameter tells the switch you are going to still use the destination port as a regular switch port, in addition to it being destination for copied frames. “untagged vlan 40” means if the client PC sends untagged frames, which it will, stick them in VLAN 40 in this example.
Certain combinations will lock up the switch so be careful. In particular, sniffing a trunk port using an access port as the destination does not seem to work very well.
August 29, 2012 at 5:05 am
Hey, I have a question. Can we monitor ports configured with IRF,
i.e. H3C/3Com switches?
Can we pass traffic through a stack of 8 switches?
September 14, 2012 at 10:49 pm
everything can be monitored
September 15, 2012 at 5:59 am
Sorry to say, but it's not possible according to me, as I have tried everything possible.
It is only possible if both the mirrored and monitored ports are on the same switch or in totally different IRF domains,
but in a single IRF domain where we have 8 switches it's not possible.
e.g.: my IRF domain contains 8 switches
mirrored port is on switch 1
monitored port is on switch 6
If you have a solution please do reply, because I'm stuck very badly with this, as I have to move both mirrored and monitored machines to the same switch.