Ethereal-users: Re: [Ethereal-users] Using Ethereal with Cisco SPAN

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Mon, 7 Oct 2002 15:09:06 -0700

On Fri, Sep 20, 2002 at 10:02:29AM -0600, Rudd Gates wrote:
> I have been trying to capture SPAN forwarded traffic with Ethereal to no
> avail (I actually see LESS traffic when I am capturing on a SPAN
> destination port than when I am just watching normal broadcasts, etc.,
> in operational mode on a Catalyst 2950).  I am quite certain that I have
> configured the switch appropriately, but I am completely new to Ethereal

There's nothing specific to Ethereal about this.  The same issues would
show up with tcpdump, or Network Associates' Sniffer, or....

> and haven't seen any documentation relating to this subject.

There's no Ethereal documentation on configuring switches for
port-mirroring - it might be useful, just as the existing
non-Ethereal-specific information in the FAQ on switched networks would
- but nobody's written anything about that yet (I couldn't write it, as
I've never configured a switch in my life).

I'd suggest asking the Cisco people about it.  (Perhaps some of the
Cisco people on the list can make a suggestion).  See also pages such as

	http://www.cisco.com/warp/public/473/41.html

(found with a Google search for

	cisco span port

).

Note, though, that if the switch is really busy, there might be more
traffic flowing through the switch than can be sent out the mirrored
port, so you wouldn't see all the traffic on the switch.