Ethereal-users: RE: [Ethereal-users] mirrored/monitored/SPAN'd port not working

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Mike Kelley <MikeK@xxxxxxxxx>
Date: Thu, 25 Sep 2003 10:34:06 -0600
Turns out my problem was related to a bug in the cisco IOS version. We
upgraded the IOS on the switch and I can now see traffic other than
broadcast traffic.

The bug was on IOS 12.0(5.2)XU
And we upgraded to IOS 12.0(5)WC8 
On a 3500XL series switch

Tested the capture this morning and was able to see my traffic from my
desktop on my laptop which were plugged into the different ports

Mike


-----Original Message-----
From: Mike Kelley [mailto:MikeK@xxxxxxxxx] 
Sent: Wednesday, September 17, 2003 11:56 AM
To: 'ethereal-users@xxxxxxxxxxxx'
Subject: RE: [Ethereal-users] mirrored/monitored/SPAN'd port not working

Cisco has me using the following commands to create the SPAN on these ports

switch(config)#int Fa0/8
switch(config-if)#switchport access vlan 11
switch(config-if)#port monitor Fa0/3

Still working on it because I have yet to really capture any TCP packets
from Fa0/8


I'm wondering if I'm getting things started correctly under the Linux side
... To make sure the interface is active on the laptop that is running
ethereal I plug in an active ethernet cable when starting the latop ... Once
the laptop is up and running I unplug the regular cable and plug in the
cable that goes into the SPANed port

Could this be part of the problem?



Mike 


-----Original Message-----
From: Mike Kelley [mailto:MikeK@xxxxxxxxx] 
Sent: Monday, September 15, 2003 4:27 PM
Cc: 'ethereal-users@xxxxxxxxxxxx'
Subject: RE: [Ethereal-users] mirrored/monitored/SPAN'd port not working

I've re-scanned that document our router is a 3500 series so I see the
features are limited on that router. I can not find anything referring to
TRUNKS under the 3500 series ... I tried adding the "PORT MONITOR VLAN 11"
to my monitoring port with no luck

Mike 


-----Original Message-----
From: Aaron Hite [mailto:ahite@xxxxxxxxxxxx] 
Sent: Monday, September 15, 2003 2:39 PM
To: BRAndon@xxxxxxxx; MikeK@xxxxxxxxx
Cc: ethereal-users@xxxxxxxxxxxx
Subject: FW: [Ethereal-users] mirrored/monitored/SPAN'd port not working

The problem is that you are trying to mirror a trunked port.

Try reading
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note
09186a008015c612.shtml

Aaron

-----Original Message-----
From: Brandon Applegate [mailto:brandon@xxxxxxxx] 
Sent: Friday, September 12, 2003 9:07 AM
To: Mike Kelley
Cc: 'ethereal-users@xxxxxxxxxxxx'
Subject: RE: [Ethereal-users] mirrored/monitored/SPAN'd port not working


Hmm, do the interface stats on the switch side for f0/8 reflect f0/3 ?

Also, have you tried tcpdump or any other machines to sniff with ?  I.e.

it looks like you have everything set up correctly.

And not that I'm saying it should/would cause this, but I see eth0 and 
eth1 are in the same subnet, is this intended ? (is there a reason you 
can't use eth0:0 to run the IP that is on eth1) ?

On Thu, 11 Sep 2003, Mike Kelley wrote:

> This is what I get from "dmesg | grep promisc" & "ifconfig -a"  eth0
> is the one currently plugged into a hub with the target but it is also

> the interface I have used plugged into the FE 0/8 that is monitoring 
> FE 0/3
> 
> 
> <SNIP>
> !
> interface FastEthernet0/3
>  switchport trunk encapsulation dot1q
>  switchport trunk native vlan 11
>  switchport mode trunk
>  switchport voice vlan 111
> !
> <SNIP>
> !
> interface FastEthernet0/8
>  port monitor FastEthernet0/3
> !
> <SNIP>
> 
> Las_Cruces3524_1#sh port monitor
> Monitor Port           Port Being Monitored
> ---------------------  ---------------------
> FastEthernet0/8        FastEthernet0/3
> 
> <SNIP>
> 
> 
> 
> [spike@localhost spike]$ dmesg | grep promisc
> eth0: Setting promiscuous mode.
> device eth0 entered promiscuous mode
> device eth0 left promiscuous mode
> eth0: Setting promiscuous mode.
> device eth0 entered promiscuous mode
> device eth0 left promiscuous mode
> eth0: Setting promiscuous mode.
> device eth0 entered promiscuous mode
> device eth0 left promiscuous mode
> eth0: Setting promiscuous mode.
> device eth0 entered promiscuous mode
> device eth0 left promiscuous mode
> eth0: Setting promiscuous mode.
> device eth0 entered promiscuous mode
> device eth0 left promiscuous mode
> eth0: Setting promiscuous mode.
> device eth0 entered promiscuous mode
> eth0: Setting promiscuous mode.
> eth0: Setting promiscuous mode.
> device eth0 left promiscuous mode
> eth0: Setting promiscuous mode.
> device eth0 entered promiscuous mode
> eth0: Setting promiscuous mode.
> eth0: Setting promiscuous mode.
> eth0: Setting promiscuous mode.
> eth0: Setting promiscuous mode.
> device eth0 left promiscuous mode
> eth0: Setting promiscuous mode.
> device eth0 entered promiscuous mode
> device eth0 left promiscuous mode
> device eth1 entered promiscuous mode
> device eth1 left promiscuous mode
> eth0: Setting promiscuous mode.
> device eth0 entered promiscuous mode
> device eth0 left promiscuous mode
> [spike@localhost spike]$ /sbin/ifconfig -a
> cipsec0   Link encap:Ethernet  HWaddr 00:00:00:00:00:00
>           BROADCAST MULTICAST  MTU:1400  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>  
> eth0      Link encap:Ethernet  HWaddr 00:08:74:
>           inet addr:192.168.11.73  Bcast:192.168.11.255 
> Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:576557 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:49 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:43357674 (41.3 Mb)  TX bytes:7734 (7.5 Kb)
>           Interrupt:11 Base address:0xec80
>  
> eth1      Link encap:Ethernet  HWaddr 00:40:05:
>           inet addr:192.168.11.81  Bcast:192.168.11.255 
> Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:333129 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:124925 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:31761378 (30.2 Mb)  TX bytes:12228323 (11.6 Mb)
>           Interrupt:11 Base address:0xb000
>  
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:565755 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:565755 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:38652246 (36.8 Mb)  TX bytes:38652246 (36.8 Mb)
>  
> [spike@localhost spike]$ /sbin/ifconfig eth0 -promisc
> SIOCSIFFLAGS: Permission denied
> [spike@localhost spike]$ su
> Password:
> [root@localhost spike]# /sbin/ifconfig eth0 promisc [root@localhost
> spike]# /sbin/ifconfig eth1 promisc [root@localhost spike]# 
> /sbin/ifconfig -a
> cipsec0   Link encap:Ethernet  HWaddr 00:00:00:00:00:00
>           BROADCAST MULTICAST  MTU:1400  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>  
> eth0      Link encap:Ethernet  HWaddr 00:08:74:
>           inet addr:192.168.11.73  Bcast:192.168.11.255 
> Mask:255.255.255.0
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:577043 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:49 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:43394448 (41.3 Mb)  TX bytes:7734 (7.5 Kb)
>           Interrupt:11 Base address:0xec80
> 
> 

-- 
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
"SH1-0151.  This is the serial number, of our orbital gun."


_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users