Ethereal-users: Re: [Ethereal-users] Switched network best approach

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Ian Batterbee <ian.batterbee@xxxxxxxxx>
Date: Mon, 24 Jan 2005 07:13:05 +1300


Simone Chemelli <Simone.Chemelli@xxxxxxxxx> wrote:

> I need to sniff a whole switched network.

A couple of points in addition to what has already been posted...

1. Be aware that when using RSPAN or SPAN - if the destination port (or in the case of RSPAN, the uplink to the destination switch) can't keep up with the packets being copied to it, any additional packets will be dropped, and Ethereal will never see them. For example, if you SPAN an entire VLAN with 10 100mbps ports onto a single 100mbps port, and there is more than 100mbps of traffic concurrently seen on those 10 ports, you won't see everything on the SPAN port.

2. If this is a once-off or temporary arrangement, and the number of devices is fairly small, then it may be possible to replace the switch with a hub (yeah, you can get 100mbps hubs.. probably not 1000mbps ones though) - that way, the transmitting devices will be forced to retransmit due to a collision if the hub is occupied with another packet, and you'll stand a much better chance of seeing all packets this way.


--

Ian Batterbee, CCNP
Senior Network/Comms Technician
Auckland University of Technology
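
One way to check a capture for the SPAN loss described in point 1, as an added example that is not part of the original post: data that a receiver acknowledged but that never appears in the capture was delivered on the network and lost on the mirror path. The `Seg` record, its field names and the sample segments are constructed for illustration; sequence numbers are assumed not to wrap.

```python
from collections import namedtuple

# One captured TCP segment (hypothetical record, filled from any capture export).
# length = sequence space consumed: payload bytes, plus 1 for SYN or FIN.
Seg = namedtuple("Seg", "src dst seq length ack")

def acked_unseen_bytes(segments):
    """Return {(src, dst): bytes} acknowledged by the peer but absent from the capture.

    Segments must be in capture order. An ACK that covers data the capture
    never saw proves the data reached the receiver, so the sniffer missed it.
    """
    highest_seen = {}  # (src, dst) -> highest seq+length captured in that direction
    missing = {}
    for s in segments:
        fwd, rev = (s.src, s.dst), (s.dst, s.src)
        end = s.seq + s.length
        highest_seen[fwd] = max(highest_seen.get(fwd, end), end)
        # Judge the reverse direction only once a baseline exists for it,
        # so data sent before the capture started is not counted.
        if rev in highest_seen and s.ack > highest_seen[rev]:
            missing[rev] = missing.get(rev, 0) + s.ack - highest_seen[rev]
            highest_seen[rev] = s.ack  # do not count the same hole twice
    return missing

A, B = "10.0.0.1", "10.0.0.2"  # constructed addresses

# Constructed sample: the A->B segment at seq 2001 (1000 bytes) was sent and
# acknowledged, but the oversubscribed SPAN port dropped its copy.
SAMPLE = [
    Seg(A, B, 1, 1000, 1),
    Seg(B, A, 1, 0, 1001),
    Seg(A, B, 1001, 1000, 1),
    Seg(B, A, 1, 0, 3001),   # acknowledges bytes 2001-3000, never captured
    Seg(A, B, 3001, 500, 1),
    Seg(B, A, 1, 0, 3501),
]

if __name__ == "__main__":
    for (src, dst), nbytes in acked_unseen_bytes(SAMPLE).items():
        print(f"{src} -> {dst}: {nbytes} bytes acknowledged but not captured")
```

A non-empty result means the capture is incomplete, so conclusions drawn from the absence of traffic in it are unreliable.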