Ethereal-users: RE: [Ethereal-users] Ping packet sizes
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: "Stewart, Damien" <damien.r.stewart@xxxxxxxxxxxxxxx>
Date: Tue, 1 Nov 2005 10:48:14 +1100
Hi Joe,

Yes, both directions are implied in the command by default with the latest version of IOS. I am monitoring the SPANed port using Ethereal and ping from another workstation to yet another workstation. My Ethereal box is effectively in the middle.

Damien Stewart

> -----Original Message-----
> From: Joe Elliott [mailto:joe@xxxxxxxxx]
> Sent: Monday, 24 October 2005 10:50 AM
> To: Ethereal user support
> Subject: RE: [Ethereal-users] Ping packet sizes
>
> Hello Damien,
> When I see errors like this I first ensure that the SPAN configuration is correct, i.e. you have the keyword 'both' in the IOS command. It's important when you mirror a port to get inbound and outbound streams forwarded.
>
> Of course when you mirror/SPAN VLANs you run into double/triple counting or worse.
>
> Ethereal only tells you what it sees.
>
> Run:
>
> # tcpdump host <serverIP> ip proto \icmp
>
> on the monitoring host and then ping the server you're monitoring from another PC with a count of 1. You should only see the echo request/reply once (2 packets). If you see anything else, you have a SPAN configuration issue.
>
> I use this test at every customer site to ensure my setup and it always finds the problem.
>
> Hope this helps .. Joe.
>
> --
> "Know your Network"
> Joe Elliott joe@xxxxxxxxx AOL:xqos
> - NetContExt - sniffer trace forensics - tcp follow stream analysis -
> - Extract data files and Images from tcpdump & ethereal packet payloads -
> Inetd.Com Network analysis solutions http://www.inetd.com
>
> On Mon, 24 Oct 2005, Stewart, Damien wrote:
>
> > Date: Mon, 24 Oct 2005 10:30:43 +1000
> > From: "Stewart, Damien" <damien.r.stewart@xxxxxxxxxxxxxxx>
> > Reply-To: Ethereal user support <ethereal-users@xxxxxxxxxxxx>
> > To: 'Ethereal user support' <ethereal-users@xxxxxxxxxxxx>
> > Subject: RE: [Ethereal-users] Ping packet sizes
> >
> > Hi there,
> >
> > Yes I am aware that Ethereal can't see all of the packet when it's running on a machine the packet is generated from. However, in this particular case, when I noticed the discrepancy between ping request and ping replies, Ethereal was monitoring a SPAN session on a Cisco router. To my understanding, the router copies data from one specified port to another. In short, this is like plugging an Ethereal box into an unswitched hub, correct?
> >
> > So I still can't account for the missing bytes on the request. Are there any known issues with SPAN sessions altering packets, that is knocking off the odd byte here and there?
> >
> > It's a minor issue, but it would be nice to know exactly in what situations Ethereal will correctly report packet sizes.
> >
> > Regards,
> >
> > Damien.
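The single-ping SPAN check described in the quoted message can be automated; the script below is an added example, not part of the original thread or of Ethereal. It assumes tcpdump's default one-line text output for ICMP echo packets, and the function name, result labels and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumed input: tcpdump's default one-line text output for ICMP echo packets.
ECHO = re.compile(
    r"IP \S+ > [^:\s]+: ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

def check_span(lines):
    """Classify the capture of a single ping (count of 1) seen on a SPAN port."""
    seen = Counter()
    for line in lines:
        m = ECHO.search(line)
        if m:
            seen[(m["kind"], m["id"], m["seq"])] += 1
    if not seen:
        return "no-icmp"        # no echo lines matched at all
    if any(n > 1 for n in seen.values()):
        return "duplicated"     # the same packet was captured more than once
    requests = {key[1:] for key in seen if key[0] == "request"}
    replies = {key[1:] for key in seen if key[0] == "reply"}
    if requests != replies:
        return "one-direction"  # a request or reply has no counterpart
    return "ok"                 # each request seen once, with its reply

# Constructed sample lines (documentation addresses, made-up id/seq values).
GOOD = [
    "10:48:14.100000 IP 192.0.2.10 > 192.0.2.20: "
    "ICMP echo request, id 512, seq 1, length 40",
    "10:48:14.100400 IP 192.0.2.20 > 192.0.2.10: "
    "ICMP echo reply, id 512, seq 1, length 40",
]
DOUBLED = [GOOD[0], GOOD[0], GOOD[1], GOOD[1]]  # e.g. VLAN mirroring
REQUEST_ONLY = GOOD[:1]                         # only one direction mirrored

if __name__ == "__main__":
    for name, capture in (("good", GOOD), ("doubled", DOUBLED),
                          ("request-only", REQUEST_ONLY)):
        print(name, "->", check_span(capture))
```

A "duplicated" result corresponds to the double counting mentioned for mirrored VLANs, and "one-direction" to a mirror that forwards only inbound or only outbound traffic.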