Wireshark-users: Re: [Wireshark-users] Beginner Quick Setup Question

From: "Small, James" <JSmall@xxxxxxxxxxxx>
Date: Fri, 13 Jul 2007 19:10:44 -0400
Depends on the switches - as long as they are RSPAN capable and not
limited by bugs then yes - setup RSPAN on 7 with the last one receiving
and spanning everything to your Wireshark node.  I believe you need a
2950 or better for RSPAN (except don't believe 3500XLs do RSPAN).  Also,
if you have RSPAN crossing multiple 2950s I believe there are some known
issues.  Search Cisco for RSPAN and review the release notes/doco for
your particular switches and IOS/CatOS version.

The following may help:
General Cisco Doco:  www.cisco.com/go/documentation
Good SPAN/RSPAN Overview:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note
09186a008015c612.shtml
Good VACL Capture Overview:
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/rspan_wp.p
df

Just make sure you don't oversubscribe the switch port doing the
spanning or the interface or Wireshark - watch for interface errors on
the computer and the spanning switch.

If you have a 6500 then you might also want to check out VACL based
captures which are more flexible than (R)SPAN (see above link) -
especially since you are limited to a few SPAN sessions but can have
dozens or VACL based captures.  Note though that this only applies to
the 6500 - as far as I know it doesn't work on any other platforms, not
even a 4500.

--Jim

> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-
> bounces@xxxxxxxxxxxxx] On Behalf Of Peter Parady
> Sent: Friday, July 13, 2007 1:38 PM
> To: 'Community support list for Wireshark'
> Subject: [Wireshark-users] Beginner Quick Setup Question
> Importance: High
> 
> I have 8 Cisco Switches and a Cisco Router in the LAN I want to
monitor,
> all nodes on the LAN connect directly to a switch. It looks as if I
need
> to configure SPAN on the Switch my Wireshark machine connects to and
RSPAN
> on all the other switches, or is there a better way to handle this?
> 
> Thanks in Advance.
> 
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users