Wireshark-users: Re: [Wireshark-users] Can Wireshark differentiate between multiple Cisco SPAN so

From: "Dana J. Dawson" <dana.dawson@xxxxxxxxxxxxxxx>
Date: Mon, 9 Sep 2013 14:07:10 -0500
One option might be to get the MAC forwarding table entries for the 4 ports in question and identify the unique MAC addresses out each of the 4 ports.  Multicast/broadcast traffic could still be problematic, but maybe that's not an issue.  If your topology is pretty stable then this list should also be pretty stable.  If there's just a single server/host per port this would probably work pretty well, but if there are lots of them this could get ugly fast, though you might be able to cobble together a script of some sort that would call tshark on your capture file for the different MAC addresses out each port and split the file that way.

HTH

Dana
---
Dana J. Dawson
Principal CPE Engineer, CCIE #1937 (R&S)
CenturyLink, CPE-CTAC
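The approach Dana describes above, as an added example that is not part of the original thread: a small POSIX shell script that takes a port-to-MAC mapping (as you would copy it from the switch's MAC forwarding table), builds one Wireshark display filter per SPAN source port, and runs tshark once per port to split the combined capture. The port names, MAC addresses and file names are constructed sample values, not taken from the thread.

```shell
#!/bin/sh
# Constructed sample of the MAC forwarding table for the four SPAN source ports:
# one "port mac" pair per line. Port names and MACs are placeholders.
MAC_TABLE='Eth101/1/1 00:11:22:33:44:01
Eth101/1/1 00:11:22:33:44:02
Eth101/1/2 00:11:22:33:44:10
Eth101/1/3 00:11:22:33:44:20
Eth101/1/4 00:11:22:33:44:30'

# build_filter PORT
# Prints a display filter that matches any frame whose source or destination
# MAC was learned on PORT (empty string if the port has no entries).
build_filter() {
    port="$1"
    filter=""
    while read -r p mac; do
        [ "$p" = "$port" ] || continue
        [ -n "$filter" ] && filter="$filter || "
        filter="${filter}eth.addr == $mac"
    done <<EOF
$MAC_TABLE
EOF
    printf '%s\n' "$filter"
}

# list_ports
# Prints the distinct port names found in the table, one per line.
list_ports() {
    printf '%s\n' "$MAC_TABLE" | awk '{print $1}' | sort -u
}

# split_capture IN.pcapng OUTDIR
# Writes one capture file per port containing only that port's MACs.
split_capture() {
    in="$1"
    outdir="$2"
    mkdir -p "$outdir"
    for port in $(list_ports); do
        f=$(build_filter "$port")
        [ -n "$f" ] || continue
        # '/' is not allowed in a file name, so Eth101/1/1 becomes Eth101_1_1
        safe=$(printf '%s' "$port" | tr '/' '_')
        tshark -r "$in" -Y "$f" -w "$outdir/$safe.pcapng"
    done
}

# Usage: split_capture span.pcapng split/
```

Two things to expect from the output, both following from the caveats in the post: a frame exchanged between two hosts that sit on two of the monitored ports matches both filters and lands in both files, and broadcast or multicast frames that originated outside the four ports match no unicast MAC and are dropped from all of the per-port files.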

> Hi Marty,
> 
> I don't see a way to do this.
> 
> I suppose if the four ports belonged to four different VLANs, and you 
> found a way to preserve VLAN tags across the SPAN function, then you 
> could split the four streams apart using Wireshark.
> 
> If the SPAN function inserted some sort of tag into each frame as it 
> went past, a tag which identified the source port, then Wireshark would 
> have something to chew on.  But the SPAN function doesn't do this -- it 
> doesn't modify traffic as it performs its 'xeroxing' function.
> 
> So, all those frames will reach the SPAN function without any source 
> identifier ... the Nexus will transmit them out the SPAN port ... they 
> will arrive at Wireshark ... and Wireshark thus will have no way to 
> distinguish which frame came from where.
> 
> With these resources, I don't see a way to solve this problem.
> 
> Best,
> 
> --sk
> 
> Stuart Kendrick
> FHCRC
> 
> On 9/5/2013 10:48 AM, Marty.Gramlick@xxxxxxxxxxxxxxx wrote:
>> I'm running a SPAN on a Cisco Nexus FEX 2248.  The 4 ports I want to look at are on the same VLAN and the same FEX switch.  Due to limitations with the Cisco hardware, they must all be part of the same monitor session.  In other words, I was hoping to SPAN each one individually, but in order to look at all of them they need to be in the same monitor session; therefore they are going to 1 NIC on the Wireshark server.  Is there anything embedded, or any way for Wireshark to resplit the traffic back into 4 separate traffic streams?
>> 
>> Thanks,
>> MARTY GRAMLICK
>> Senior Network Engineer, Specialist
>> The University of Chicago Medicine
>> ___________________________________________________________________________
>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> Archives:    http://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe