How can I capture traffic on Cisco IOS switches?

  • For investigating a problem in client to server communication, I need to capture packets for analysis. However it's not allowed to install a packet analyzer, such as Wireshark or tcpdump, on client or server. They client is connected to a Catalyst 3560 and the server to a Catalyst 3750 switch.

    Can I plugin my laptop to a switchport for capturing traffic with my laptop's packet analyzer, and how?

    @BenjaminA. Great! Thanks for the solution for Brocade and adding the link here!

    Is there a configuration on the session that would allow the capturing pc/server to still optain IP from DHCP?

    Did any answer help you? if so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you could provide and accept your own answer.

    Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you can post and accept your own answer.

  • Stefan

    Stefan Correct answer

    8 years ago

    The client switchport or the server switchport can be monitored. A third switchport can be configured as a mirror port. This means that this mirror port will receive copies of all packets on the corresponding original port, while the original traffic won't be affected.

    For example, on the Catalyst 3560:

    1. Enter configuration mode:

      conf t
    2. Define the source and set the session number:

      monitor session 1 source interface fa 0/24

      Here, the session number can be from 1 to 66, you could also specify a VLAN or an ethernet channel. Also, interface ranges such as fa 0/25 - 26 are possible, and interface list, such as fa 0/24,fa 0/26, if you would like to monitor several clients at the same time. Also by repeating the command you can add ports, or remove using no. Mixing ports and VLANs is not possible in the same session, another restriction is that you cannot use a destination port as a source port.

    3. Define the destination port:

      monitor session 1 destination interface gi 0/1

      You can use a normal port, but not a VLAN. Similarly to above, a destination port cannot be a source port: a port used here can either be a source or a destination port, and only of one session. Again, you can specify multiple ports like above.

    4. You may want to exit configiration mode and save the config.

    5. You may have a look at your defined session - here multiple ports, tried like above:

      #show monitor session 1
      Session 1
      Type                   : Local Session
      Source Ports           :
          Both               : Fa0/24,Fa0/25-26
      Destination Ports      : Fa0/48,Gi0/1
          Encapsulation      : Native
                Ingress      : Disabled

      You can see an encapsulation here - optionally you can set it to replicate for replicating the source interface encapsulation method, such as by adding encapsulation replicate after the source interface. Furthermore, you can specify a direction (tx, rx, both), filter VLANs and more. The Ingress: Disabled line means that the switch will not accept any frames presented to it by your capture device on a destination port. For such finer details and for further restrictions and default settings have a look at the command reference of the IOS version of your switch.

    Once you configured source and destination port, you can capture the traffic using your laptop connected to the destination port, for example with Wireshark.

    The number of source sessions can be limited, for example the 3560 supports a maximum of 2.

    After the capturing, don't forget to remove this session configuration.

    You could leave the monitor session in place and just disable the link on your host monitor's NIC. Packets won't be captured and sent down a link that is down. On a Windows server, I have dual NICs with one called SPAN. When I don't want the switch to do the capture overhead, I just go into network properties and disabled the SPAN NIC. (Usually, the source ports are changed, but the destination port stays the same, so I know I'm going to mirror again to the same destination host in the future.)

    To disable a monitor session use `# no monitor session 1`

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM