This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture port-mirrored (SPAN) traffic on a VM where the interface is bridged with a tap interface on the host

0

First of all, sorry about the slightly clunky title. I tried to make it as informational as possible.

I have the following topology in GNS3:

http://i.imgur.com/OYk7PLR.png

"SW" is a Cisco 3640 router with NM-16ESW 16-port 10/100 EtherSwitch Network Module. Port Fa0/0 of "SW" is an access port in VLAN 5. I have mirrored both Rx and Tx traffic of port Fa0/0 to port Fa0/10:

SW#sh run | i monit
monitor session 1 source interface Fa0/0
monitor session 1 destination interface Fa0/10
SW#sh monitor session 1
Session 1
---------
Source Ports:
    RX Only:       None
    TX Only:       None
    Both:          Fa0/0
Source VLANs:
    RX Only:       None
    TX Only:       None
    Both:          None
Destination Ports: Fa0/10
Filter VLANs:      None

SW#

There is a Debian VM running Wireshark 1.2.11 listening on the eth2 interface, which is bridged with the tap0 interface in the VirtualBox configuration. The VM's eth2 interface is connected to port Fa0/10. Now if I telnet to “router” from “R1”:

R1#ping 10.10.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/16 ms
R1#telnet 10.10.10.2
Trying 10.10.10.2 ... Open

router>exit

[Connection to 10.10.10.2 closed by foreign host]
R1#

...I expect to see ARP, ICMP and IP traffic in the Wireshark output. However, I capture only STP and CDP traffic:

http://i.imgur.com/DqcerQ8.png

Any ideas what might cause this?

asked 18 Feb '13, 15:13

mrtn


One Answer:

0

Within GNS3 you can capture traffic directly on the network connections (if Wireshark is installed on your GNS3 'host'). To figure out if the SPAN port works, capture traffic on Fa0/10 in GNS3. Select the connection, then right click and choose "capture". See here: http://www.youtube.com/watch?v=4JMPia7jW2U

  • If you see the mirrored traffic on Fa0/10, you might have a problem with VirtualBox or the NIO connection to the switch.

  • If you don't see the mirrored traffic on Fa0/10, there might be a problem with the SPAN feature of your switch module (firmware related) or with GNS3 itself !?!

Regards
Kurt

answered 19 Feb '13, 08:28

Kurt Knochner ♦

edited 19 Feb '13, 08:31
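
The check described in the answer above (does a capture taken at Fa0/10 or on the VM's eth2 contain mirrored traffic, or only frames the switch itself originates?) can be scripted. This is an added example, not code from the original thread; it assumes each frame is available as raw Ethernet bytes, and the function names and sample frames are constructed for illustration.

```python
import struct
from collections import Counter

STP_DST = bytes.fromhex("0180c2000000")        # IEEE bridge group address (BPDUs)
CDP_DST = bytes.fromhex("01000ccccccc")        # Cisco multicast used by CDP
CDP_SNAP = bytes.fromhex("aaaa0300000c2000")   # LLC/SNAP, Cisco OUI, PID 0x2000

def classify(frame: bytes) -> str:
    """Label one Ethernet frame: switch control traffic vs. mirrored data traffic."""
    if len(frame) < 14:
        return "other"
    dst, payload = frame[:6], frame[14:]
    type_len = struct.unpack("!H", frame[12:14])[0]
    if type_len <= 1500:                       # 802.3 length field, LLC follows
        if dst == STP_DST and payload[:2] == b"\x42\x42":
            return "stp"
        if dst == CDP_DST and payload[:8] == CDP_SNAP:
            return "cdp"
        return "other"
    if type_len == 0x0806:
        return "arp"
    if type_len == 0x0800 and len(payload) >= 20:
        ihl, proto = (payload[0] & 0x0F) * 4, payload[9]
        if proto == 1:
            return "icmp"
        if proto == 6 and len(payload) >= ihl + 4:
            ports = struct.unpack("!HH", payload[ihl:ihl + 4])
            return "telnet" if 23 in ports else "tcp"
        return "ipv4"
    return "other"

def span_verdict(frames) -> str:
    """'mirrored' if any data frame was captured, 'control-only' if just STP/CDP."""
    counts = Counter(classify(f) for f in frames)
    if any(counts[k] for k in ("arp", "icmp", "telnet", "tcp", "ipv4")):
        return "mirrored"
    return "control-only" if counts["stp"] or counts["cdp"] else "empty"

# Constructed sample frames (not taken from the poster's capture).
def _eth(dst: bytes, type_len: int, payload: bytes) -> bytes:
    return dst + bytes.fromhex("c20011220000") + struct.pack("!H", type_len) + payload

def _ip(proto: int, l4: bytes) -> bytes:
    return bytes([0x45]) + bytes(8) + bytes([proto]) + bytes(10) + l4

STP = _eth(STP_DST, 38, b"\x42\x42\x03" + bytes(35))
CDP = _eth(CDP_DST, 30, CDP_SNAP + bytes(22))
ARP = _eth(b"\xff" * 6, 0x0806, bytes(28))
ICMP = _eth(bytes(6), 0x0800, _ip(1, bytes(8)))
TELNET = _eth(bytes(6), 0x0800, _ip(6, struct.pack("!HH", 11000, 23) + bytes(16)))
```

A "control-only" verdict on the capture taken at Fa0/10 inside GNS3 corresponds to the second bullet of the answer; "mirrored" there but "control-only" on eth2 corresponds to the first.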