This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have a CISCO 6509E switch/router and I would like to capture ALL the traffic that is passing through it. This is a very common switch/router. It is dedicated and acting like a load balancer to three Apache web servers. The traffic is not terribly heavy. I could mirror the three switch ports which feed off the 6509E and set up wireshark on each. Are there monitoring ports on the 6509E which would allow me plug in WireShark and see everything? I should probably be asking this question to CISCO. I guess my general question is, is there a way to set up WireShark to capture all of the Unicast, Multicast and Broadcast traffic for all ports on a switch or a router?

asked 17 Nov '13, 10:33

Zoberist's gravatar image

Zoberist
0778
accept rate: 0%


Sure, the 6500 series can do mirror/monitor/SPAN ports. If you configure all ports that have devices on them to be mirrored to a single output port and hook up a Wireshark PC to that port you could theoretically capture all the traffic. Theoretically, because the output port has a certain maximum bandwidth (1G or 10G maybe), and if the monitored ports send more than that to the output port it will not forward all of it to the Wireshark PC.

You should take a look at the "monitor session" command, like on this page:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml

permanent link

answered 17 Nov '13, 11:07

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Outstanding, thank you very much especially for the URL. I am reading the document now.

(17 Nov '13, 17:20) Zoberist
1

Note that the page in question, and other pages discussing mirror/monitor/SPAN/etc. capabilities on various switches, can be found on the per-vendor pages under the SwitchReference page on the Wireshark Wiki.

(17 Nov '13, 18:21) Guy Harris ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×115
×43
×1

question asked: 17 Nov '13, 10:33

question was seen: 8,934 times

last updated: 17 Nov '13, 18:21

p​o​w​e​r​e​d by O​S​Q​A