This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to capture all traffic on cisco switch

0

I want to capture all traffic in my network, as I have 50 Cisco 2960 switches and I need to optimize my network for the best performance.

asked 06 Aug '16, 12:35


Mohamed Adel
6112
accept rate: 0%


One Answer:

0

That's not the way to do it. If you have so much traffic that you need to optimize the network for performance, the tools needed to capture all of that traffic would be more expensive than the network.

You have

  • traffic counters on the switch ports, so you can see which devices generate the most traffic and in which direction.

  • the knowledge of the current physical topology - where your client stations, storage servers, printers, and gateway routers to internet and eventually other networks are connected, and how your switches are connected to each other.

  • the knowledge about logical data flows - whether the clients mostly download data from the internet, or load data from the file servers, process them and send a similar volume of data back, or mostly generate HD video streams to be recorded on the file servers...

This is the input information you need to optimize the network. Wireshark running at the client stations (or monitoring them using SPAN one by one) can help you confirm your theoretical assumptions about logical data flows.

The rules for LAN are:

  • interconnections between switches should be kept at minimum, so elements sending high volumes of data to each other should be connected to the same switch and there should never be more than two switches on a path between any two devices

  • unavoidable interconnections between switches must have as much capacity as is available - use the "port channel" feature to aggregate several physical links into a logical one. Doing so also provides redundancy against failure of a single port or cable.

To answer your question technically: to safely capture all traffic on a single full-duplex port of any given bit rate, you need two ports of the same bit rate on the capturing machine, each capturing one direction at the monitored port, and a disk with enough speed and capacity to store the data. To monitor a closed group of ports on a single switch (closed in the sense that the member ports of the group only send traffic to each other), it is enough to have as many monitoring ports as there are traffic ports in the group (as it is enough to monitor either the Tx or the Rx direction of each of the ports). So if you wanted to monitor using SPAN on a Cisco switch, you would have to dedicate half of the ports to traffic and the other half to monitoring, which a) a 2960 doesn't permit and b) may not be possible as you don't have enough free ports to make them monitoring ones.

answered 07 Aug '16, 00:48


sindy
6.0k4851
accept rate: 24%

edited 07 Aug '16, 00:50
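The capacity arithmetic in the answer above (two same-speed capture ports per full-duplex port, one per port for a closed group, plus disk throughput and capacity for the capture window) can be turned into a small planner. The following is an added example, not code from the original post or from Wireshark; the port names, the 24-port switch size and the 1 Gbit/s link speeds are constructed assumptions used to illustrate the numbers.

```python
"""Capture-capacity planner for SPAN-based monitoring (added example, not from the original post).

Applies the rules stated in the answer:
  * a full-duplex port at rate R needs two capture ports at rate R (one per direction);
  * a closed group of N ports (they only talk to each other) needs N capture ports,
    because capturing one direction of each port already sees every frame once;
  * the capture host must sustain the summed rate to disk for the whole capture window.
"""
from dataclasses import dataclass
from typing import List, Tuple

BYTES_PER_SECOND_PER_MBPS = 125_000  # 1 Mbit/s = 125 000 bytes/s


@dataclass(frozen=True)
class MonitoredPort:
    name: str              # e.g. "Gi0/1" (constructed name)
    bit_rate_mbps: int     # link speed in each direction
    full_duplex: bool = True


def monitoring_ports_needed(ports: List[MonitoredPort], closed_group: bool = False) -> int:
    """Capture-side ports required to see all traffic on `ports` without loss."""
    if closed_group:
        return len(ports)          # one direction per port is enough
    return sum(2 if p.full_duplex else 1 for p in ports)


def worst_case_capture_rate_mbps(ports: List[MonitoredPort], closed_group: bool = False) -> int:
    """Line-rate worst case that the capture host must absorb."""
    if closed_group:
        return sum(p.bit_rate_mbps for p in ports)
    return sum(p.bit_rate_mbps * (2 if p.full_duplex else 1) for p in ports)


def disk_requirements(rate_mbps: int, duration_s: int) -> Tuple[int, int]:
    """(sustained write rate in bytes/s, total bytes for the capture window)."""
    bytes_per_s = rate_mbps * BYTES_PER_SECOND_PER_MBPS
    return bytes_per_s, bytes_per_s * duration_s


def span_feasible(switch_port_count: int, monitored: List[MonitoredPort],
                  closed_group: bool = False) -> bool:
    """True if the switch has enough spare ports to act as SPAN destinations.

    Every monitored port consumes one switch port; the remainder must cover the
    capture ports computed by monitoring_ports_needed(). The answer's point that a
    closed group forces a half-traffic/half-monitoring split falls out directly.
    """
    free_ports = switch_port_count - len(monitored)
    return monitoring_ports_needed(monitored, closed_group) <= free_ports


def plan(ports: List[MonitoredPort], duration_s: int, closed_group: bool = False) -> dict:
    """Summarise what capturing `ports` for `duration_s` seconds would take."""
    rate = worst_case_capture_rate_mbps(ports, closed_group)
    write_rate, total = disk_requirements(rate, duration_s)
    return {
        "capture_ports": monitoring_ports_needed(ports, closed_group),
        "rate_mbps": rate,
        "disk_write_bytes_per_s": write_rate,
        "disk_total_bytes": total,
    }


if __name__ == "__main__":
    # Constructed scenario: a 24-port access switch with gigabit ports.
    one_port = [MonitoredPort("Gi0/1", 1000)]
    print("single full-duplex port, 1 hour:", plan(one_port, 3600))

    group = [MonitoredPort(f"Gi0/{i}", 1000) for i in range(1, 13)]
    print("closed group of 12 ports, 1 hour:", plan(group, 3600, closed_group=True))
    print("fits on a 24-port switch as closed group:", span_feasible(24, group, closed_group=True))
    print("fits on a 24-port switch, both directions:", span_feasible(24, group))
```

For one gigabit full-duplex port the planner reports two capture ports, a 2 Gbit/s worst case and 250 MB/s of sustained writes, i.e. about 900 GB per hour; for twelve ports it only fits on the 24-port switch under the closed-group assumption, which is exactly the half-and-half split the answer describes.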