I have set up a remote RSPAN session to monitor all traffic to and from a specific workstation. I created an RSPAN VLAN 100 and configured both ports.

On the source switch:

*monitor session 1 source interface Gix/y/z both*
*monitor session 1 destination remote vlan 100*

On the destination switch:

*monitor session 1 destination interface Gia/b/c*
*monitor session 1 source remote vlan 100*

I had expected that all traffic coming from and going to the workstation connected to the source interface would be copied to the destination interface. In reality it looks like all traffic from the VLAN to which the source port belongs is captured, including the traffic between other nodes that is not destined for the workstation on the source port. So it looks more like monitoring a VLAN than monitoring a port.

I'm sure the traffic on the destination is not coming from another source, because when I disable the monitoring on my source interface, I receive no traffic at all on the destination interface.

How do I set up RSPAN to capture only the packets which are sent to/from the workstation connected to the source port? I know I can set up a capture filter in Wireshark, but that is not what I want.

asked 03 Mar '17, 01:49 Jacques Schenk edited 03 Mar '17, 01:51
This seems more like a question for the switch vendor rather than Wireshark.
Can you include the output of:
Yes, no problem, nothing special I can see there.
What did you expect (not) to see?
Jacques
This seems more like a question for the switch vendor rather than Wireshark.
I also posted this question in the Cisco support forum. From the comments posted there I can only conclude that the setup is OK as it is, so I now hope to learn from the experienced people actually capturing and analyzing.
Jacques
It looks like you've set up your RSPAN correctly. The other question is: are you seeing all VLAN traffic, or just broadcast/multicast traffic from other devices on that same VLAN in addition to the client's traffic you're interested in?
I see unicast traffic from other workstations to a server (http-TCP) for example. So it is a bit of a mystery to me why I see it ... Jacques
A couple of notes:
@Jacques Schenk
Your "answers" have been converted to comments as that's how this site works. Please read the FAQ for more information.
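The comments above ask whether the extra frames on the destination port are broadcast/multicast or unicast between other hosts. A saved capture can be tallied by category to answer that. This is an added example, not part of the original thread; it assumes a classic pcap file (not pcapng) with Ethernet framing, and the MAC addresses and sample frames are constructed.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6

def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))

def read_pcap(data):
    """Yield raw Ethernet frames from classic (non-pcapng) pcap bytes."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected link type 1 (Ethernet)")
    offset = 24                                  # skip the global header
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[offset + 8:offset + 12])[0]
        yield data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len

def classify(frame, workstation):
    """Place one frame relative to the monitored workstation's MAC."""
    if len(frame) < 14:
        return "truncated"
    dst, src = frame[0:6], frame[6:12]
    if src == workstation:
        return "from_workstation"
    if dst == workstation:
        return "to_workstation"
    if dst == BROADCAST:
        return "broadcast_other"
    if dst[0] & 0x01:                            # I/G bit set: multicast
        return "multicast_other"
    return "unicast_other"                       # unicast between two other hosts

def summarize(pcap_bytes, workstation):
    return Counter(classify(f, workstation) for f in read_pcap(pcap_bytes))

# Constructed sample capture; all MAC addresses below are made up.
WS, SRV, PC2 = mac("00:11:22:33:44:55"), mac("00:aa:bb:cc:dd:01"), mac("00:aa:bb:cc:dd:02")
def frame(dst, src):
    return dst + src + b"\x08\x00" + bytes(46)
SAMPLE_FRAMES = [frame(SRV, WS), frame(WS, SRV), frame(SRV, PC2),
                 frame(BROADCAST, PC2), frame(mac("01:00:5e:00:00:fb"), PC2)]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in SAMPLE_FRAMES)

if __name__ == "__main__":
    for kind, count in sorted(summarize(SAMPLE_PCAP, WS).items()):
        print(f"{kind:18} {count}")
```

A non-zero `unicast_other` count corresponds to what the original poster reports: unicast frames between other hosts arriving on the destination port.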