This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to capture all workstation traffic on cisco switch with RSPAN


I have set up a remote RSPAN session to monitor all traffic to and from a specific workstation.

I created an RSPAN VLAN 100 and configured both ports:

on the source switch

    monitor session 1 source interface Gix/y/z both
    monitor session 1 destination remote vlan 100

On the destination switch

    monitor session 1 destination interface Gia/b/c
    monitor session 1 source remote vlan 100

I had expected that all traffic coming from and going to the workstation connected to the source interface would be copied to the destination interface.

In reality it looks like all traffic from the VLAN to which the source port belongs is captured, so including the traffic between other nodes not designated for the workstation on the source port.

So it looks more like a monitor VLAN instead of monitoring Port.

I'm sure the traffic on the destination is not coming from another source, because when I disable the monitoring on my source interface, I receive no traffic at all on the destination interface.

How do I set up RSPAN to capture only the packets which are sent to/from the workstation connected to the source port? I know I can set up a capture filter in Wireshark, but that is not what I want.

asked 03 Mar '17, 01:49

Jacques Schenk

edited 03 Mar '17, 01:51

This seems more like a question for the switch vendor rather than Wireshark.

(03 Mar '17, 03:55) grahamb ♦

Can you include the output of:

    show vlan remote-span

(03 Mar '17, 07:13) naskop

> Can you include the output of: show vlan remote-span

Yes, no problem, nothing special I can see there:

    #sho vlan remote-span
    Remote SPAN VLANs
    --------------------------------------------
    100
    #

What did you expect (not) to see ?

Jacques

(07 Mar '17, 00:06) Jacques Schenk

> This seems more like a question for the switch vendor rather than Wireshark.

I also posted this question in the Cisco support forum, from the comments posted there I can only conclude that the setup is ok as it is, so I now hope to learn from the experienced people actually capturing and analyzing.

Jacques

(07 Mar '17, 00:09) Jacques Schenk

It looks like you've set up your RSPAN correctly. The other question is: are you seeing all VLAN traffic, or just broadcast/multicast traffic from other devices on that same VLAN in addition to the client's traffic you're interested in?

(07 Mar '17, 11:13) naskop

I see unicast traffic from other workstations to a server (http-TCP) for example. So it is a bit of a mystery to me why I see it ... Jacques

(07 Mar '17, 11:40) Jacques Schenk

A couple of notes:

  1. Not sure what hardware you have - did you look in the Cisco bug database? Perhaps it is a known issue. rspan works as expected here in my Cisco infrastructure, and I only ever use it as you intend - from a single source interface. However, vlan tags are not carried through so I prefer local span when it is available, especially if I need to analyze trunk ports.
  2. Is your source port a trunk port? I believe by default that monitors all vlans on that trunk.
  3. Could there be another switch in the infrastructure that is actually putting that whole vlan on the rspan? You are managing a single interface on a specific device, but is there any way that a different device that is part of the network could have the whole vlan sent to rspan, perhaps as left over from a previous debug session? Of course if you only have two switches, then this is not likely the scenario. EDIT: you addressed this in your original post so is not likely the issue.
  4. You may see the occasional unicast packet(s) that you should not in a layer 2 network due to switch forwarding table flushing/learning cycles. As you probably know, unicast is handled as broadcast until learning takes place. I assume you see more than a single packet or two in the unicast stream?

(08 Mar '17, 03:09) Bob Jones
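One way to put note 4 to the test, as an added example that is not part of this thread: a pure-Python pass over the pcap taken on the RSPAN destination port that separates frames to/from the workstation from legitimately flooded broadcast/multicast and from unicast between two other hosts, then flags (src, dst) pairs that recur more often than MAC-table aging would explain. The workstation MAC, the other MACs and the sample frames are constructed; the reader/writer handles only classic little-endian pcap with Ethernet link type.

```python
import struct
from collections import Counter

STATION_MAC = "00:11:22:33:44:55"  # hypothetical MAC of the monitored workstation (constructed)

def frame(dst, src, ethertype=0x0800, payload=b"\x00" * 20):
    """Build a raw Ethernet II frame (no 802.1Q tag, as RSPAN delivers it) from string MACs."""
    return bytes.fromhex((dst + src).replace(":", "")) + struct.pack(">H", ethertype) + payload

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def classify(pcap, station_mac):
    """Bucket frames: station traffic, flooded (broadcast/multicast) or foreign unicast."""
    station = station_mac.lower()
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled here (not pcapng)")
    counts, foreign_pairs, off = Counter(), Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        data = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(data) < 14:  # too short for an Ethernet header, skip
            continue
        dst, src = data[0:6].hex(":"), data[6:12].hex(":")
        if station in (dst, src):
            counts["station"] += 1
        elif data[0] & 1:  # I/G bit set: broadcast/multicast, legitimately flooded
            counts["flooded"] += 1
        else:  # unicast between two other hosts: should not appear on a port SPAN
            counts["foreign_unicast"] += 1
            foreign_pairs[(src, dst)] += 1
    return counts, foreign_pairs

def sustained_leaks(pcap, station_mac, threshold=3):
    """Foreign unicast pairs repeated >= threshold times: more than MAC-table aging explains."""
    counts, pairs = classify(pcap, station_mac)
    return counts, {p: n for p, n in pairs.items() if n >= threshold}

# Constructed sample capture standing in for the RSPAN destination port's pcap.
SERVER, OTHER = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:03"
SAMPLE = build_pcap(
    [frame(SERVER, STATION_MAC), frame(STATION_MAC, SERVER),  # station <-> server
     frame("ff:ff:ff:ff:ff:ff", OTHER)]                       # broadcast from another host
    + [frame(SERVER, OTHER)] * 3)                             # repeated unicast other -> server
```

On a real capture, replace SAMPLE with the bytes of a file saved by Wireshark in the classic pcap format; a result with few, non-repeating foreign pairs matches the flushing/learning explanation, while steadily repeating pairs point at VLAN-wide mirroring.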

@Jacques Schenk

Your "answers" have been converted to comments as that's how this site works. Please read the FAQ for more information.

(08 Mar '17, 03:27) grahamb ♦