Hi All, I want to track all traffic going toward the gateway from the rack side. Three VLANs are allowed on the uplink side. Please see the scenario and suggest which is the best place to catch the traffic. Thanks, Mani
asked 24 Jul '17, 22:38 Manisha
Capture both uplinks at the same time!?
Will sitting in any VLAN capture the whole traffic going in and out?
Well, to do this you have to use a tap. Or you have to define your mirror port properly. But it is possible.
I suggest you read all parts of this short series: https://blog.packet-foo.com/2016/10/the-network-capture-playbook-part-1-ethernet-basics/
Thank you Christian, I will go through the blog link and ask you for further help!
Christian, I read your blog and it's really wonderful.
I feel SPAN is a good option for me; Nexus also supports a local tcpdump option.
I have never tried SPAN. Just a quick question: does my Wireshark sit on the SPAN interface?
That's your choice where you connect the capturing machine. On most switches you can make any port an output for mirrored traffic. But on most switches capable of mirroring traffic, if you make a port an output of mirrored traffic, you cannot use it as a regular port any more, i.e. you cannot connect a computer to the network using such a port. So dedicating one network card (or even two if the summary traffic in both directions of the mirrored interface exceeds the bandwidth of the capturing interface) for capturing alone, and using another card for network access, is necessary if you need to control the capturing machine remotely.
Hi Experts,
I tried to configure SPAN on a Nexus 9k. The Nexus has a 10G port and the destination device (my laptop, which has Wireshark) is connected to a 1G port.
I configured this on destination port:
And the destination device has an IP from one VLAN, but I couldn't go out of this trunk port.
Is there any configuration problem?
I even tried with an access port, but nothing worked... please help!
I see you also asked about the configuration at the Cisco Support Community, which is a good idea since we’re not all Cisco experts: https://supportforums.cisco.com/discussion/13343226/span-nexus-not-working
My guess is that you forgot to specify RX/TX/both, telling the SPAN session which traffic you want (I usually use “both” to get everything), but for VLAN spanning RX or TX may be enough to avoid duplicates. I usually do this on the “source” command for the monitor session, but it also seems to be available for the “monitor session” command.
See pages 8 and 9 of http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/system_management/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_System_Management_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_System_Management_Configuration_Guide_7x_chapter_010000.pdf
On a side note - you’re talking about powerful hardware with 10G links and capturing with a 1G laptop. I don’t know how much traffic your setup has going, but if it exceeds 1G in total bandwidth your laptop will not be able to capture everything theoretically. In the real world, laptops will usually start dropping packets at 300MBps in my experience, so you may need to look for better capture hardware if your server installation is really busy.