This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Best Place to capture the packets with WS


Hi All,

I want to track the whole traffic going toward the gateway from the rack side. Three VLANs are allowed on the uplink side.

Please see the scenario and suggest which is the best place to catch the traffic?

Thanks, Mani

asked 24 Jul '17, 22:38


Manisha

Capture both uplinks at the same time!?

(24 Jul '17, 22:57) Christian_R

Will sitting in any VLAN capture the whole traffic going in and out?

(24 Jul '17, 22:59) Manisha

Well, to do this you have to use a tap. Or you have to define your mirror port properly. But it is possible.

(24 Jul '17, 23:23) Christian_R
(24 Jul '17, 23:30) Christian_R

Thank you Christian, I will go through the blog link and ask you for further help!

(25 Jul '17, 02:51) Manisha

Christian, I read your blog and it's really wonderful.

I feel SPAN is a good option for me, and Nexus also supports a local tcpdump option.

I have never tried SPAN. Just a quick question: does my Wireshark sit on the SPAN interface?

(25 Jul '17, 09:04) Manisha

does my wireshark sit on SPAN interface?

That's your choice where you connect the capturing machine. On most switches you can make any port an output for mirrored traffic. But on most switches capable of mirroring traffic, if you make a port an output of mirrored traffic, you cannot use it as a regular port any more, i.e. you cannot connect a computer to the network using such a port. So dedicating one network card (or even two if summary traffic on both directions of the mirrored interface exceeds the bandwidth of the capturing interface) for capturing alone, and using another card for network access, is necessary if you need to control the capturing machine remotely.

(25 Jul '17, 12:05) sindy

Hi Experts,

I tried to configure SPAN on a Nexus 9k. The Nexus has a 10G port and the destination device (my laptop, which has Wireshark) is connecting with a 1G port.

I configured this on destination port:

interface Ethernet1/15
  description Node - 15 - Nic
  switchport
  switchport mode trunk
  switchport monitor
  no shutdown

monitor session 1
  source interface port-channel45 both
  destination interface Ethernet1/15
  no shut

And the destination device has an IP from one VLAN, but I couldn't go out of this trunk port.

Is there any configuration problem?

I even tried with an access port, but nothing worked… please help!

(28 Jul '17, 22:21) Manisha

I see you also asked about the configuration at the Cisco Support Community, which is a good idea since we’re not all Cisco experts: https://supportforums.cisco.com/discussion/13343226/span-nexus-not-working

My guess is that you forgot to specify RX/TX/both, telling the SPAN session which traffic you want (I usually use "both" to get everything), but for VLAN spanning RX or TX may be enough to avoid duplicates. I usually do this on the "source" command for the monitor session, but it also seems to be available for the "monitor session" command.

See pages 8 & 9 of http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/system_management/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_System_Management_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_System_Management_Configuration_Guide_7x_chapter_010000.pdf

On a side note - you're talking about powerful hardware with 10G links and capturing with a 1G laptop. I don't know how much traffic your setup has going, but if it exceeds 1G in total bandwidth your laptop will not be able to capture everything theoretically. In the real world, laptops will usually start dropping packets at 300MBps in my experience, so you may need to look for better capture hardware if your server installation is really busy.

(29 Jul '17, 03:01) Jasper ♦♦
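
The duplicates mentioned in the comment above can be checked for after a capture. The following is an added example, not code from this thread or from Wireshark: it reads a classic pcap and lists frames that are byte-identical to one seen shortly before. The function names, the 1 ms window, the assumption that both mirror copies are byte-identical, and the sample frames are all constructed for illustration.

```python
import hashlib
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def build_pcap(frames):
    """Pack (timestamp_us, frame_bytes) pairs into a little-endian classic pcap."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts_us, frame in frames:
        sec, usec = divmod(ts_us, 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (timestamp_us, frame_bytes) for every record in a classic pcap."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("expected little-endian microsecond pcap")
    offset = 24  # skip the global header
    while offset + 16 <= len(data):
        sec, usec, caplen, _wire_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        yield sec * 1_000_000 + usec, data[offset:offset + caplen]
        offset += caplen

def find_mirror_duplicates(packets, window_us=1000):
    """Return indexes of frames byte-identical to one seen within window_us before."""
    last_seen = {}  # frame digest -> timestamp of most recent copy
    duplicates = []
    for index, (ts_us, frame) in enumerate(packets):
        digest = hashlib.sha256(frame).digest()
        previous = last_seen.get(digest)
        if previous is not None and ts_us - previous <= window_us:
            duplicates.append(index)
        last_seen[digest] = ts_us
    return duplicates

# Constructed sample frames: Ethernet header plus padding, not taken from any real capture.
FRAME_A = bytes.fromhex("ffffffffffff0200000000010806") + bytes(46)
FRAME_B = bytes.fromhex("0200000000020200000000010800") + bytes(46)
SAMPLE = build_pcap([
    (1_000_000, FRAME_A),
    (1_000_040, FRAME_A),  # identical copy 40 us later: the second mirror copy
    (1_000_500, FRAME_B),
    (3_000_000, FRAME_A),  # same bytes 2 s later: a genuine repeat, outside the window
])

if __name__ == "__main__":
    print("duplicate frame indexes:", find_mirror_duplicates(read_pcap(SAMPLE)))
```

A high share of flagged frames in a SPAN capture suggests the session is mirroring the same traffic twice.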