This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I was trying to capture traffci by port spanning on Cisco WS-C3750-48P. Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(44)SE2, RELEASE SOFTWARE (fc2)

I can see UDP, ICMP, ARP, DHCP and microsoft stuff.However, I did not see any TCP packets captured, not even TCP SYN/ACK. Is it CIsco port SPAN problem?/IOS Version/ or Wireshark problem? Any ideas? BTW, I'm using promiscurous mode. The wireshark can see the tcp traffic when sniffing the PC interface it's running on.

appreciate it.

asked 25 Nov '11, 07:50

Buddy's gravatar image

Buddy
1112
accept rate: 0%

edited 25 Nov '11, 07:52


You could verify if all the frames you see are broadcast/multicast frames (from the range of protocols you mentioned I guess they are). If you're sure that the device you want to span is actually using TCP and you do not see it in the SPAN session you probably got the SPAN session wrong. Monitoring the wrong port is by far the most common mistake when setting up SPAN ports in my experience.

On the other hand you might have a VLAN tagging problem. If the TCP packets are VLAN-tagged your PC Interface might drop them if the card doesn't like them, and so you will not see them in Wireshark either. Try a different card if you think the SPAN port is correct and you should receive packets; I usually go for Realtek cards - they do not exactly have a good reputation but they usually capture anything, not knowing friend or foe.

permanent link

answered 27 Nov '11, 05:46

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×752
×205
×69
×8

question asked: 25 Nov '11, 07:50

question was seen: 6,064 times

last updated: 28 Nov '11, 15:21

p​o​w​e​r​e​d by O​S​Q​A