The client switchport or the server switchport can be monitored. A third switchport can be configured as a mirror port. This means that this mirror port will receive copies of all packets on the corresponding original port, while the original traffic won’t be affected.
For example, on the Catalyst 3560:
- Enter configuration mode:
conf t
- Define the source and set the session number:
monitor session 1 source interface fa 0/24
Here, the session number can be from 1 to 66, you could also specify a VLAN or an ethernet channel. Also, interface ranges such as
fa 0/25 - 26
are possible, and interface list, such asfa 0/24,fa 0/26
, if you would like to monitor several clients at the same time. Also by repeating the command you can add ports, or remove usingno
. Mixing ports and VLANs is not possible in the same session, another restriction is that you cannot use a destination port as a source port. - Define the destination port:
monitor session 1 destination interface gi 0/1
You can use a normal port, but not a VLAN. Similarly to above, a destination port cannot be a source port: a port used here can either be a source or a destination port, and only of one session. Again, you can specify multiple ports like above.
- You may want to
exit
configiration mode and save the config. - You may have a look at your defined session – here multiple ports, tried like above:
#show monitor session 1 Session 1 --------- Type : Local Session Source Ports : Both : Fa0/24,Fa0/25-26 Destination Ports : Fa0/48,Gi0/1 Encapsulation : Native Ingress : Disabled
You can see an encapsulation here – optionally you can set it to
replicate
for replicating the source interface encapsulation method, such as by addingencapsulation replicate
after the source interface. Furthermore, you can specify a direction (tx
,rx
,both
), filter VLANs and more. TheIngress: Disabled
line means that the switch will not accept any frames presented to it by your capture device on a destination port. For such finer details and for further restrictions and default settings have a look at the command reference of the IOS version of your switch.
Once you configured source and destination port, you can capture the traffic using your laptop connected to the destination port, for example with Wireshark.
The number of source sessions can be limited, for example the 3560 supports a maximum of 2.
After the capturing, don’t forget to remove this session configuration.
Leave A Comment?
You must be logged in to post a comment.