How can I capture traffic on Cisco IOS switches

The client switchport or the server switchport can be monitored. A third switchport can be configured as a mirror port. This means that this mirror port will receive copies of all packets on the corresponding original port, while the original traffic won’t be affected.

For example, on the Catalyst 3560:

  1. Enter configuration mode:
    conf t
  2. Define the source and set the session number:
    monitor session 1 source interface fa 0/24

    Here, the session number can be from 1 to 66, you could also specify a VLAN or an ethernet channel. Also, interface ranges such as fa 0/25 - 26 are possible, and interface list, such as fa 0/24,fa 0/26, if you would like to monitor several clients at the same time. Also by repeating the command you can add ports, or remove using no. Mixing ports and VLANs is not possible in the same session, another restriction is that you cannot use a destination port as a source port.

  3. Define the destination port:
    monitor session 1 destination interface gi 0/1

    You can use a normal port, but not a VLAN. Similarly to above, a destination port cannot be a source port: a port used here can either be a source or a destination port, and only of one session. Again, you can specify multiple ports like above.

  4. You may want to exit configiration mode and save the config.
  5. You may have a look at your defined session – here multiple ports, tried like above:
    #show monitor session 1
    Session 1
    Type                   : Local Session
    Source Ports           :
        Both               : Fa0/24,Fa0/25-26
    Destination Ports      : Fa0/48,Gi0/1
        Encapsulation      : Native
              Ingress      : Disabled

    You can see an encapsulation here – optionally you can set it to replicate for replicating the source interface encapsulation method, such as by adding encapsulation replicate after the source interface. Furthermore, you can specify a direction (tx, rx, both), filter VLANs and more. The Ingress: Disabled line means that the switch will not accept any frames presented to it by your capture device on a destination port. For such finer details and for further restrictions and default settings have a look at the command reference of the IOS version of your switch.

Once you configured source and destination port, you can capture the traffic using your laptop connected to the destination port, for example with Wireshark.

The number of source sessions can be limited, for example the 3560 supports a maximum of 2.

After the capturing, don’t forget to remove this session configuration.

Was this article helpful?

Related Articles

Leave A Comment?

You must be logged in to post a comment.