[cisco-nas] Re: Port Mirroring on a 3550
Andrei Ivanov
ivanov_andrei at yahoo.com
Sun Feb 6 02:10:47 EST 2005
Sat, 5 Feb 2005, Sam wrote:
> But now I'm not sure how to actually do the monitoring.
> If I plug my PC (running ethereal) into port 8, it does
> nothing.
I have linux server with two NICs. One is configured with
10.1.2.3/255.255.255.0 IP address, and another one is not
in use. Recently I needed to monitor traffic on one of the
router's ports, so I've configured port monitor on Cisco
switch (as Sam described in his email), and then connected
second NIC of the said server to that monitoring port,
and then configured eth1 interface with random IP address,
which *DOES NOT* belong to my network, and then ran tcpdump
to capture interesting traffic.
linux# ifconfig eth1 10.1.4.5 netmask 255.255.255.0 broadcast 10.1.4.255
linux# ifconfig eth1 up
linux# tcpdump -n -w /var/tmp/portmon -i eth1
^C
linux# ifconfig eth1 down
linux# tcpdump -n -r /var/tmp/portmon | less
It does not matter which IP address / netmask you'll choose for eth1.
You need just something which might look like legitimate combination
to be able to bring it into "up" state. Just don't choose address
belonging to your real network.
--
andrei
More information about the cisco-nas
mailing list