[c-nsp] SPAN - 6509 Switch

Paul Stewart pauls at nexicom.net
Thu Mar 17 15:14:16 EST 2005 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for the response Tim...

I've tried it with the physical interfaces instead of VLAN's and am only
getting Vlan1 based traffic....

Here's output:

gw-6509-1#sh monitor session 1
Session 1
- ---------
Type                   : Local Session
Source Ports           :
~    Both               : Gi1/2
Destination Ports      : Gi6/47

gw-6509-1#sh interfaces GigabitEthernet 6/47
GigabitEthernet6/47 is up, line protocol is down (monitoring)
~  Hardware is C6k 1000Mb 802.3, address is 0004.defd.f40a (bia
0004.defd.f40a)
~  Description: Capture Port - Paul
~  MTU 1500 bytes, BW 100000 Kbit, DLY 10 usec,
~     reliability 255/255, txload 219/255, rxload 1/255
~  Encapsulation ARPA, loopback not set
~  Keepalive set (10 sec)
~  Full-duplex, 100Mb/s
~  input flow-control is off, output flow-control is off
~  Clock mode is auto
~  ARP type: ARPA, ARP Timeout 04:00:00
~  Last input never, output never, output hang never
~  Last clearing of "show interface" counters 3w3d
~  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
~  Queueing strategy: fifo
~  Output queue: 0/40 (size/max)
~  5 minute input rate 0 bits/sec, 0 packets/sec
~  5 minute output rate 115929000 bits/sec, 35658 packets/sec
~  L2 Switched: ucast: 2 pkt, 128 bytes - mcast: 0 pkt, 0 bytes
~  L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes mcast
~  L3 out Switched: ucast: 0 pkt, 0 bytes
~     1594 packets input, 192040 bytes, 0 no buffer
~     Received 415 broadcasts (0 IP multicast)
~     0 runts, 0 giants, 0 throttles
~     2 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
~     0 watchdog, 0 multicast, 0 pause input
~     0 input packets with dribble condition detected
~     83970921 packets output, 35914120731 bytes, 0 underruns
~     0 output errors, 0 collisions, 4 interface resets
~     0 babbles, 0 late collision, 0 deferred
~     0 lost carrier, 0 no carrier, 0 PAUSE output
~     0 output buffer failures, 0 output buffers swapped out


Now, I"m actually trying to monitor something a little smaller but was
experimenting.. it looks like the session is working.... must be an
ethereal issue.... would that sound right?

I"m just using my notebook computer with XP and Ethereal loaded to try
and find what kind of traffic we are passing right now... we're having
some weird issues on our system....

On Ethereal, I'm only processing about 5 packets a second... I can
understand that I'm not going to process thousands a second on an XP
notebook but just looking for a feel...

Any input would be appreciated..
Paul


Tim Stevenson wrote:
| Both is the default, if you don't specify, you get both tx & rx.
|
| Was the config you posted from the switch or hand-typed? eg, could the
| source & dest monitor session #s be mismatched/incorrect? Perhaps post a
| show monitor.
|
| Tim
|
| At 10:53 AM 3/17/2005, Paul Stewart declared:
|
| oops... :)  going to try "both" and go from there...
|
| thanks for the feedback...
|
| Paul
|
|
| Voll, Scott wrote:
| | Did you use monitor session 1 source vlan 50 both?  What Sup are you
| | using?
| |
| | -----Original Message-----
| | From: Paul Stewart [mailto:pauls at nexicom.net]
| | Sent: Thursday, March 17, 2005 10:34 AM
| | To: Voll, Scott
| | Cc: cisco-nsp at puck.nether.net
| | Subject: Re: [c-nsp] SPAN - 6509 Switch
| |
| | Basically I want to sniff all the traffic going through that VLAN
| | inbound/outbound.  When I do sniff I only seem to stp and vtp traffic..
| | a little arp but that's it..
| |
| | Vlan50 has over 50 Mb/s of data on it
| |
| | Does that answer your question? :)
| |
| | Paul
| |
| |
| | Voll, Scott wrote:
| | | What do you mean by not getting a Mirror? Are you not receiving TX or
| | RX
| | | or Both?  Or are you looking for inter Vlan traffic?
| | |
| | |
| | |
| | | -----Original Message-----
| | | From: cisco-nsp-bounces at puck.nether.net
| | | [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
| | | Sent: Thursday, March 17, 2005 10:26 AM
| | | To: cisco-nsp at puck.nether.net
| | | Subject: [c-nsp] SPAN - 6509 Switch
| | |
| | | Hi there...
| | |
| | | I'm trying to capture all traffic in particular VLAN's and mirror
| them
| | | to a port on our 6509.  Then use Ethereal to see what's going on
| | inside
| | | of these VLAN's .... we're seeing a TONNE of ARP and ICMP traffic
| | | throughout our system and I need to figure out why...
| | |
| | | Here's what I've got:
| | |
| | | interface GigabitEthernet6/47
| | | ~ description Capture Port - Paul
| | | ~ no ip address
| | | ~ switchport
| | | ~ no cdp enable
| | |
| | | interface Vlan50
| | | ~ description RAS Gear/Routers
| | | ~ ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
| | | ~ ip access-group 100 out
| | | ~ no ip redirects
| | |
| | |
| | | monitor session 1 source vlan 50
| | | monitor session 1 destination interface Gi6/47
| | |
| | |
| | | When I plug into Gig 6/47 I don't get a "mirror" of everything on
| | | Vlan50... why not? :)  I need to sniff inside of VLAN's on a 6509 so
| | any
| | | input is much appreciated...
| | |
| | | Thanks,
| | |
| | | Paul
| | |
|>
|>
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

| Tim Stevenson, tstevens at cisco.com
| Routing & Switching CCIE #5561
| Technical Marketing Engineer, Catalyst 6500
| Cisco Systems, http://www.cisco.com
| IP Phone: 408-526-6759
| ********************************************************
| The contents of this message may be *Cisco Confidential*
| and are intended for the specified recipients only.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFCOeUYqMetgU57IuQRAszAAJwOMqIEnzUDU9IZ98+Ru3xbEvbE2ACfZTuq
ErkffORl/sPMU+2DGv/Q8CM=
=LZ6q
-----END PGP SIGNATURE-----

More information about the cisco-nsp mailing list