Solved

Cisco 3550 / SPAN / Sniffing - IP of sniffer

Posted on 2004-04-28
Last Modified: 2008-02-01
Got a quick question (it's after hours, network admins not around, and I'm impatient and would like to have a traffic analyzer in place in the morning).

Here's the deal: Cisco 3550 switch, port 1 connected to PIX firewall (which all network traffic flows through), and a SPAN session created between port 1 and 48.

My initial thoughts were that if I slapped a W2K3 server in there, connected one of its NICs to port 48, and assigned it an IP address, subnet mask, and blank gateway, that it would sit there quietly and Ethereal would display all the blinky traffic that the NIC sees. I can visually see that ports 1 and 48 have a lot of activity on them and that the NIC's RX light is going nuts, too. However, I can see in the Windows Status window for the interface that it is sending packets (verified with Ethereal, it's trying to send out broadcasts), but receiving 0 packets (verified this with Ethereal too, but wasn't real hard. :)) No firewall, IPsec rules, RRAS or anything applied to that NIC.

The only piece in the puzzle that I'm clueless about is the actual IP address of the PIX interface (so I'm guessing as to which subnet it might be on and assigning the W2K3 NIC an address in that subnet).

I could guess that ingress traffic is disabled on that Cisco span session since the NIC can't even get DHCP, but still, I would think there would be some way for Ethereal to see all traffic on an interface regardless of the IP address configuration of the interface. Am I thinking correctly?

What gives? (and yes, I have kicked it multiple times already with no change.)

Thanks,
Brandon
Question by:BrandonPotter
2 Comments

Accepted Solution

by:
PennGwyn earned 500 total points
ID: 10944456
Ethereal needs another piece (PCAP?) to put the NIC into promiscuous mode and actually capture packets.  Have you done that?

If your SPAN config is correct, packets in/out of port 1 will be copied to port 48.  So either (a) your config isn't correct -- show us, please?, or (b) the PC isn't listening to the packets that come to the port.  (With some sniffers, the sniffing interface doesn't need an IP address, etc, assigned, and in fact works better without -- not sure whether this is true of Ethereal.)


Author Comment

by:BrandonPotter
ID: 10944600
Promiscuous mode was not turned on, so that was indeed the problem! Always those little check boxes that get you into trouble. :)

Thanks!
Brandon
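
The receive filter the accepted answer refers to, as an added example that is not part of the original thread: a simplified Python model of how a NIC decides which frames copied to the SPAN destination port reach the capture, with and without promiscuous mode. All MAC addresses and frames are constructed sample data, and the function names are hypothetical.

```python
import struct

BROADCAST = bytes.fromhex("ffffffffffff")

def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def nic_accepts(frame, own_mac, promiscuous=False, multicast_groups=()):
    """Simplified model of an Ethernet NIC's destination-address filter."""
    if len(frame) < 14:              # shorter than an Ethernet II header: dropped
        return False
    if promiscuous:                  # address filter disabled, every frame passes
        return True
    dst = frame[:6]
    if dst == own_mac or dst == BROADCAST:
        return True
    if dst[0] & 1:                   # group bit set: multicast destination
        return dst in multicast_groups
    return False                     # unicast for another station: dropped

def build_frame(dst, src, ethertype, payload=b""):
    """Assemble destination MAC, source MAC, EtherType and payload."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

# Constructed sample: traffic on port 1 as mirrored to port 48.
SNIFFER = "00:11:22:33:44:55"        # NIC attached to the SPAN destination
PIX = "00:aa:00:00:00:01"            # firewall interface on the source port
HOST = "00:bb:00:00:00:02"           # an inside host
MIRRORED = [
    build_frame(PIX, HOST, 0x0800, b"outbound"),             # host to firewall
    build_frame(HOST, PIX, 0x0800, b"inbound"),              # firewall to host
    build_frame("ff:ff:ff:ff:ff:ff", HOST, 0x0806, b"arp"),  # broadcast
    build_frame("01:00:5e:00:00:05", HOST, 0x0800, b"mc"),   # multicast
    b"\x00" * 10,                                            # truncated frame
]

def captured(frames, promiscuous):
    """Frames that pass the sniffer NIC's filter and reach the capture."""
    return [f for f in frames if nic_accepts(f, mac(SNIFFER), promiscuous)]

if __name__ == "__main__":
    for mode in (False, True):
        print("promiscuous=%s: %d of %d frames captured"
              % (mode, len(captured(MIRRORED, mode)), len(MIRRORED)))
```

In this model the unicast frames between the firewall and the host, which make up most mirrored traffic, are discarded until the filter is switched off.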

Question has a verified solution.
