Cisco 3550 / SPAN / Sniffing - IP of sniffer
Posted on 2004-04-28
Got a quick question (it's after hours, network admins not around, and I'm impatient and would like to have a traffic analyzer in place in the morning).
Here's the deal: Cisco 3550 switch, port 1 connected to PIX firewall (which all network traffic flows through), and a SPAN session created between port 1 and 48.
My initial thoughts were that if I slapped a W2K3 server in there, connected one of its NICs to port 48, and assigned it an IP address, subnet mask, and blank gateway, it would sit there quietly and Ethereal would display all the blinky traffic that the NIC sees. I can visually see that ports 1 and 48 have a lot of activity on them and that the NIC's RX light is going nuts, too. However, I can see in the Windows Status window for the interface that it is sending packets (verified with Ethereal; it's trying to send out broadcasts) but receiving 0 packets (verified this with Ethereal too, but that wasn't real hard. :)) No firewall, IPsec rules, RRAS or anything applied to that NIC.
The only piece in the puzzle that I'm clueless about is the actual IP address of the PIX interface (so I'm guessing as to which subnet it might be on and assigning the W2K3 NIC an address in that subnet).
I could guess that ingress traffic is disabled on that Cisco SPAN session since the NIC can't even get DHCP, but still, I would think there would be some way for Ethereal to see all traffic on an interface regardless of the IP address configuration of the interface. Am I thinking correctly?
What gives? (and yes, I have kicked it multiple times already with no change.)