Sniffing and packet analyzer question

Posted on 2006-11-30
Medium Priority
Last Modified: 2013-12-07
I have a question regarding packet sniffing a particular host on a switched network. I am using Ethereal (b/c it's free) and would like to gather and report on the traffic I collect.

The host machine is running a specific, bandwidth-intensive application. There are multiple hi-res images involved and streaming data. The performance of this host has been suffering since installation, especially when compared to similar workstations installed throughout the organization. But the vendor will not reload the app or rebuild the workstation until I run a sniffer.

The switch that my sniffer laptop and target host are on is a Cisco 3560.

My question is this: How do I get around the switch's ARP table and sniff the incoming/outgoing packets from the target host? As you know, b/c of the switch's ARP table, the traffic that is intended for the target host is going directly to it, and vice versa. Now I have read about ARP-spoofing and ARP-poisoning, but aren't those a little malicious for a simple network admin task? Is there maybe a setting on the Cisco switch that I can change, or do I really need to run a separate app to spoof my switch into sending my sniffer laptop data?

Any help or direction would be greatly appreciated!


Question by:dtocco
Expert Comment

ID: 18049862
I recommend you use the "span" feature of the Cisco switch. You can configure a port to mirror traffic that is going through the switch out one port.

Expert Comment

ID: 18050381
I like ryandale56's suggestion.

If you do not want to do that, you could always put a cheap hub between that computer and the switch and plug yourself into the hub as well to sniff the traffic. Band-aid sniff, but should work!

Expert Comment

ID: 18050783
You can enable NBAR (Network Based Application Recognition) on the switch interface. This would enable you to get an idea of what percentage of bandwidth is being used for what protocol. When the app is running, check the NBAR report and that will show the bandwidth utilization of the protocol the app is using.

The following command will show you the top 5 protocols using up bandwidth:
    show ip nbar proto top-n 5


Accepted Solution

WGhen earned 1000 total points
ID: 18053113
We do this all the time. If it is a Cisco switch, you span a port to the sniffer port. So if the server is connected to switch port 5/7 for instance, and the sniffing device is on port 8/38, you would enter (for CatOS):

    CatSwitch> (enable) set span 5/7 8/38

    Destination     : Port 8/38
    Admin Source    : Port 5/7
    Oper Source     : None
    Direction       : transmit/receive
    Incoming Packets: disabled
    Learning        : enabled
    Multicast       : enabled
    Filter          : -

    Session Number  : 1

    CatSwitch> (enable) sh span

    Permit List     : disabled
    Permit Port List: None

    Destination     : Port 8/38
    Admin Source    : Port 5/7
    Oper Source     : None
    Direction       : transmit/receive
    Incoming Packets: disabled
    Learning        : enabled
    Multicast       : enabled
    Filter          : -

    Session Number  : 1

    Total local span sessions:  1

Or for IOS switches:

    monitor session 1 source interface fa5/7
    monitor session 1 destination interface fa8/38
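
A follow-up check for the SPAN setup in the accepted answer, added here as an example and not part of the original thread: a standard-library Python reader for a capture saved in classic libpcap format that totals bytes sent and received by the monitored host and confirms both directions were mirrored. The host and server addresses and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

def _ip(b):
    return ".".join(str(x) for x in b)

def summarize(pcap, target_ip):
    """Bytes seen per (direction, peer) for target_ip in a classic pcap (Ethernet/IPv4)."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file")
    e = "<" if magic == 0xA1B2C3D4 else ">"      # byte order the file was written in
    if struct.unpack(e + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    totals, off = Counter(), 24                   # records follow the 24-byte global header
    while off + 16 <= len(pcap):
        _sec, _usec, incl, orig = struct.unpack(e + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                              # not IPv4, or truncated (802.1Q tags not handled)
        src, dst = _ip(frame[26:30]), _ip(frame[30:34])
        if src == target_ip:
            totals[("tx", dst)] += orig           # orig = frame length on the wire
        elif dst == target_ip:
            totals[("rx", src)] += orig
    return totals

def mirrors_both_directions(totals):
    """True when the capture holds frames both sent and received by the target."""
    return {"tx", "rx"} <= {d for d, _peer in totals}

# --- constructed sample capture (not real traffic) ---
def make_frame(src, dst, payload_len):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * payload_len

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

HOST, SERVER = "192.0.2.10", "198.51.100.5"       # assumed addresses (documentation ranges)
SAMPLE = build_pcap([make_frame(HOST, SERVER, 1000), make_frame(SERVER, HOST, 400)])

if __name__ == "__main__":
    t = summarize(SAMPLE, HOST)
    for (direction, peer), nbytes in sorted(t.items()):
        print(direction, peer, nbytes)
    print("both directions mirrored:", mirrors_both_directions(t))
```

If only one direction shows up for the monitored host, compare the result with the "Direction" line of the span session output before trusting any bandwidth figures.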


Author Comment

ID: 18056476
Thanks for all the responses. That was exactly what I was looking for and was very helpful and educational.
