Sniffing and packet analyzer question

Posted on 2006-11-30
Last Modified: 2013-12-07
I have a question regarding packet sniffing a particular host on a switched network. I am using Ethereal (b/c it's free) and would like to gather and report on the traffic I collect.

The host machine is running a specific, bandwidth-intensive application. There are multiple hi-res images involved and streaming data. The performance of this host has been suffering since installation, especially when compared to similar workstations installed throughout the organization. But the vendor will not reload the app or rebuild the workstation until I run a sniffer.

The switch that my sniffer laptop and target host are on is a Cisco 3560.

My question is this: How do I get around the switch's ARP table and sniff the incoming/outgoing packets from the target host? As you know, b/c of the switch's ARP table, the traffic that is intended for the target host is going directly to it, and vice versa. Now I have read about ARP spoofing and ARP poisoning, but aren't those a little malicious for a simple network admin task? Is there maybe a setting on the Cisco switch that I can change, or do I really need to run a separate app to spoof my switch into sending my sniffer laptop data?

Any help or direction would be greatly appreciated!


Question by: dtocco

Expert Comment

ID: 18049862
I recommend you use the "span" feature of the Cisco switch. You can configure a port to mirror traffic that is going through the switch out one port.

Expert Comment

ID: 18050381
I like ryandale56's suggestion.

If you do not want to do that, you could always put a cheap hub between that computer and the switch and plug yourself into the hub as well to sniff the traffic. Band-aid sniff, but should work!

Expert Comment

ID: 18050783
You can enable NBAR (Network Based Application Recognition) on the switch interface. This would enable you to get an idea of what percentage of bandwidth is being used for what protocol. When the app is running, check the NBAR report and that will show the bandwidth utilization of the protocol the app is using.

The following command will show you the top 5 protocols using up bandwidth:
    show ip nbar proto top-n 5


Accepted Solution

WGhen earned 250 total points
ID: 18053113
We do this all the time. If it is a Cisco switch, you span a port to the sniffer port. So if the server is connected to switch port 5/7, for instance, and the sniffing device is on port 8/38, you would enter (for CatOS):

    CatSwitch> (enable) set span 5/7 8/38

    Destination     : Port 8/38
    Admin Source    : Port 5/7
    Oper Source     : None
    Direction       : transmit/receive
    Incoming Packets: disabled
    Learning        : enabled
    Multicast       : enabled
    Filter          : -

    Session Number  : 1

    CatSwitch> (enable) sh span

    Permit List     : disabled
    Permit Port List: None

    Destination     : Port 8/38
    Admin Source    : Port 5/7
    Oper Source     : None
    Direction       : transmit/receive
    Incoming Packets: disabled
    Learning        : enabled
    Multicast       : enabled
    Filter          : -

    Session Number  : 1

    Total local span sessions:  1

Or for IOS switches:

    monitor session 1 source interface fa5/7
    monitor session 1 destination interface fa8/38
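
An added example, not part of the original answer: a Python script that parses the CatOS span output quoted above and flags sessions worth reviewing, since a mirror session left configured after troubleshooting keeps copying a host's traffic to another port. The `APPROVED` allow-list and the reading of `Oper Source: None` as "nothing is being mirrored right now" are assumptions.

```python
# Added example: audit CatOS span output for risky or stale sessions.
# SPAN_OUT is the "set span" output quoted in the answer above.
SPAN_OUT = """\
Destination     : Port 8/38
Admin Source    : Port 5/7
Oper Source     : None
Direction       : transmit/receive
Incoming Packets: disabled
Learning        : enabled
Multicast       : enabled
Filter          : -

Session Number  : 1
"""
APPROVED = {"8/38"}  # hypothetical allow-list of sniffer ports

def parse_sessions(text):
    """Return one dict per session (block from 'Destination' to 'Session Number')."""
    sessions, current = [], None
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if key == "Destination" and sep:
            current = {}
        if current is not None and sep:
            current[key] = value
            if key == "Session Number":
                sessions.append(current)
                current = None
    return sessions

def audit(sessions, approved):
    """Return (session number, finding) pairs for sessions needing review."""
    findings = []
    for s in sessions:
        num = s.get("Session Number", "?")
        dest = s.get("Destination", "").replace("Port", "").strip()
        if dest not in approved:
            findings.append((num, f"destination {dest} is not an approved sniffer port"))
        if s.get("Incoming Packets", "").lower() != "disabled":
            findings.append((num, "destination port accepts incoming packets"))
        # Assumption: 'Oper Source: None' means nothing is being mirrored right now.
        if s.get("Oper Source", "").lower() == "none":
            findings.append((num, "no operational source; capture would be empty"))
    return findings

if __name__ == "__main__":
    for num, finding in audit(parse_sessions(SPAN_OUT), APPROVED):
        print(f"session {num}: {finding}")
```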


Author Comment

ID: 18056476
Thanks for all the responses. That was exactly what I was looking for and was very helpful and educational.
