Solved

Port Mirroring with filtering

Posted on 2014-02-26
381 Views
Last Modified: 2014-06-02
I have a monitor session configured on a Catalyst 3560 to capture traffic from 4 interfaces and dump it to one designated interface.

The designated interface is now overwhelmed with traffic... I need to modify the existing configuration to only capture specific traffic, i.e. UDP and TCP ports 25 and 53.

Here is the existing config:

monitor session 12 source interface Gi0/1 - 3 , Gi0/6
monitor session 12 destination interface Gi0/4
Question by:EKITA
8 Comments
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 39889081
According to:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_53_se/configuration/guide/3750xscg/swspan.html#wp1204187

Packets of all types, including BPDU and Layer 2 protocol packets, are monitored.
This doesn't surprise me as this is a fairly common set of capabilities.

The only filters I know of and could find in the document are:
You can select Receive or Transmit or Both.
And, obviously, you can select fewer ports to mirror at one time.
(I never mirror more than one port at a time but one imagines that it might be useful from time to time).

If you want to look at traffic going to a central node (like a gateway) then you might mirror just that one port.

If you monitor but a single port then there would seem to be no chance for "overwhelming".  And, I would be rather surprised if a few ports would be a problem.  Do you know why this is happening?  Looking at them one at a time should tell you.

Then the typical thing is to use Wireshark on the computer connected to the mirror port and filter the capture.  But, it doesn't sound like that's the immediate problem with overwhelming.  But, it will help with that sort of thing in a somewhat broader context.
0
 

Author Comment

by:EKITA
ID: 39889636
Ok. I looked at the same link you posted but I don't see how to configure port mirroring to capture on certain traffic types which is what I am trying to accomplish here.
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 39889918
Does the 3560 support an Etherchannel as the destination for monitoring? That would provide more bandwidth.

Tamas
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 39890185
What I was trying to convey is that port mirroring doesn't have filters other than:
Tx, Rx, Both.  That's how I interpret their statement: "Packets of all types, including BPDU and Layer 2 protocol packets, are monitored"  
I don't take this to mean you can grab any of these that you like by selection.  I take it to mean that all of these *will* be monitored.

In view of this, I said what I said.... about Wireshark, etc.
0
 

Accepted Solution

by:
EKITA earned 0 total points
ID: 39903859
I take it that it cannot be done.

I want to filter by certain traffic type not by Tx, Rx or VLANs.
0
 

Author Closing Comment

by:EKITA
ID: 39915650
Required solution not possible
0
 

Expert Comment

by:mohannitin
ID: 40105628
The only way out of this is to capture the packets using Wireshark and filter them on TCP ports.
Let me know if you can set up Wireshark filters.
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 40107143
The chain of events is like this:

ALL packets, either TX, RX or Both, are mirrored to the switch port you designate - they are "filtered" only according to the source ports you select.  If you select one source port on the switch then that is all you will get at the mirror port.

Then, using Wireshark at your workstation connected to the mirror port, you can filter in 3 ways:

- You can filter the capture so the capture file only includes what you tell it to do.  This is more useful for long captures.
- You can filter the display of the capture file to only include what you tell it to do.  This is just fine for reasonable-length captures and gives the flexibility of looking at different things because everything is captured.
- You can filter the capture and then filter the display thereafter.  This is useful if the capture filter isn't TOO specific and you want to focus in.
0
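The thread's conclusion is that the SPAN session delivers every frame from the selected source ports, and the protocol/port selection the question asks for (UDP and TCP on ports 25 and 53) has to happen on the workstation behind the mirror port. The following Python is an added illustration, not code from the original thread or from Cisco or Wireshark; it shows the two filter strings a practitioner would type into Wireshark or tcpdump for that requirement, and then implements the same match by hand over a handful of constructed frames (SMTP, DNS, HTTPS, ICMP, ARP and an STP BPDU) so you can see which mirrored traffic survives the filter and which is discarded. The frame builder, the sample frames and the function names are assumptions made for this example.

```python
import struct

# Capture filter in BPF syntax (tcpdump, Wireshark "Capture Filter") for the
# requirement in the question: TCP or UDP on port 25 or 53, either direction.
CAPTURE_FILTER = "(tcp or udp) and (port 25 or port 53)"

# Equivalent Wireshark display filter, applied after an unfiltered capture.
DISPLAY_FILTER = "tcp.port == 25 || tcp.port == 53 || udp.port == 25 || udp.port == 53"

WANTED_PORTS = {25, 53}
IPPROTO_TCP, IPPROTO_UDP = 6, 17
ETHERTYPE_IPV4 = b"\x08\x00"


def build_frame(proto, src_port, dst_port, payload=b""):
    """Build a minimal Ethernet/IPv4/{TCP,UDP} frame (constructed test data)."""
    if proto == IPPROTO_TCP:
        # 20-byte TCP header: ports, seq, ack, data offset 5, flags PSH|ACK, window
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    elif proto == IPPROTO_UDP:
        l4 = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    else:
        l4 = b""  # e.g. ICMP: no L4 ports at all
    l4 += payload
    # 20-byte IPv4 header, no options, checksum left at zero (never validated here)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + ETHERTYPE_IPV4
    return eth + ip + l4


# Non-IP frames that a SPAN session still delivers to the destination port.
ARP_FRAME = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"\x00" * 28
# 802.3 frame to the STP multicast address with an LLC header (DSAP/SSAP 0x42).
BPDU_FRAME = (b"\x01\x80\xc2\x00\x00\x00" + b"\x00\x11\x22\x33\x44\x55"
              + b"\x00\x26" + b"\x42\x42\x03" + b"\x00" * 35)

SAMPLE_FRAMES = [
    build_frame(IPPROTO_TCP, 40000, 25),   # SMTP client -> server: keep
    build_frame(IPPROTO_UDP, 53, 40001),   # DNS reply: keep
    build_frame(IPPROTO_TCP, 40002, 443),  # HTTPS: drop
    build_frame(1, 0, 0),                  # ICMP: drop
    ARP_FRAME,                             # ARP: drop
    BPDU_FRAME,                            # STP BPDU: mirrored, but dropped here
]


def matches(frame):
    """Return True if the frame is IPv4 TCP/UDP with port 25 or 53 on either side."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return False  # ARP, BPDUs and other non-IPv4 traffic never match
    ihl = (frame[14] & 0x0F) * 4         # IPv4 header length in bytes
    proto = frame[23]                    # IPv4 protocol field
    if proto not in (IPPROTO_TCP, IPPROTO_UDP):
        return False
    l4 = frame[14 + ihl:]
    if len(l4) < 4:
        return False                     # truncated frame, no port fields
    src_port, dst_port = struct.unpack("!HH", l4[:4])
    return src_port in WANTED_PORTS or dst_port in WANTED_PORTS


def filter_frames(frames):
    """Apply the port filter to a list of mirrored frames."""
    return [f for f in frames if matches(f)]


def summarize(frames):
    """Return (frames_received_on_mirror_port, frames_kept_after_filter)."""
    return len(frames), len(filter_frames(frames))


if __name__ == "__main__":
    received, kept = summarize(SAMPLE_FRAMES)
    print(f"capture filter : {CAPTURE_FILTER}")
    print(f"display filter : {DISPLAY_FILTER}")
    print(f"mirrored frames: {received}, kept after filtering: {kept}")
```

Two points follow from running this. First, a capture filter only reduces what is written to disk; the mirror port still carries the full volume, so if the destination interface itself is saturated the remedy is fewer source ports (or the Etherchannel destination suggested earlier in the thread), not a filter. Second, the BPDU and ARP frames in the sample show why a pure port filter is lossy for troubleshooting: if the problem turns out to be Layer 2, a display filter over an unfiltered capture keeps that evidence, which is the trade-off Fred Marshall describes between capture and display filtering.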
