?
Solved

Port Mirroring with filtering

Posted on 2014-02-26
8
Medium Priority
?
375 Views
Last Modified: 2014-06-02
I have a monitor session configured on a Catalyst 3560 to capture traffic from 4 interfaces and dump it to one designated interface.

The designated interface is now overwhelmed with traffic...I need to modify the existing configuration to only capture specific traffic i.e. UDP and tcp ports 25 and 53

Here is the existing config:

monitor session 12 source interface Gi0/1 - 3 , Gi0/6
monitor session 12 destination interface Gi0/4
0
Comment
Question by:EKITA
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 39889081
According to:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_53_se/configuration/guide/3750xscg/swspan.html#wp1204187

Packets of all types, including BPDU and Layer 2 protocol packets, are monitored.
This doesn't surprise me as this is a fairly common set of capabilities.

The only filters I know of and could find in the document are:
You can select Receive or Transmit or Both.
And, obviously, you can select fewer ports to mirror at one time.
(I never mirror more than one port at a time but one imagines that it might be useful from time to time).

If you want to look at traffic going to a central node (like a gateway) then you might mirror just that one port.

If you monitor but a single port then there would seem to be no chance for "overwhelming".  And, I would be rather surprised if a few ports would be a problem.  Do you know why this is happening?  Looking at them one at a time should tell you.

Then the typical thing is to use Wireshark on the computer connected to the mirror port and filter the capture.  But, it doesn't sound like that's the immediate problem with overwhelming.  But, it will help with that sort of thing in a somewhat broader context.
0
 

Author Comment

by:EKITA
ID: 39889636
Ok. I looked at the same link you posted but I don't see how to configure port mirroring to capture on certain traffic types which is what I am trying to accomplish here.
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 39889918
Does the 3560 support an Etherchannel as the destination for monitoring? That would provide more bandwidth.

Tamas
0
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

 
LVL 26

Expert Comment

by:Fred Marshall
ID: 39890185
What I was trying to convey is that port mirroring doesn't have filters other than:
Tx, Rx, Both.  That's how I interpret their statement: "Packets of all types, including BPDU and Layer 2 protocol packets, are monitored"  
I don't take this to mean you can grab any of these that you like by selection.  I take it to mean that all of these *will* be monitored.

In view of this, I said what I said.... about Wireshark, etc.
0
 

Accepted Solution

by:
EKITA earned 0 total points
ID: 39903859
I take it that it cannot be done.

I want to filter by certain traffic type not by Tx, Rx or VLANs.
0
 

Author Closing Comment

by:EKITA
ID: 39915650
Required solution not possible
0
 

Expert Comment

by:mohannitin
ID: 40105628
the only way out to this is to capture the packets using wireshark and filter them on tcp ports
let me know if you can setup wireshark filters
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 40107143
The chain of events is like this:

ALL packets, either TX, RX or Both are mirrored to the switch port you designate - they are "filtered" according to the source ports you select.  If you select one source port on the switch then that is all you will get at the mirror port.

Then, using Wireshark at your workstation connected to the mirror port, you can filter in 3 ways:

- You can filter the capture so the capture file only includes what you tell it to do.  This is more useful for long captures.
- You can filter the display of the capture file to only include what you tell it to do.  This is just fine for reasonable-length captures and gives the flexibility of looking at different things because everything is captured.
- You can filter the capture and then filter the display thereafter.  This is useful if the capture filter isn't TOO specific and you want to focus in.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This program is used to assist in finding and resolving common problems with wireless connections.
This month, Experts Exchange’s free Course of the Month is focused on CompTIA IT Fundamentals.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question