Solved

Port Mirroring with filtering

Posted on 2014-02-26
Last Modified: 2014-06-02
I have a monitor session configured on a Catalyst 3560 to capture traffic from 4 interfaces and dump it to one designated interface.

The designated interface is now overwhelmed with traffic... I need to modify the existing configuration to only capture specific traffic, i.e. UDP and TCP ports 25 and 53.

Here is the existing config:

monitor session 12 source interface Gi0/1 - 3 , Gi0/6
monitor session 12 destination interface Gi0/4
0
Question by:EKITA
8 Comments
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 39889081
According to:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_53_se/configuration/guide/3750xscg/swspan.html#wp1204187

Packets of all types, including BPDU and Layer 2 protocol packets, are monitored.
This doesn't surprise me as this is a fairly common set of capabilities.

The only filters I know of and could find in the document are:
You can select Receive or Transmit or Both.
And, obviously, you can select fewer ports to mirror at one time.
(I never mirror more than one port at a time but one imagines that it might be useful from time to time).

If you want to look at traffic going to a central node (like a gateway) then you might mirror just that one port.

If you monitor but a single port then there would seem to be no chance for "overwhelming".  And, I would be rather surprised if a few ports would be a problem.  Do you know why this is happening?  Looking at them one at a time should tell you.

Then the typical thing is to use Wireshark on the computer connected to the mirror port and filter the capture.  But, it doesn't sound like that's the immediate problem with overwhelming.  But, it will help with that sort of thing in a somewhat broader context.
0
 

Author Comment

by:EKITA
ID: 39889636
Ok. I looked at the same link you posted but I don't see how to configure port mirroring to capture on certain traffic types which is what I am trying to accomplish here.
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 39889918
Does the 3560 support an Etherchannel as the destination for monitoring? That would provide more bandwidth.

Tamas
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 39890185
What I was trying to convey is that port mirroring doesn't have filters other than:
Tx, Rx, Both.  That's how I interpret their statement: "Packets of all types, including BPDU and Layer 2 protocol packets, are monitored"  
I don't take this to mean you can grab any of these that you like by selection.  I take it to mean that all of these *will* be monitored.

In view of this, I said what I said.... about Wireshark, etc.
0
 

Accepted Solution

by:
EKITA earned 0 total points
ID: 39903859
I take it that it cannot be done.

I want to filter by certain traffic type not by Tx, Rx or VLANs.
0
 

Author Closing Comment

by:EKITA
ID: 39915650
Required solution not possible
0
 

Expert Comment

by:mohannitin
ID: 40105628
The only way out of this is to capture the packets using Wireshark and filter them on TCP ports.
Let me know if you can set up Wireshark filters.
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 40107143
The chain of events is like this:

ALL packets, either TX, RX or Both are mirrored to the switch port you designate - they are "filtered" according to the source ports you select.  If you select one source port on the switch then that is all you will get at the mirror port.

Then, using Wireshark at your workstation connected to the mirror port, you can filter in 3 ways:

- You can filter the capture so the capture file only includes what you tell it to do.  This is more useful for long captures.
- You can filter the display of the capture file to only include what you tell it to do.  This is just fine for reasonable-length captures and gives the flexibility of looking at different things because everything is captured.
- You can filter the capture and then filter the display thereafter.  This is useful if the capture filter isn't TOO specific and you want to focus in.
0
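
Added example, not part of the original thread or any poster's code: the per-frame decision a capture-side filter for the question's traffic (TCP or UDP, port 25 or 53) has to make on a mirror port that receives frames of every type. In pcap-filter syntax the intent is roughly `(tcp or udp) and (port 25 or port 53)`; the function names and sample frames below are constructed for illustration, and only IPv4 is handled.

```python
import struct

WANTED_PORTS = {25, 53}   # SMTP and DNS, the ports named in the question
TCP, UDP = 6, 17          # IPv4 protocol numbers

def keep_frame(frame: bytes) -> bool:
    """Return True for an IPv4 TCP/UDP frame to or from a wanted port."""
    if len(frame) < 14:
        return False
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset = 14
    if ethertype == 0x8100:          # 802.1Q tag, if the mirror delivers tagged frames
        if len(frame) < 18:
            return False
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        offset = 18
    if ethertype != 0x0800 or len(frame) < offset + 20:
        return False                 # not IPv4 (ARP, BPDU, IPv6, ...) or truncated
    ihl = (frame[offset] & 0x0F) * 4
    frag = struct.unpack_from("!H", frame, offset + 6)[0] & 0x1FFF
    proto = frame[offset + 9]
    if proto not in (TCP, UDP) or frag != 0 or ihl < 20:
        return False                 # non-first fragments carry no port numbers
    l4 = offset + ihl
    if len(frame) < l4 + 4:
        return False
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return sport in WANTED_PORTS or dport in WANTED_PORTS

def make_frame(proto, sport, dport, vlan=None, frag=0):
    """Build a constructed test frame (addresses and checksums are dummies)."""
    eth = b"\x00" * 12
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan)
    eth += struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, frag, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + struct.pack("!HHHH", sport, dport, 8, 0)

def filter_capture(frames):
    """Apply the capture-side filter to a list of frames."""
    return [f for f in frames if keep_frame(f)]

SAMPLE = [  # constructed frames, not real traffic
    make_frame(UDP, 40000, 53),             # DNS query: keep
    make_frame(TCP, 25, 51000, vlan=10),    # tagged SMTP reply: keep
    make_frame(TCP, 50000, 443),            # HTTPS: drop
    make_frame(UDP, 40000, 53, frag=185),   # non-first fragment: drop
]
```

Filtering at capture time keeps the capture file small, but anything dropped here is gone; the display-filter approach described above keeps everything and narrows the view afterwards.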
