Solved

Port Mirroring with filtering

Posted on 2014-02-26
8
364 Views
Last Modified: 2014-06-02
I have a monitor session configured on a Catalyst 3560 to capture traffic from 4 interfaces and dump it to one designated interface.

The designated interface is now overwhelmed with traffic...I need to modify the existing configuration to only capture specific traffic i.e. UDP and tcp ports 25 and 53

Here is the existing config:

monitor session 12 source interface Gi0/1 - 3 , Gi0/6
monitor session 12 destination interface Gi0/4
0
Comment
Question by:EKITA
8 Comments
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 39889081
According to:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_53_se/configuration/guide/3750xscg/swspan.html#wp1204187

Packets of all types, including BPDU and Layer 2 protocol packets, are monitored.
This doesn't surprise me as this is a fairly common set of capabilities.

The only filters I know of and could find in the document are:
You can select Receive or Transmit or Both.
And, obviously, you can select fewer ports to mirror at one time.
(I never mirror more than one port at a time but one imagines that it might be useful from time to time).

If you want to look at traffic going to a central node (like a gateway) then you might mirror just that one port.

If you monitor but a single port then there would seem to be no chance for "overwhelming".  And, I would be rather surprised if a few ports would be a problem.  Do you know why this is happening?  Looking at them one at a time should tell you.

Then the typical thing is to use Wireshark on the computer connected to the mirror port and filter the capture.  But, it doesn't sound like that's the immediate problem with overwhelming.  But, it will help with that sort of thing in a somewhat broader context.
0
 

Author Comment

by:EKITA
ID: 39889636
Ok. I looked at the same link you posted but I don't see how to configure port mirroring to capture on certain traffic types which is what I am trying to accomplish here.
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 39889918
Does the 3560 support an Etherchannel as the destination for monitoring? That would provide more bandwidth.

Tamas
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 39890185
What I was trying to convey is that port mirroring doesn't have filters other than:
Tx, Rx, Both.  That's how I interpret their statement: "Packets of all types, including BPDU and Layer 2 protocol packets, are monitored"  
I don't take this to mean you can grab any of these that you like by selection.  I take it to mean that all of these *will* be monitored.

In view of this, I said what I said.... about Wireshark, etc.
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 

Accepted Solution

by:
EKITA earned 0 total points
ID: 39903859
I take it that it cannot be done.

I want to filter by certain traffic type not by Tx, Rx or VLANs.
0
 

Author Closing Comment

by:EKITA
ID: 39915650
Required solution not possible
0
 

Expert Comment

by:mohannitin
ID: 40105628
the only way out to this is to capture the packets using wireshark and filter them on tcp ports
let me know if you can setup wireshark filters
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 40107143
The chain of events is like this:

ALL packets, either TX, RX or Both are mirrored to the switch port you designate - they are "filtered" according to the source ports you select.  If you select one source port on the switch then that is all you will get at the mirror port.

Then, using Wireshark at your workstation connected to the mirror port, you can filter in 3 ways:

- You can filter the capture so the capture file only includes what you tell it to do.  This is more useful for long captures.
- You can filter the display of the capture file to only include what you tell it to do.  This is just fine for reasonable-length captures and gives the flexibility of looking at different things because everything is captured.
- You can filter the capture and then filter the display thereafter.  This is useful if the capture filter isn't TOO specific and you want to focus in.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Join & Write a Comment

Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now