  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 387

Port Mirroring with filtering

I have a monitor session configured on a Catalyst 3560 to capture traffic from 4 interfaces and dump it to one designated interface.

The designated interface is now overwhelmed with traffic... I need to modify the existing configuration to only capture specific traffic, i.e. UDP and TCP ports 25 and 53.

Here is the existing config:

monitor session 12 source interface Gi0/1 - 3 , Gi0/6
monitor session 12 destination interface Gi0/4
0
Asked by: EKITA
1 Solution
 
Fred Marshall (Principal) Commented:
According to:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_53_se/configuration/guide/3750xscg/swspan.html#wp1204187

Packets of all types, including BPDU and Layer 2 protocol packets, are monitored.
This doesn't surprise me as this is a fairly common set of capabilities.

The only filters I know of and could find in the document are:
You can select Receive or Transmit or Both.
And, obviously, you can select fewer ports to mirror at one time.
(I never mirror more than one port at a time but one imagines that it might be useful from time to time).

If you want to look at traffic going to a central node (like a gateway) then you might mirror just that one port.

If you monitor but a single port then there would seem to be no chance for "overwhelming".  And, I would be rather surprised if a few ports would be a problem.  Do you know why this is happening?  Looking at them one at a time should tell you.

Then the typical thing is to use Wireshark on the computer connected to the mirror port and filter the capture.  But, it doesn't sound like that's the immediate problem with overwhelming.  But, it will help with that sort of thing in a somewhat broader context.
0
 
EKITA (Author) Commented:
Ok. I looked at the same link you posted but I don't see how to configure port mirroring to capture on certain traffic types which is what I am trying to accomplish here.
0
 
TimotiSt (Datacenter Technician) Commented:
Does the 3560 support an Etherchannel as the destination for monitoring? That would provide more bandwidth.

Tamas
0
Fred Marshall (Principal) Commented:
What I was trying to convey is that port mirroring doesn't have filters other than:
Tx, Rx, Both.  That's how I interpret their statement: "Packets of all types, including BPDU and Layer 2 protocol packets, are monitored"  
I don't take this to mean you can grab any of these that you like by selection.  I take it to mean that all of these *will* be monitored.

In view of this, I said what I said.... about Wireshark, etc.
0
 
EKITA (Author) Commented:
I take it that it cannot be done.

I want to filter by certain traffic type not by Tx, Rx or VLANs.
0
 
EKITA (Author) Commented:
Required solution not possible
0
 
mohannitin Commented:
The only way out of this is to capture the packets using Wireshark and filter them on TCP ports.
Let me know if you can set up Wireshark filters.
0
 
Fred Marshall (Principal) Commented:
The chain of events is like this:

ALL packets, either TX, RX or Both are mirrored to the switch port you designate - they are "filtered" according to the source ports you select.  If you select one source port on the switch then that is all you will get at the mirror port.

Then, using Wireshark at your workstation connected to the mirror port, you can filter in 3 ways:

- You can filter the capture so the capture file only includes what you tell it to do.  This is more useful for long captures.
- You can filter the display of the capture file to only include what you tell it to do.  This is just fine for reasonable-length captures and gives the flexibility of looking at different things because everything is captured.
- You can filter the capture and then filter the display thereafter.  This is useful if the capture filter isn't TOO specific and you want to focus in.
0
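
An added example, not part of the thread or any poster's own code: the capture-filter stage described above, written out as a Python function that makes the same keep/drop decision for untagged IPv4 frames as the pcap capture filter `(tcp or udp) and (port 25 or port 53)` would on the workstation at the mirror port. The frames, MAC addresses and IP addresses are constructed for the example; VLAN-tagged and IPv6 frames are deliberately treated as "drop" here, which is an assumption of this sketch.

```python
import struct

WANTED_PORTS = {25, 53}      # SMTP and DNS, the ports named in the question
TCP, UDP, ICMP = 6, 17, 1    # IPv4 protocol numbers

def keep(frame: bytes) -> bool:
    """Keep/drop decision for one untagged Ethernet frame carrying IPv4."""
    if len(frame) < 14 + 20:
        return False
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != 0x0800:              # BPDU, ARP, tagged, IPv6: dropped here
        return False
    ip = 14
    ihl = (frame[ip] & 0x0F) * 4         # IPv4 header length in bytes
    proto = frame[ip + 9]
    frag_off = struct.unpack_from("!H", frame, ip + 6)[0] & 0x1FFF
    if proto not in (TCP, UDP) or frag_off != 0:
        return False                     # later fragments carry no port fields
    l4 = ip + ihl
    if ihl < 20 or len(frame) < l4 + 4:
        return False
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return sport in WANTED_PORTS or dport in WANTED_PORTS

def make_frame(proto, sport, dport, ethertype=0x0800, frag_off=0):
    """Build a constructed test frame (checksums left at zero)."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    eth += struct.pack("!H", ethertype)
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, frag_off, 64, proto, 0,
                        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + iphdr + struct.pack("!HHHH", sport, dport, 8, 0)

# Constructed sample of what a SPAN destination port might deliver.
SAMPLE = {
    "dns-udp":   make_frame(UDP, 40000, 53),
    "smtp-tcp":  make_frame(TCP, 40001, 25),
    "https-tcp": make_frame(TCP, 40002, 443),
    "icmp":      make_frame(ICMP, 0, 0),
    "bpdu-like": make_frame(UDP, 1, 53, ethertype=0x0026),
    "dns-frag":  make_frame(UDP, 40000, 53, frag_off=185),
}

def filter_capture(frames: dict) -> list:
    """Return the names of the frames the filter would write to the capture."""
    return [name for name, frame in frames.items() if keep(frame)]

if __name__ == "__main__":
    print(filter_capture(SAMPLE))
```
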
