Applying span port for sniffer

Hi,
We want to sniff some traffic that is passing between two nodes in our network.
The flow will look like this:
Edge switch > Core switch > (Wireless controller A) > metro ethernet link > Core switch > (wireless controller B)
Wireless controller is connected to the core switch. We want to sniff traffic that passes from controller A towards the other side of the network.
Controller A side belongs to us, hence we can only put sniffing on our end.
Please help us understand how to set up a SPAN port for a laptop in this setup.
If we connect a notebook to the core switch to sniff traffic passing through, will that be right?
Appreciate all inputs.

That's correct; the only thing I might note is to decide whether you want to collect both rx and tx data. By leaving it default, as you did above, it will capture "both" directions. Capturing both is fine, but it will increase your Wireshark capture size. I would also recommend applying a Wireshark filter to only see the specific traffic you are interested in. A simple Google search will give you more info on Wireshark filters. Lastly, remember to remove the monitor session once you are done. We see leftover SPAN sessions often causing various switch problems, so they are only recommended for use as needed.
HTH
Luke
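
A local SPAN session showing the points in the reply above (capture direction, verification and teardown), as an added example that is not part of the original thread. The session number and both interface names are assumptions, chosen to match the topology in the question.

```cisco
! Added example; session number and interface names are assumed values.
! Gi1/0/1  = core-switch port facing Wireless controller A (SPAN source)
! Gi1/0/48 = core-switch port the sniffer laptop is plugged into (SPAN destination)

! --- Global configuration mode ---
! With no direction keyword the session mirrors both rx and tx of the source port:
monitor session 1 source interface GigabitEthernet1/0/1
! To mirror only frames received on the source port (smaller capture), use instead:
!   monitor session 1 source interface GigabitEthernet1/0/1 rx
! or only frames transmitted out of it:
!   monitor session 1 source interface GigabitEthernet1/0/1 tx
monitor session 1 destination interface GigabitEthernet1/0/48

! --- Privileged EXEC mode ---
! Confirm source, direction and destination before starting the capture:
!   show monitor session 1

! --- Global configuration mode, once the capture is finished ---
! Remove the whole session so no leftover SPAN stays on the switch:
no monitor session 1
```

After the removal, `show monitor session 1` should no longer list a source or destination for the session.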

Similar Messages

  • CS11800 - Can I have a SPAN port for my IDS box?

    I have a network design that calls for a few CS11800s and its smaller brother. The security team has asked if this content switch has a SPAN port available that we can hang our IDS box off.
    Thanks
    B

    I am not extremely familiar with the CS11xxx series and its configuration options, but I can tell you that from experience with Cisco Catalyst switches and non-Cisco IDS devices a SPAN port is not always the best solution. In some instances I have had to disable packet learning in the SPAN session, and in other cases I have had to forego using SPAN at all and settled for an uplink to a hub that connected the IDS device and my router(s). This is especially true if the IDS device needs to be a member of the same VLAN as the traffic it is monitoring in order to send RST packets back onto the segment.
    I have researched this issue on my own and even opened TAC cases for a solution, but have received solutions ranging from "There's no reason this shouldn't work" to "You can not set up a SPAN session for IDS purposes." My recommendation would be (even though it does decrease performance a bit) to implement the hub solution, regardless of the CS11800 capabilities. This will prove to remove any potential X factors in the SPAN functionality and make your life a lot easier.
    Just my 2 cents. :)

  • Spanned port for IDS

    We're about to get an IDS system which will require a spanned port on the inside of our network. Inside our network we have a few 6500s, so I'd span a port on one of our core switches... My question is, there is definitely more than 1 Gb of traffic going through the core at any time... How would I get all this traffic to the IDS system? Would I just create an EtherChannel and use it as a destination, and plug all the ports into the IDS?

    Thanks for that link. According to that link you have to have separate IDSs attached to the EtherChannel (one per port):
    "The IPS appliances must be in on-a-stick mode, meaning that the IPS appliance can only use one sensing port on that Catalyst switch. That port is trunked so that the IPS appliance has an inbound and outbound path to and from the switch."
    Am I reading that wrong? Can I have one IPS with three or four ports attached to the same switch in an EtherChannel?
    It's starting to sound like I'm going to have to limit what ports I source... which means the IDS could potentially miss a threat or report it later than it could...

  • Span Port (For Whole Vlan)

    Hi All,
    I have a similar setup to the attached. I want to make sure that I mirror all traffic going through vlan 1. The Server is my device that I will be mirroring all traffic to. How do I ensure that traffic from all switches on VLAN 1 is mirrored to the port the server is plugged into? 
    On the Core switch I currently have the following -
    monitor session 1 source vlan 1
    monitor session 1 destination interface Gi4/0/22  (This is where my server is plugged into)
    But I don't think I'm actually monitoring traffic from the other switches. Is there something else I need to add / configure on my access switching to ensure I'm spanning all VLAN 1 traffic from all switches to my server?
    Thanks

    Are you monitoring on an egress switch, like the switch that is the default gateway for all of your users? If so, you should be capturing everything. If not, you'll possibly need to move your capture. This type of capture is local to a switch. The only other way that I know of is to create an RSPAN session on every switch that you want to capture from. You create a special remote SPAN VLAN. On the edge switch, monitor VLAN 1 as the source, and the destination is that special VLAN. Do that for every switch. On your capture switch, monitor the source of the special VLAN and then your destination would be your port. You would capture all traffic at that point.
    HTH,
    John
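
    The RSPAN procedure described in the reply above, written out as Catalyst IOS configuration. This is an added example, not part of the original thread; VLAN 999 and the VLAN name are assumed values, while VLAN 1 and Gi4/0/22 come from the question.

    ```cisco
    ! Added example; VLAN 999 and its name are assumed values.

    ! --- On every switch in the path (edge, intermediate and capture switch) ---
    ! Create the special remote SPAN VLAN. It carries only mirrored traffic.
    vlan 999
     name RSPAN-VLAN1
     remote-span
    ! VLAN 999 must also be allowed on the trunks between these switches,
    ! otherwise the mirrored frames never reach the capture switch.

    ! --- On each edge switch whose VLAN 1 traffic should be mirrored ---
    ! Source is VLAN 1, destination is the remote SPAN VLAN.
    monitor session 1 source vlan 1
    monitor session 1 destination remote vlan 999

    ! --- On the capture switch (the one with the server on Gi4/0/22) ---
    ! A destination port can belong to only one SPAN session, so the local
    ! session from the question is removed before Gi4/0/22 is reused.
    no monitor session 1
    monitor session 1 source remote vlan 999
    monitor session 1 destination interface GigabitEthernet4/0/22

    ! --- Privileged EXEC mode, on each switch ---
    ! Check that the session shows the expected source and destination:
    !   show monitor session 1
    ```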

  • Span port destination vlan

    Hi All, I need to span a port for a sniffer. Src port where the server is located: gi 1/11 (vlan 100). Dest port where the sniffer PC is located: gi 1/25. My question is, does the port gi1/25 need to be on a specific VLAN? Can it be on the same VLAN as the source port, i.e. vlan 100? Or should it be on any non-source VLAN? Thanks in advance.

    Hi Thomas,
    On which model of switch are you enabling this SPAN?
    Anyway, you can have the destination port on any VLAN depending on what interface you are monitoring. The only problem is that when you are monitoring a VLAN rather than a physical interface you need to be aware that "A destination port that belongs to a source VLAN of any SPAN session is excluded from the source list and is not monitored"
    Hope that helps.
    Regards
    Najaf

  • Error while creating logical port for Reporting

    Hi,
    In one of the training materials for Duet Enterprise, I saw the steps for creating a logical port for the consumer proxy /IWTNG/CO_PXY_RECORDS_REPOSITO.
    When I am trying to create the logical port, I am getting an error saying,
    " SRT Framework exception: Error in WSDL access: Exception occurred in communication framework:Error in HTTP Framework:500 Native SSL error
    https://<server:port>/_vti_bin/OBAFileReceiver.asmx?wsdl "
    I would like to know whether it is really necessary to create this logical port for the "Reporting Scenario", and is it not created automatically using the Installation Wizard?
    And in case it has to be created, how do I resolve this SRT framework exception?
    ~ Ramanath.

    Hi,
    the consumer proxy /IWTNG/CO_PXY_RECORDS_REPOSITO was used in Duet Enterprise SP01. Now with SP02 the consumer proxy /IWTNG/CO_OBAFILE_RECEIVER_SOA is created.
    However, the SSL error that you are getting looks a little strange (it does not mean that there is an error, but it is worth checking):
    So can you go to SOAMANAGER -> Service Administration -> Single Service Configuration. In here select "Consumer Proxy" from the "Search by", Search Pattern "/IWTNG/CO_OBAFILE_RECEIVER_SOA" and Field: Both.
    You should find one entry. Select it and click "Apply Selection".
    Now go to the Configurations tab. Here you should see one Logical Port with name "LOGICALPORTFORREPORTING" with Creation Type "Manually Created". In fact this logical port was created by the Wizard.
    Click on Display and scroll down again. Now in the "Additional Information" tab there is a string after HTTP Destination, e.g. 0050568E3F5A1ED096F22339C44BAF83.
    Copy this value and go to your SAP GUI -> Transaction SM59.
    Here click on Find/Search and search for this HTTP Destination. You should find one Type G RFC Destination that has the target host of your SharePoint server and the path prefix /_vti_bin/OBAFileReceiver.asmx.
    Now you can test the service. Just click on Connection Test. The result should be a HTTP Response: 200.
    If not, then something went wrong with the automatic configuration and we should take another look at it (for example maybe the SSL certificate from SharePoint that was imported by the Wizard is not valid)
    Regards,
    Holger.
    PS. Don't use the "Ping Web Service" test from SOAMANAGER -- unfortunately this is not working consistently.

  • An error occurred while applying SQL script for the feature BackendStore.

    Hello,
    I am using my AD in Windows Azure VMs. I created new VM of A3 (4 cores, 7 GB Memory) Windows Server 2012 R2, Port 1433 MSSQL added, made it a member of Domain and planned to install first Lync Server 2013 on it.
    In "Setup or Remove Lync Server Components" of "Install or Update Lync Server System", I got a red coloured text: "An error occurred while applying SQL script for the feature BackendStore."
    I have not enabled monitoring and archiving server in topology builder. I added "Network Service" and assign "Full Control" in Security Permissions of "C:\CsData" and "C:\LyncShare".
    I executed the SQL Setup Wizard and upgraded any instance to 2012.
    Please guide.
    Thanks, Divyaprakash Koli

    Please check you have enough disk space for the disk where the folders are.
    Check view log for detailed log information.
    The following link is a similar thread for you to refer:
    http://social.technet.microsoft.com/Forums/lync/en-US/a3cb9ab0-7451-4df5-af96-3d2784d1b075/an-error-occurred-while-applying-sql-script-for-the-feature-backendstore-for-details-see-the-log?forum=lyncdeploy
    Lisa Zheng
    TechNet Community Support

  • One Thunderbolt port for two HDMI devices?

    Hello
    I was wondering, is there some sort of adapter that I can put in the thunderbolt port for my mac mini and connect two hdmi devices (monitors)?
                                  HDMI 1
    Mac Mini - 1 TB <
                                  HDMI 2

    Use the HDMI port for one monitor and a Mini DisplayPort to HDMI adapter on the other. That adapter plugs into the Thunderbolt port.
    You want to set them up as extended displays.
    The following also applies to Yosemite:
    http://support.apple.com/kb/HT5891
    OS X: Using multiple displays in Mavericks

  • Do I need to open ports for NTP?

    I just noticed that my hwclock was off by nearly 30 seconds. It's almost certainly due to the recent initscripts update.
    As I was looking into resetting the clock, I found out that openntpd is deprecated so I've switched to ntp, configured the daemon, reset the time with ntpd -q, and started the daemon. The time is not accurate again.
    I remember back when I first installed Arch I tried to set up ntp but it didn't seem to work, so I tried openntpd and stuck with that. I reached the conclusion that ntp required open ports, which I felt was unnecessary given that openntpd could do the same thing without open ports.
    Now that I'm looking at it again, I can't find any definitive answer...
    Do I need to open ports for ntp if I only want to sync the system that it's running on?

    ISC ntpd (the ntp package) will open UDP 123 on all your interfaces regardless of what you do with it. It will work anyway even if you block this port in iptables, assuming that you're allowing responses to established traffic as usual - your outbound mobilization requests to your chosen servers will be enough to allow the responses, and the same with further traffic sent for the lifetime of ntpd. Using iptables like this is probably the easiest way to secure ntpd.
    There's also some defense in depth you can do:
    - run ntpd as non-root
    - run it chrooted to some safe directory (really only makes sense when doing non-root as well, since root can break out of a chroot)
    - apply ntpd's built-in access controls (see examples in ntpd.conf, and full docs in ntp_acc(5))
    I accomplish the first two of these by chowning /var/lib/ntp (and any contents) to ntp:ntp (so ntpd can write ntp.drift there when non-root), by using a driftfile path relative to the chroot in ntp.conf, and by setting NTPD_ARGS="-g -i /var/lib/ntp -u ntp:ntp" in /etc/conf.d/ntp-client.conf.
    For the third, I chose to not allow any remote traffic to initiate anything with my ntpd, with this /etc/ntp.conf:
    server ac-ntp0.net.cmu.edu iburst
    server ac-ntp1.net.cmu.edu iburst
    server ac-ntp2.net.cmu.edu iburst
    server ac-ntp3.net.cmu.edu iburst
    server ac-ntp4.net.cmu.edu iburst
    restrict default nomodify nopeer noquery
    restrict 127.0.0.1
    driftfile /ntp.drift
    Note the two "restrict" lines. The first shuts out remote access of most kinds, and the second allows the local machine all the access that would also be denied to it as well otherwise by the first rule. Note also the driftfile path, relative to the chroot of /var/lib/ntp/.
    With all these security features, ISC ntpd can be just as safe as openntpd.
    The use of the "iburst" keyword on the server lines to recover more quickly from out-of-contact conditions is also quite nice, and not rude to the remotes like "burst" would be.
    One of the nicest other features of ISC ntpd is that it's smart enough to notice when network state changes occur, like bringing a VPN up/down, changing routes, or switching from wired to wireless and back. openntpd tended to just lose connections in these cases.

  • Is SPAN port not allowed in Nexus FEX Port ?

    Hi
    Customer wants me to define a SPAN port on N2K; it is a FEX port. When I configure it, I get the following statement from the switch.
    Is there any way to solve the problem?
    n5k-N2K(config-monitor)# destination ?
      interface  Configure interfaces
    n5k-N2K(config-monitor)# destination interface eth102/1/18
    ERROR: Eth102/1/18: Configuration not allowed on fex interface
    N5K VERSION
    Cisco Nexus Operating System (NX-OS) Software
    TAC support: http://www.cisco.com/tac
    Copyright (c) 2002-2009, Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html.
    Software
      BIOS:      version 1.2.0
      loader:    version N/A
      kickstart: version 4.0(1a)N2(1)
      system:    version 4.0(1a)N2(1)
      BIOS compile time:       06/19/08
      kickstart image file is: bootflash:/n5000-uk9-kickstart.4.0.1a.N2.1.bin
      kickstart compile time:  2/25/2009 0:00:00 [02/25/2009 08:29:12]
      system image file is:    bootflash:/n5000-uk9.4.0.1a.N2.1.bin
      system compile time:     2/25/2009 0:00:00 [02/25/2009 08:56:57]

      Hi,
    A FEX port cannot be configured as a SPAN destination. Only a switch port can be configured and used as a SPAN destination.
    See link below for more info:
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/release/notes/Rel_5_1_3_N2_1/Nexus5000_Release_Notes_5_1_3_N2.html
    HTH

  • Need to set up monitoring on multiple ports for IDS

    I have a Cisco 3845. I need to set up monitoring on multiple ports for IDS on 2 ports. How do I do this?
    Also,
    Is there a way to make ports on the switch portion act like hubs.
    Thanks

    I assume that you are referring to the Ethernet Switch Module in the 3845. If so it should support SPAN. Here is a SPAN configurations guide:
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122z/122zj15/fz1636nm.htm#1820129

  • Set-VMNetworkAdapterVlan throws Failed while applying switch port settings 'Ethernet Switch Port VLAN Settings' error

    Hi,
    I'm following this guide. I'm getting an error when running the below command:
    Set-VMNetworkAdapterVlan -vmname PurpleVM1 -Isolated -PrimaryVlanId 2 -SecondaryVlanId 4
    Generates the following error:
    Set-VMNetworkAdapterVlan : The operation failed.
    Failed while applying switch port settings 'Ethernet Switch Port VLAN Settings' on switch 'New Virtual Switch': One or
    more arguments are invalid (0x80070057).
    A parameter that is not valid was passed to the operation.
    Does anyone know why this is happening?
    ta

    Hi TomG101,
    It seems that there is a configuration conflict on the virtual switch port.
    Also, I tested the command in my lab, and it works.
    For troubleshooting, please create a new virtual switch and then try to configure again.
    For any further information, please feel free to let us know.
    Best Regards
    Elton Ji

  • Configuring port for J2EE

    Hi all,
    Could anyone help me in configuring the J2EE port for PI 7.0, as I am not able to connect to sxmb_ifr, and when I run the transaction scsmi I find no port number for the HTTP port.
    Thanx in Advance

    Hi,
    Please check if you have maintained the SLD Connection Parameters , if not please do as follows:
    Maintaining SLD Connection Parameters
    1. Log on to the SAP System and call transaction SLDAPICUST.
    The screen Maintain SLD Access Data is displayed.
    2. Choose Display <-> Change, and then proceed as follows:
    a. Choose Insert Row.
    b. Enter the connection parameters to the SLD:
    - Host Name: host name of the SLD host
    - Port: HTTP port of the J2EE engine (The following naming convention applies: 5<J2EE_instance_number>00. 50000, for example, if your J2EE instance is 00).
    - User
    - Password.
    c. Set your entry as Primary. Only the Primary marked entry is active.
    d. Save.
    *Pls: Reward points if helpful*
    Regards,
    Jyoti

  • SPAN Configuration for IDSM

    Dears,
    We have IDSM / FWSM running in our 6500 Switch, the FWSM is in transparent mode and for IDSM we configured one SPAN Port.
    Right now we have one requirement for SPAN configuration. Currently the 6500 with the current SUP has a limitation of only 2 SPAN sessions,
    and we are using both: one is for the FWSM and the second one for the IDSM.
    Can anyone help and suggest another option?
    Thanks.

    When running a FWSM in a 6500, you don't need to use a SPAN session to send traffic to the FWSM.  To send traffic through the FWSM, use the "firewall" set of commands in the 6500 switch configuration.
    I recommend reading the section "Assigning VLANs to the Firewall Services Module" from the FWSM 4.1 Configuration Guide:
    http://www.cisco.com/en/US/customer/docs/security/fwsm/fwsm41/configuration/guide/switch_f.html#wp1175820
    There's also an example of these commands in the "FWSM Basic Configuration Example" here:
    http://www.cisco.com/en/US/customer/products/hw/modules/ps2706/products_configuration_example09186a00808b4d9f.shtml#sw
    A similar command exists for the IDSM ("intrusion-detection module"), for use in certain configurations.  You can read more here, in the "Configuring IDSM-2" section of the IPS 6.1 Configuration Guide for CLI:
    http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_idsm2.html#wp1030828
    If nothing else, using these commands could free up the 2 available SPAN sessions for other use (such as a NAM module).

  • Monitor or Span port Vulnerablility

    Is the CISCO IDS/IPS device connecting to Monitor or SPAN port Vulnerable? Is there a document which I can refer to ?

    It's very unlikely, but not impossible. Snort's had a few and the general concept is applicable to any IDS. If you suck in data off the network and process it, there's the potential for vulnerabilities. If you're worried about it, put the management interface in a management dmz.
    http://www.infoworld.com/article/03/03/04/HNsnort_1.html
