NAM2 showing traffic even Spanned port is shutdown

Hi,
I am seeing some strange behaviour on NAM capture: it is showing too much traffic even though the interface which is being captured is shut down. Any thoughts on this?
[snapshot and configuration attached]
Regards,
Akhtar


Similar Messages

  • Internet Traffic Even When Mail And Safari Shutdown?

    I have just noticed that my SurplusMeter is detecting slight internet traffic even with Safari and Mail shutdown.
    I have, of course, Surplus Meter open, together with ClamXav.
    The Bytes Up and Bytes Down fields jump a few hundred every 5 seconds or so and when timed, the meter moved by 0.1MB every 4 minutes.
    This would represent about 1.5MB per hour and over 20MB per working day (8am to 11pm) which I would have noticed before as I frequently use less than 10MB per day.
    In the past I have come back to my meter after hours and it hasn't moved.
    Any ideas what might be causing this slight trickle of activity?

    I have just noticed that my SurplusMeter is detecting slight internet traffic even with Safari and Mail shutdown.
    I've never used SurplusMeter, but if it's like any of the other bandwidth monitoring tools I've seen it's not watching your internet traffic, it's watching your ethernet traffic.
    There is an important difference. Even if the only devices on your network are your Mac and your router, there will always be some background noise.
    Amongst other things, ethernet uses ARP - Address Resolution Protocol - to map IP addresses to physical devices on the network. It does this by sending out an ARP request for any device the machine needs to talk to. For example, if your Mac has the IP address 192.168.1.2 and a default router address of 192.168.1.1 then it will send out an ARP request "hey! where is 192.168.1.1", to which the router will reply "hey! I'm over here". That's two packets of data, even if there is no other activity or device on the network.
    IIRC, ARP replies are cached for 5 minutes after which the OS sends out another ARP reply to update its ARP table, which ties in exactly with the interval you're seeing.
    I'd further guess that 0.1MB is the smallest unit of measurement that SurplusMeter reports, so even the 28-byte ARP request and reply packets get reported as 0.1MB.
    Furthermore, by definition, ARP is limited to the local network and never transmits over your ISP link, so it's not going to count towards any bandwidth usage limits.
    So this isn't likely to be anything to worry about. You can confirm this with any of the ethernet sniffers, or even just a simple tcpdump in Terminal.app.
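
The ARP exchange described in the reply above, decoded from raw frames. This is an added example, not part of the original post; the MAC addresses are constructed documentation-range values and the IP addresses are the ones used in the reply.

```python
import struct

ETH_ARP, ETH_IPV4 = 0x0806, 0x0800
MIN_FRAME = 60  # minimum Ethernet frame (without FCS); short payloads are padded

def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet frame carrying an ARP packet (constructed sample)."""
    dst = b"\xff" * 6 if op == 1 else tha          # requests are broadcast
    eth = dst + sha + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, op) + sha + spa + tha + tpa
    return (eth + arp).ljust(MIN_FRAME, b"\x00")

def parse(frame):
    """Return a summary dict for one frame; ARP fields are decoded."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_ARP:
        return {"kind": "other", "wire_bytes": len(frame)}
    _, _, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    body = frame[22:22 + 2 * (hlen + plen)]        # sha, spa, tha, tpa
    spa = body[hlen:hlen + plen]
    tpa = body[2 * hlen + plen:]
    dotted = lambda b: ".".join(str(x) for x in b)
    return {"kind": "arp",
            "op": {1: "request", 2: "reply"}.get(op, "other"),
            "sender_ip": dotted(spa), "target_ip": dotted(tpa),
            "arp_bytes": 8 + 2 * (hlen + plen),    # ARP packet size
            "wire_bytes": len(frame)}              # what a byte counter sees

def tally(frames):
    """Bytes per traffic kind, as an interface byte counter would see them."""
    totals = {}
    for f in frames:
        p = parse(f)
        totals[p["kind"]] = totals.get(p["kind"], 0) + p["wire_bytes"]
    return totals

# Constructed sample: the Mac (192.168.1.2) asks for the router (192.168.1.1).
MAC_HOST = bytes.fromhex("00005e005302")      # documentation-range MACs
MAC_ROUTER = bytes.fromhex("00005e005301")
IP_HOST, IP_ROUTER = bytes([192, 168, 1, 2]), bytes([192, 168, 1, 1])
REQUEST = build_arp(1, MAC_HOST, IP_HOST, b"\x00" * 6, IP_ROUTER)
REPLY = build_arp(2, MAC_ROUTER, IP_ROUTER, MAC_HOST, IP_HOST)

if __name__ == "__main__":
    for frame in (REQUEST, REPLY):
        print(parse(frame))
    print(tally([REQUEST, REPLY]))
```

The ARP packet itself is 28 bytes, but each frame occupies 60 bytes on the wire once the Ethernet header and padding are counted, which is the figure an interface-level meter accumulates.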

  • NEXUS span session getting twice the data to the span port

    I'm setting up a monitor session on a NEXUS 7K as below.
    We are receiving in 150M of data and 0 data going out port 9/25.
    but port 4/24 shows 300M to the span port?
    Am I doing something wrong here or is that normal?
    monitor session 10
         no shutdown
         source int e 9/25  both
         destination int e 4/24

    I just confirmed that when I span a port on NEXUS 7K ios version 6.1(1) the RX data is duplicated to the span port.
    Does anyone know of bugs related to that?

  • CS11800 - Can I have a SPAN port for my IDS box?

    I have a network design that calls for a few CS11800s and its smaller brother. The security team has asked if this content switch has a SPAN port that is available so we can hang our IDS box off.
    Thanks
    B

    I am not extremely familiar with the CS11xxx series and its configuration options, but I can tell you that from experience with Cisco Catalyst switches and non-Cisco IDS devices a SPAN port is not always the best solution. In some instances I have had to disable packet learning in the SPAN session, and in other cases I have had to forego using SPAN at all and settled for an uplink to a hub that connected the IDS device and my router(s). This is especially true if the IDS device needs to be a member of the same VLAN as the traffic it is monitoring in order to send RST packets back onto the segment.
    I have researched this issue on my own and even opened TAC cases for a solution, but have received solutions ranging from "There's no reason this shouldn't work" to "You can not set up a SPAN session for IDS purposes." My recommendation would be (even though it does decrease performance a bit) to implement the hub solution, regardless of the CS11800 capabilities. This will prove to remove any potential X factors in the SPAN functionality and make your life a lot easier.
    Just my 2 cents. :)

  • MARS - "Sudden increase of traffic to a port" rule

    Hello. I duplicated the system rule "Sudden increase of traffic to a port" in MARS and it blew out the original system rule and now shows up as a user rule. It doesn't appear to be working either. It is active. Not sure what to make of this, and neither is TAC. Anybody ever mess up a system rule like this? Any way to recover it? Thanks!

    I upgraded to 4.2.2 and the rule seems to have been restored as a system rule. I noticed that it is showing up in our morning report (Event Types Ranked by Sessions), but we are not receiving an email or page for this rule firing (email/SMS notification works for all other rules). I ran a query for this event for the time period of the report it showed up on and no results were returned. Any thoughts would be appreciated. Thanks.
    Christine

  • Why does Port Scan show an open bacula port?

    The last couple of times I've run a port scan it shows an open port for bacula's file daemon.  However, I have never had this program on my Macbook and don't back it up over a network (which is what I believe bacula does).  Why would this be showing as an open port?  How can I close it if I can't select it as an application?  A complete search of my machine shows nothing even matching the name bacula except the webpages I've looked up about it.  Any help would be appreciated.  Thanks.

    "does not mean it is what is supposed to be listening on that port" - For example, a web server normally runs on port 80 (for http) or port 443 (for https).  But you can configure it to run on port 22 for example, where an ssh server normally lives.
    I mention this in case it is not bacula-fd running on port 9102. It's likely, but if you can't find bacula-fd installed, then perhaps it is something else.
    To see if it is bacula-fd running, please paste the output of this command.  Rather than answer your questions, let's first find out what is / is not running.
    $ ps auwx | grep bacula
    root              73   0.0  0.0  2513380   3032   ??  Ss   25Feb12   2:28.96 /opt/local/sbin/bacula-fd -c /opt/local/etc/bacula/bacula-fd.conf
    root              53   0.0  0.0  2508332   1352   ??  Ss   25Feb12   0:00.34 /opt/local/bin/daemondo --label=bacula --start-cmd /opt/local/etc/LaunchDaemons/org.macports.bacula/bacula.wrapper start ; --stop-cmd /opt/local/etc/LaunchDaemons/org.macports.bacula/bacula.wrapper stop ; --restart-cmd /opt/local/etc/LaunchDaemons/org.macports.bacula/bacula.wrapper restart ; --pid=none
    dan             8439   0.0  0.0  2434892    572 s000  S+    8:29AM   0:00.01 grep bacula
    Message was edited by: Dan Langille

  • Nexus 9k span port

    Can someone provide instructions of how to configure a span port/monitor session on a 9k?

    Hi Joris,
    SPAN source functionality on satellite ports and host interface port channels is not supported when the FEX is connected to F2 Series modules. Beginning with Cisco NX-OS Release 6.2(2), FEX ports are supported as an egress SPAN source on F2e Series modules.
    http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/system_management/configuration/guide/sm_14span.html#wp1239670
    Nexus7k# show module
    Mod  Ports  Module-Type                         Model              Status
    1    0      Supervisor module                 N7K-SUP2           active *
    3    48     1/10 Gbps Ethernet Module           N7K-F248XP-25      ok
    Mod  Sw              Hw
    1    6.x(x)          1.0
    3    6.x(x)          1.1
    Mod  MAC-Address(es)                         Serial-Num
    1    84-xx-xxx to 84-xx-xxxx  JAxxxxxxxx
    3    00-xxx to 00-xxxxx JAxxxxxxx
    Mod  Online Diag Status
    1    Pass
    3    Pass
    * this terminal session
    Regards
    Jens

  • Applying span port for sniffer

    Hi,
    We want to sniff some traffic that is passing between two nodes in our network.
    The flow will look like this;
    Edge switch > Core switch > (Wireless controller A) > metro ethernet link > Core switch > (wireless controller B)
    Wireless controller is connected to the core switch. We want to sniff traffic that passes from controller A towards the other side of the network.
    Controller A side belongs to us, hence we can only put sniffing on our end.
    Please help to understand how to setup span port on a laptop in this setup.
    If we connect a notebook on the coreswitch to sniff traffic passing through, will it be right?
    Appreciate all inputs.

    That's correct, the only thing I might note is to decide if you want to collect both rx and tx data. By leaving it default, as you did above, it will capture "both" directions. Capturing both is fine, but it will increase your wireshark capture size. I would also recommend applying a wireshark filter to only see the specific traffic you are interested in. A simple Google search will give you more info on wireshark filters. Lastly, remember to remove the monitor session once you are done. We see leftover SPAN sessions often causing various switch problems, so they are only recommended to use as needed.
    HTH
    Luke

  • SPAN Port Monitoring Setup

    We have three Cisco Catalyst 3750 switches that are stacked. The primary switch has a VLAN ( # 99 ) set up on it. The VLAN has our incoming internet connection. The LAN ports from the two redundant firewalls are routed back to the primary switch ( non VLAN ). The WAN ports on the firewalls are connected to the VLAN. There are three unused ports ( 46, 47 & 48 ) available on the VLAN. There are also a couple of available ports ( 36 & 38 ) on the primary switch that are not in the VLAN.
    We want to connect a hardware device to one of the ports on the switch that monitors network traffic. Need to connect two ports on the hardware device. One for LAN/WAN traffic, and one for the SPAN port.
    Question:
    Which port would you set up as the LAN port?
    Which port would you set up as the SPAN port?
    What commands would we run to set this up?
    Thanks

    I would suggest moving this post here: https://supportforums.cisco.com/community/6016/lan-switching-and-routing
    3750 isn't considered a small business switch.

  • Span port and Unicast packets

    There is a problem with a PIX sending syslogs to a device that is plugged into the same switch as the PIX. From any other switch, in the span port the packets are seen going from the pix's ip port (514) to the device's ip port (514). Why do I see unicast packets propagating through all the switches when both devices are in the same switch? Do I need to hard code the MAC's into the switch? The problem doesn't occur all the time.

    When a switch receives a unicast packet with a destination address that it has not learned, the default is to flood it to all ports. You can disable flooding in this case on a per-port basis. So, I think in your switches, the default setting of flooding is enabled, VLANs are configured, and also VTP (trunking) is enabled so that even though the source and destination are on same switch, because of same VLANs, trunking and flooding enabled, the packet propagates through all switches.
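
The flooding behaviour described in the reply above, as a small learning-switch model. This is an added example, not part of the original posts, and it goes one step beyond the reply by also modelling entry aging; the port names, MAC addresses, the 300-second aging time and the premise that the syslog receiver transmits only once are assumptions made for illustration.

```python
AGING_SECONDS = 300  # assumed aging time for learned entries

class LearningSwitch:
    """Minimal transparent-bridge model: learn source MACs, forward or flood."""

    def __init__(self, ports, aging=AGING_SECONDS):
        self.ports = set(ports)
        self.aging = aging
        self.table = {}  # MAC -> (port, time last seen as a source)

    def receive(self, now, in_port, src, dst):
        """Learn src on in_port, then return the set of egress ports for dst."""
        self.table[src] = (in_port, now)
        entry = self.table.get(dst)
        if entry and now - entry[1] <= self.aging:
            return {entry[0]} - {in_port}        # known unicast: one port
        self.table.pop(dst, None)                # aged out or never learned
        return self.ports - {in_port}            # unknown unicast: flood

# Constructed scenario (hypothetical port names, documentation-range MACs).
PIX_MAC, COLLECTOR_MAC = "00:00:5e:00:53:01", "00:00:5e:00:53:02"

def simulate(duration=600, interval=60):
    """PIX sends one syslog frame per interval; the collector speaks once at t=0.

    Returns a list of (time, flooded_to_uplink) tuples.
    """
    sw = LearningSwitch(["pix", "collector", "uplink"])
    sw.receive(0, "collector", COLLECTOR_MAC, PIX_MAC)   # collector learned
    seen = []
    for t in range(interval, duration + 1, interval):
        egress = sw.receive(t, "pix", PIX_MAC, COLLECTOR_MAC)
        seen.append((t, "uplink" in egress))
    return seen

if __name__ == "__main__":
    for t, flooded in simulate():
        print(f"t={t:3d}s  reaches uplink/other switches: {flooded}")
```

In this model the frames stay on the collector's port while its entry is fresh and start reaching the uplink once the entry has aged out, so a capture on another switch sees them only part of the time.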

  • Span port 6500 12.1-(20)E MSFC2 inpkts

    From my research, it looks as if the CatOS had an inpkts keyword with spanning ports that allowed the SPAN port to receive normal incoming traffic. Is there an option like that in the IOS/MSFC2 configuration? Thanks.

    That feature is not supported in Native IOS code for Cat6000:
    Features Not Supported
    •Ability to accept ingress traffic on SPAN destination ports (CatOS equivalent - set span ... inpkts enable)
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/ol_2310.htm

  • Span port recording

    Hi All, A real idiot question but we have to use span port recording as we are using citrix (unless anyone knows different) but I just can't get my head around the span part at the UCCX end. Span on all the access switches is fine but the server is only using 1 NIC for all the existing traffic, now, can I just enable span from the agents ip phone vlan to the SAME port as what the server is currently connected to OR do I need to connect the 2nd NIC to the switch and configure the span to that port? Will I need to configure a separate IP address in the server for that 2nd NIC - I guess not.
    Many Thanks

    This is what I did recently for a customer: They have UCCX 8.5 running on ESXi on UCS C10 server. That server has two NICs but by default all the VMs were on one NIC. So I used the second NIC and I put the UCCX VM on that second NIC. Callmanager and Unity Connection VMs remained on the 1st NIC.
    Then I used a Catalyst 2960 to span the ingress of the voice vlan to the destination port that was connected to that second NIC. You have to enable ingress forwarding for that to work so that regular traffic can still pass through.
    Now, I did all this because 8.5 doesn't support using a second NIC. 7.x does, I believe. So you may be able to put the voice monitoring service on that NIC. I don't think it would need its own IP address if it's just in promiscuous mode trying to listen for voice traffic.
    Thanks,
    Mark

  • Spanned port for IDS

    We're about to get an IDS system which will require a spanned port on the inside of our network. Inside our network we have a few 6500's so I'd span a port on one of our core switches...my question is, there is definitely more than 1GB of traffic going through the core at any time...how would I get all this traffic to the IDS system? Would I just create an etherchannel and use it as a destination, and plug all the ports into the IDS?

    Thanks for that link. According to that link you have to have separate IDS's attached to the etherchannel (one per port):
    "The IPS appliances must be in on-a-stick mode, meaning that the IPS appliance can only use one sensing port on that Catalyst switch. That port is trunked so that the IPS appliance has an inbound and outbound path to and from the switch."
    Am I reading that wrong? Can I have one IPS with three or four ports attached to the same switch in an etherchannel?
    It's starting to sound like I'm going to have to limit what ports I source...which means the IDS could potentially miss a threat or report it later than it could....

  • [MSI Z97 Xpower AC] Confusion about odd/even Sata port number sides

    So newb here, performing his first computer build.
    Problem is that I don't see any numbers on my motherboard's sata ports.
    My manual is a little confusing, as the diagram and video shows the odd/even numbers on different sides.
    Due to the large number of drives & cable management concerns...I'd like to know the exact SATA port numbers before connecting & running computer.
    Can anyone tell me what side the odd/even Sata ports are located on?
    Are the odd numbers located on the motherboard side (while even are on case side)?
    Or, are the even numbers located on the motherboard side (while odd are on case side)?

    Thanks HenryW! 

  • Import of photos is not working. Moreover 'photos' app is not getting closed, it says 'closing all libraries'. Even it is stopping shutdown/restart of my mac.

    Import of photos is not working. Moreover 'photos' app is not getting closed, it says 'closing all libraries'. Even it is stopping shutdown/restart of my mac.

    Next time you open the photos application hold down both of the keys suggested and then launch the application in the usual way. If you do this you will be presented with the opportunity to repair your library.
