This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capturing all the traffic on a Cisco 6509E (switch/router)

0

I have a Cisco 6509E switch/router and I would like to capture ALL the traffic that is passing through it. This is a very common switch/router. It is dedicated and acting like a load balancer to three Apache web servers. The traffic is not terribly heavy. I could mirror the three switch ports which feed off the 6509E and set up Wireshark on each. Are there monitoring ports on the 6509E which would allow me to plug in Wireshark and see everything? I should probably be asking this question to Cisco. I guess my general question is, is there a way to set up Wireshark to capture all of the Unicast, Multicast and Broadcast traffic for all ports on a switch or a router?

asked 17 Nov '13, 10:33

Zoberist


One Answer:

1

Sure, the 6500 series can do mirror/monitor/SPAN ports. If you configure all ports that have devices on them to be mirrored to a single output port and hook up a Wireshark PC to that port you could theoretically capture all the traffic. Theoretically, because the output port has a certain maximum bandwidth (1G or 10G maybe), and if the monitored ports send more than that to the output port it will not forward all of it to the Wireshark PC.

You should take a look at the "monitor session" command, like on this page:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml

answered 17 Nov '13, 11:07

Jasper ♦♦

Outstanding, thank you very much, especially for the URL. I am reading the document now.

(17 Nov '13, 17:20) Zoberist
1

Note that the page in question, and other pages discussing mirror/monitor/SPAN/etc. capabilities on various switches, can be found on the per-vendor pages under the SwitchReference page on the Wireshark Wiki.

(17 Nov '13, 18:21) Guy Harris ♦♦
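The answer's caveat about the output port's maximum bandwidth can be checked before trusting a capture. The following is an added example, not code from the thread: it parses a constructed `show interfaces` excerpt, sums the traffic that both-direction mirroring of three source ports would offer, and compares it with the SPAN destination port's bandwidth and output drops. The interface names, the counters and the choice of both-direction mirroring are assumptions.

```python
import re

# Constructed `show interfaces` excerpt, trimmed to the lines the check reads.
# Interface names and all counters are made up for illustration.
SAMPLE = """\
GigabitEthernet1/1 is up, line protocol is up (connected)
  5 minute input rate 212000000 bits/sec, 21000 packets/sec
  5 minute output rate 310000000 bits/sec, 30000 packets/sec
GigabitEthernet1/2 is up, line protocol is up (connected)
  5 minute input rate 198000000 bits/sec, 20000 packets/sec
  5 minute output rate 295000000 bits/sec, 29000 packets/sec
GigabitEthernet1/3 is up, line protocol is up (connected)
  5 minute input rate 40000000 bits/sec, 4000 packets/sec
  5 minute output rate 61000000 bits/sec, 6000 packets/sec
GigabitEthernet1/48 is up, line protocol is down (monitoring)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 48213
  5 minute output rate 987000000 bits/sec, 96000 packets/sec
"""
SOURCES = ["GigabitEthernet1/1", "GigabitEthernet1/2", "GigabitEthernet1/3"]
DEST = "GigabitEthernet1/48"

def parse_interfaces(text):
    """Map interface name -> bandwidth, 5-minute rates (bits/sec), output drops."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"(\S+) is .*line protocol", line):
            cur = ifaces.setdefault(m.group(1), {"bw": 0, "in": 0, "out": 0, "drops": 0})
        elif cur is None:
            continue
        if m := re.search(r"BW (\d+) Kbit", line):
            cur["bw"] = int(m.group(1)) * 1000
        if m := re.search(r"Total output drops: (\d+)", line):
            cur["drops"] = int(m.group(1))
        if m := re.search(r"5 minute (input|output) rate (\d+) bits/sec", line):
            cur["in" if m.group(1) == "input" else "out"] = int(m.group(2))
    return ifaces

def span_check(text, sources, dest):
    """Compare traffic offered by both-direction mirroring with the destination port."""
    ifs = parse_interfaces(text)
    offered = sum(ifs[s]["in"] + ifs[s]["out"] for s in sources)  # rx + tx per source
    return {"offered_bps": offered, "dest_bw_bps": ifs[dest]["bw"],
            "oversubscribed": offered > ifs[dest]["bw"],
            "dest_output_drops": ifs[dest]["drops"]}

if __name__ == "__main__":
    print(span_check(SAMPLE, SOURCES, DEST))
```

A non-zero and growing output-drop counter on the destination port means mirrored frames never reached the Wireshark PC, so gaps in the capture may be an artifact of the mirror rather than of the network.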