Ask Your Question
0

not seeing all traffic on SPAN port on Cisco switch

asked 2023-08-01 18:47:43 +0000

StuJol gravatar image

updated 2023-08-01 22:03:33 +0000

Guy Harris gravatar image

I recently set up a span port on a Cisco network switch to get a capture of all the traffic. Unfortunately there is traffic on the network which isn’t being detected and recorded by wireshark.

As all the end devices on the switch are within the same network subnet, I set my laptop which had wireshark installed to an unused ip address within the same network range. Was this the correct thing to do on a span port?

I can’t think of any other reason why I’m not seeing all the traffic

edit retag flag offensive close merge delete

1 Answer

Sort by » oldest newest most voted
0

answered 2023-08-01 19:10:49 +0000

Jaap gravatar image

Copying packets to a span port is one of the low priority tasks in the switch. If there's a lot of traffic packets will be dropped on the span port, not on the switch ports.

If there's a lot of traffic on the monitored interfaces this may also overload the span port, resulting in packet drops. For instance monitoring both ingress and egress traffic on the switch fabric doubles the amount of traffic on the span port. So if possible, look into the performance data of the switch to see what happens on the span port.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2023-08-01 18:47:43 +0000

Seen: 386 times

Last updated: Aug 01 '23