Ask Your Question
0

How to set up Wireshark to read SPAN destination traffic

asked 2018-10-10 15:42:04 +0000

Megaladon gravatar image

updated 2018-10-10 15:43:47 +0000

I am unable to get wireshark to read a SPAN destination port that it is connected.

I start with a pc connected by ethernet to a switchport that has been placed in VLAN 100 with with an SVI 100 in the same subnet. The port status is up/up. Pings work both ways.

I configure SPAN on the switch, and the port state changes to up/down. My understanding this is normal for the SPAN destination port to transition to up/down because it's in port mirroring mode. Pings on the VLAN continue to work.

I turn on wireshark and select the ethernet NIC for the PC.

I do some pings on the other VLAN 50 which includes the source port that I configured in SPAN. My understanding is in theory Wireshark should pick up the ICMP traffic, but i doesn't see it.

I also try pings on the VLAN 100 accross the destination port but this traffic is also not detected.

All I see in wireshark are some ARP messages.

First question is am I setting this up right in theory?

Second question is what is, if that is so, what it blocking wireshark from working?

edit retag flag offensive close merge delete
add a comment

3 Answers

Sort by » oldest newest most voted
0

answered 2018-10-11 08:53:04 +0000

Jasper gravatar image

There's a couple of reasons that could be causing this behavior. Assuming you setup the SPAN correctly (your PC would be on the "monitor" or "destination" port for the SPAN Session) you should be getting packets to the NIC of the PC. One reason that you don't see packets coming in in Wireshark could be that a locally installed software drops them at an early stage (because they're not really sent to your PCs MAC). We've seen VPN software or some local firewalls do that kind of thing - so if you have any of those installed, you might want to test without them. The other thing is that if you mirror your packets with VLAN tags as part of the frames some network cards drop the packets. In that case you could try to mirror the packets without VLAN tags to see if that works.

Byt the way, usually the PC on the destination port (your capture PC) should not be able to communicate with the network anymore.

edit flag offensive delete link more

Comments

I ran some tests based on your comments and results were as followed: 1. I confirmed that the capture PC loses connectivity within the vlan assigned to it once monitor session is configured.
2. Unfortunately I am unable to test the firewall due to privileges at this time, but will test that when possible.
3. I may need some clarification on what you mean by trying to remove vlan tags. These are access ports belonging to one vlan only, so I'm thinking they are not tagged by default since they are not trunks that would require 802.1q tagging to be enabled in order to sort out the vlan traffic. So I'm not thinking tags are an issue since it's access ports in my case.

Thanks for the help.

Megaladon gravatar imageMegaladon ( 2018-10-11 22:08:54 +0000 )edit

When you define a monitor session on Cisco devices you can often specify if the session should keep encapsulation layers intact (in your case 802.1q). Usually this is done by adding "encapsulation dot1q" at the end of the "monitor session" command. If you don't have the encapsulation the VLAN tag would be stripped instead. But I'm not sure how your 2960S does it, I am not familiar with that switch.

Keep in mind that when you declare a port a monitor port (meaning, the destination/capture device port) it is no longer an access port in the normal sense. It may transfer VLAN tags, or it may not, based on how the SPAN mechanism works in your switch. I had a Cisco 650x switch were we needed to declare a monitor port a trunk port first to get the VLAN tags (there was no "encapsulation dot1q" keyword ...(more)

Jasper gravatar imageJasper ( 2018-10-12 13:27:23 +0000 )edit

Ok, after additional testing I tried using different PCs as the monitoring PC. It turns out my configuration was correct, as one of the PC was able to wireshark the traffic and SPAN was working fine. I'd still like to determine why the other PC does not work. Both PCs use the same Kaspersky Endpoint Protection, so I do no think it is a firewall issue, as one PC can wireshark without issue. I tried playing around with the encapsulation dot1q option, but that did not have any effect. I've run out of theories to test. I'm happy SPAN worked on the older dell laptop, but the newer dell laptop seems unable to pick up my ping traffic. Any theories?

Megaladon gravatar imageMegaladon ( 2018-10-17 21:42:15 +0000 )edit
add a comment
0

answered 2018-10-10 23:52:20 +0000

thetechfirm gravatar image

i created a video a while ago covering this. take a peek and see if it helps Using Wireshark and Cisco Port Mirroring

edit flag offensive delete link more
add a comment
0

answered 2018-10-10 21:09:29 +0000

elliep gravatar image

When setting wireshark up on the interface is there traffic to that interface. I believe your setting everything up correctly. When I span a port on our switches I make sure I put the source port into a mirroring state and where I have the monitor I have it set to the destination on the mirroring state. Are you using cisco switches or another vendor?

edit flag offensive delete link more

Comments

I am using a Cisco Catalyst 2960S switch. There is traffic but just arp messages, no ICMP even if I ping accross both source and destination ports (svi to pc in each vlan respectively, which I presum travels through the port the vlans are associated with). So yes there is a traffic of some sort but not showing pings.

Megaladon gravatar imageMegaladon ( 2018-10-11 00:01:56 +0000 )edit

For the port on the switch that your trying to monitor did you set it up in a mirror setup with the source on it. So for example if gig 1/5 you want to monitor set it up as monitor session 3 source inter gig 1/5 then the computer that wireshark is on set it up as monitor session 3 destination inter gig (monitor computer).

elliep gravatar imageelliep ( 2018-10-11 10:18:39 +0000 )edit

yes I configured as follows: monitor session 1 source g1/0/1 monitor session 1 destination g1/0/3

To verify I used: show monitor

Megaladon gravatar imageMegaladon ( 2018-10-11 22:11:17 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2018-10-10 15:42:04 +0000

Seen: 13,297 times

Last updated: Oct 11 '18