Is the no monitor command to remove sessions a must? I am going to a client to set up a new session, but I don't want to mess with his current sessions.
No, it is only if you want to take down the monitor session after you are done.
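An added example, not part of the original comments: one way to check which SPAN sessions already exist before adding a new one, so that an unused session number and destination port are chosen and the client's current sessions stay untouched. The sample configuration is constructed, the function names are hypothetical, and the `max_id` limit is an assumption to verify against the switch model.

```python
import re

# Constructed sample of running-config lines (not from a real device).
SAMPLE_CONFIG = """\
hostname access-sw1
!
monitor session 1 source interface Gi1/0/1 - 5 both
monitor session 1 destination interface Gi1/0/24
monitor session 3 source vlan 10
monitor session 3 destination interface Gi1/0/48 encapsulation replicate
monitor session 4 source interface Gi1/0/7
!
interface GigabitEthernet1/0/24
 description analyzer
"""

LINE_RE = re.compile(r"^monitor session (\d+) (source|destination) (.+)$")

def parse_span_sessions(config_text):
    """Return {session_id: {"source": [...], "destination": [...]}}."""
    sessions = {}
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a SPAN source/destination line
        sid, role, target = int(m.group(1)), m.group(2), m.group(3)
        entry = sessions.setdefault(sid, {"source": [], "destination": []})
        entry[role].append(target)
    return sessions

def next_free_session(sessions, max_id=66):
    """Lowest unused session number; max_id is an assumed platform limit."""
    for sid in range(1, max_id + 1):
        if sid not in sessions:
            return sid
    raise ValueError("no free session number")

def destination_in_use(sessions, interface):
    """True if the interface already receives mirrored traffic."""
    return any(interface in target.split()
               for s in sessions.values() for target in s["destination"])

def incomplete_sessions(sessions):
    """Session ids missing a source or a destination (they mirror nothing)."""
    return sorted(sid for sid, s in sessions.items()
                  if not s["source"] or not s["destination"])

if __name__ == "__main__":
    found = parse_span_sessions(SAMPLE_CONFIG)
    print("existing sessions:", sorted(found))
    print("next free session:", next_free_session(found))
```
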
Hi sir, can you show the result after port mirroring is configured, like in Wireshark?
If you configured port mirroring properly, you should be seeing unicast traffic in Wireshark. If you don't configure port mirroring and just capture traffic from Wireshark, you will only see broadcast traffic and any traffic destined to your device.
What does this do? What is the reason why you are doing this?
If you plug an Analyzer into a switch port you will only capture broadcast and multicast traffic as well as traffic to your specific device, you will not be able to capture packets to or from any other device attached to the switch. Port mirroring / port monitoring allows you to configure a port on a Cisco switch to send copies of packet traffic to an Analyzer - like Wireshark so that you can view the directed traffic through the switch.
Hi Mike, thanks for your explanation, I have a Cisco 3560X switch that I need to monitor all the traffic that goes through all its ports, how can I activate the mirroring of all ports and then connect a device that analyzes it?
Thank you.
The simplest way is if all ports are in a single VLAN, then set the "Source" as the VLAN and send to the appropriate destination port. See the link to the Cisco site for a more in-depth explanation. www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swspan.html
Thanks Mike, good stuff. Is it possible to enter a range as the source? like int ra g1/0/1-5
Depends on the model of the switch, some you can choose port ranges, vlans, multiple ports. I would verify based on your model of switch as to its capabilities.
Just want to ask, source port from where? and destination port to where?
The source port is what traffic you want to capture; usually the switch port that a server or internet router is connected to. The destination port is the switch port that your analyzer is connected to. This way the switch will copy the traffic from the "source" port that you designate and send it to the "destination" port so that Wireshark or any other analyzer / IDS can "sniff" the traffic.
Mike, is port mirroring possible between two different subnets?
Port mirroring is at Layer 2, so you can choose multiple ports or VLANs from the switch.
Thanks Mike
Are both ports trunk ports?
No, the source port could be a trunk port if you want to analyze all of the traffic on the trunk port. The destination port will be the port that you have your analyzer attached to.
@mikemotta4511 I'm asking because I have a server 9300 switch that has an uplink to a core switch, so I'm gonna make my dest port a normal access port
monitor session 1 sou int (uplink)
monitor sess 1 dest int (my port) enc replicate
Is that correct?
Yes that should work
Thanks Mike
Use TAB 👍
Span (Switch Port Analyzer)
Dude, learn how to: mo ses 1 so int gi 0/3
What a waste of 5 minutes.
Thank you daddy