First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

not seeing all traffic on SPAN port on Cisco switch

  • retag add tags

I recently set up a span port on a Cisco network switch to get a capture of all the traffic. Unfortunately there is traffic on the network which isn’t being detected and recorded by wireshark.

As all the end devices on the switch are within the same network subnet, I set my laptop which had wireshark installed to an unused ip address within the same network range. Was this the correct thing to do on a span port?

I can’t think of any other reason why I’m not seeing all the traffic

StuJol's avatar
1
StuJol
asked 2023-08-01 18:47:43 +0000
Guy Harris's avatar
19.9k
Guy Harris
updated 2023-08-01 22:03:33 +0000
edit flag offensive 0 remove flag close merge delete

Comments

add a comment see more comments

1 Answer

0

Copying packets to a span port is one of the low priority tasks in the switch. If there's a lot of traffic packets will be dropped on the span port, not on the switch ports.

If there's a lot of traffic on the monitored interfaces this may also overload the span port, resulting in packet drops. For instance monitoring both ingress and egress traffic on the switch fabric doubles the amount of traffic on the span port. So if possible, look into the performance data of the switch to see what happens on the span port.

Jaap's avatar
13.7k
Jaap
answered 2023-08-01 19:10:49 +0000
edit flag offensive 0 remove flag delete link
more

Comments

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer