How to set up Wireshark to read SPAN destination traffic

I am unable to get wireshark to read a SPAN destination port that it is connected to.

I start with a pc connected by ethernet to a switchport that has been placed in VLAN 100 with an SVI 100 in the same subnet. The port status is up/up. Pings work both ways.

I configure SPAN on the switch, and the port state changes to up/down. My understanding is that this is normal for the SPAN destination port to transition to up/down because it's in port mirroring mode. Pings on the VLAN continue to work.

I turn on wireshark and select the ethernet NIC for the PC.

I do some pings on the other VLAN 50 which includes the source port that I configured in SPAN. My understanding is in theory Wireshark should pick up the ICMP traffic, but it doesn't see it.

I also try pings on the VLAN 100 across the destination port but this traffic is also not detected.

All I see in wireshark are some ARP messages.

First question is am I setting this up right in theory?

Second question is, if that is so, what is blocking wireshark from working?

Megaladon
asked 2018-10-10 15:42:04 +0000, updated 2018-10-10 15:43:47 +0000


3 Answers

When setting wireshark up on the interface, is there traffic to that interface? I believe you're setting everything up correctly. When I span a port on our switches I make sure I put the source port into a mirroring state and where I have the monitor I have it set to the destination on the mirroring state. Are you using cisco switches or another vendor?

elliep
answered 2018-10-10 21:09:29 +0000

Comments

I am using a Cisco Catalyst 2960S switch. There is traffic but just arp messages, no ICMP even if I ping across both source and destination ports (svi to pc in each vlan respectively, which I presume travels through the port the vlans are associated with). So yes there is traffic of some sort but not showing pings.

Megaladon (2018-10-11 00:01:56 +0000)

For the port on the switch that you're trying to monitor, did you set it up in a mirror setup with the source on it? So for example if gig 1/5 is what you want to monitor, set it up as monitor session 3 source inter gig 1/5, then the computer that wireshark is on, set it up as monitor session 3 destination inter gig (monitor computer).

elliep (2018-10-11 10:18:39 +0000)

Yes, I configured as follows:

    monitor session 1 source g1/0/1
    monitor session 1 destination g1/0/3

To verify I used: show monitor

Megaladon (2018-10-11 22:11:17 +0000)

I created a video a while ago covering this. Take a peek and see if it helps: Using Wireshark and Cisco Port Mirroring

thetechfirm
answered 2018-10-10 23:52:20 +0000

There's a couple of reasons that could be causing this behavior. Assuming you set up the SPAN correctly (your PC would be on the "monitor" or "destination" port for the SPAN session) you should be getting packets to the NIC of the PC. One reason that you don't see packets coming in in Wireshark could be that locally installed software drops them at an early stage (because they're not really sent to your PC's MAC). We've seen VPN software or some local firewalls do that kind of thing - so if you have any of those installed, you might want to test without them. The other thing is that if you mirror your packets with VLAN tags as part of the frames, some network cards drop the packets. In that case you could try to mirror the packets without VLAN tags to see if that works.

By the way, usually the PC on the destination port (your capture PC) should not be able to communicate with the network anymore.

Jasper
answered 2018-10-11 08:53:04 +0000

Comments

I ran some tests based on your comments and results were as follows:

1. I confirmed that the capture PC loses connectivity within the vlan assigned to it once the monitor session is configured.
2. Unfortunately I am unable to test the firewall due to privileges at this time, but will test that when possible.
3. I may need some clarification on what you mean by trying to remove vlan tags. These are access ports belonging to one vlan only, so I'm thinking they are not tagged by default since they are not trunks that would require 802.1q tagging to be enabled in order to sort out the vlan traffic. So I'm not thinking tags are an issue since it's access ports in my case.

Thanks for the help.

Megaladon (2018-10-11 22:08:54 +0000)

When you define a monitor session on Cisco devices you can often specify if the session should keep encapsulation layers intact (in your case 802.1q). Usually this is done by adding "encapsulation dot1q" at the end of the "monitor session" command. If you don't have the encapsulation the VLAN tag would be stripped instead. But I'm not sure how your 2960S does it, I am not familiar with that switch.

Keep in mind that when you declare a port a monitor port (meaning, the destination/capture device port) it is no longer an access port in the normal sense. It may transfer VLAN tags, or it may not, based on how the SPAN mechanism works in your switch. I had a Cisco 650x switch where we needed to declare a monitor port a trunk port first to get the VLAN tags (there was no "encapsulation dot1q" keyword ... (more)

Jasper (2018-10-12 13:27:23 +0000)

Ok, after additional testing I tried using different PCs as the monitoring PC. It turns out my configuration was correct, as one of the PCs was able to wireshark the traffic and SPAN was working fine. I'd still like to determine why the other PC does not work. Both PCs use the same Kaspersky Endpoint Protection, so I do not think it is a firewall issue, as one PC can wireshark without issue. I tried playing around with the encapsulation dot1q option, but that did not have any effect. I've run out of theories to test. I'm happy SPAN worked on the older dell laptop, but the newer dell laptop seems unable to pick up my ping traffic. Any theories?

Megaladon (2018-10-17 21:42:15 +0000)
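Jasper's answer names three things to check in a SPAN capture: whether mirrored frames carry an 802.1Q tag, whether they are addressed to a MAC other than the capture NIC's (which local software may drop), and whether anything beyond ARP broadcasts is arriving at all. The following is an added example, not code from the thread, that parses raw Ethernet frames and reports exactly those properties; CAPTURE_NIC_MAC and every MAC, IP and frame below are constructed values.

```python
import struct

# Added example (not from the thread): parse raw Ethernet frames as a SPAN
# destination NIC delivers them. All MACs and IPs below are constructed.
CAPTURE_NIC_MAC = "00:11:22:33:44:55"   # assumed MAC of the Wireshark PC

def classify_frame(frame, local_mac=CAPTURE_NIC_MAC):
    """Report VLAN tag, protocol and whether the frame is addressed to us."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan_id = 14, None
    if ethertype == 0x8100:                      # 802.1Q tag present
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    proto = "other"
    if ethertype == 0x0806:
        proto = "arp"
    elif ethertype == 0x0800 and len(frame) >= offset + 20:
        ihl = (frame[offset] & 0x0F) * 4
        if frame[offset + 9] == 1 and len(frame) > offset + ihl:   # IP proto 1 = ICMP
            proto = {8: "icmp-echo-request", 0: "icmp-echo-reply"}.get(frame[offset + ihl], "icmp")
        else:
            proto = "ipv4"
    dst_s = dst.hex(":")
    return {"dst": dst_s, "src": src.hex(":"), "vlan": vlan_id, "proto": proto,
            "for_me": dst_s in (local_mac.lower(), "ff:ff:ff:ff:ff:ff")}

def summarize(frames, local_mac=CAPTURE_NIC_MAC):
    """Counts that separate 'only ARP broadcasts' from 'mirrored unicast arrives'."""
    rows = [classify_frame(f, local_mac) for f in frames]
    return {"total": len(rows), "arp": sum(r["proto"] == "arp" for r in rows),
            "icmp": sum(r["proto"].startswith("icmp") for r in rows),
            "tagged": sum(r["vlan"] is not None for r in rows),
            "not_for_me": sum(not r["for_me"] for r in rows)}

def build_frame(dst, src, ethertype, payload, vlan=None):
    """Constructed test frame; vlan=None gives an untagged (access-port style) frame."""
    hdr = bytes.fromhex(dst.replace(":", "") + src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

# 20-byte IPv4 header (protocol 1, checksum left zero) + 8-byte ICMP echo request
_ECHO = bytes.fromhex("4500001c00010000400100000a0032010a003202" "0800f7ff00010001")
_ARP = bytes.fromhex("0001080006040001") + bytes(20)          # ARP request body, zeroed
SAMPLE_FRAMES = [
    build_frame("ff:ff:ff:ff:ff:ff", "00:aa:bb:cc:dd:01", 0x0806, _ARP),             # what the OP sees
    build_frame("00:aa:bb:cc:dd:02", "00:aa:bb:cc:dd:03", 0x0800, _ECHO, vlan=50),  # mirrored ping
]
```

A capture whose summary shows only "arp" and nothing with not_for_me > 0 matches the symptom in the question; once mirroring reaches the NIC, the "tagged" count tells you whether the switch is delivering the 802.1Q header that some cards or drivers discard.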