Saturday, December 17, 2016

configure port mirroring (SPAN) on a Cisco switch

*** diagram

monitoring machine ------> f1/0 [switch] f1/1 ------------> client
                                         f1/2 ------------> web server

- note the switch model and IOS version first, since the SPAN command syntax differs between platforms (this 3745 image is a router image; the Fa1/x ports belong to its EtherSwitch network module, most likely an NM-16ESW, which accepts the same monitor session commands)
R1-SW(config)#do show version
Cisco IOS Software, 3700 Software (C3745-ADVENTERPRISEK9-M), Version 12.4(18), RELEASE SOFTWARE (fc1)

1- configure f1/0 as the destination port and f1/1 and f1/2 as source ports with the following commands (global configuration mode). Both directions are mirrored by default, so frames received and transmitted on the source ports are copied. Note that the destination port stops forwarding normal traffic while the session is active, and the monitoring machine does not need an IP address on it. Check the result with show monitor session 1.

monitor session 1 source interface Fa1/1 - 2
monitor session 1 destination interface Fa1/0

the destination port also receives a copy of everything the source ports send, including the switch's own STP BPDUs and CDP advertisements. If you want to keep that noise out of the capture, disable STP on VLAN 1 and CDP with the following commands. Do this only in a lab: disabling spanning tree on a production VLAN can create a forwarding loop, and a capture filter on the monitoring machine removes the same frames without touching the switch.

no spanning-tree vlan 1
no cdp run

2- on the monitoring machine, use Wireshark or tcpdump to capture the mirrored traffic. The interface only has to be up, not addressed, and tcpdump puts it in promiscuous mode by default; -nn avoids name lookups, which would otherwise generate traffic of their own:
$ sudo tcpdump -i eth0 -nn -v

- below is a screenshot of the traffic between the client and the web server: the HTTP request/response exchange
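What the monitoring machine actually sees on the mirror port is a mix of the client/web server HTTP exchange and the switch's own STP and CDP frames. The following is an added example (not code from the original post) that parses raw Ethernet frames the way a capture tool would and separates those kinds, which is the same thing a capture filter does and is the alternative to disabling STP and CDP on the switch. The frames are constructed inline with made-up MAC and IP addresses, and IP/TCP checksums are left at zero because the parser does not validate them.

```python
"""Classify frames arriving on the SPAN destination port.

Added example, not from the original post. All frames below are built
inline (an STP BPDU, a CDP advertisement, an HTTP request and its
response) so the classifier runs offline; addresses are made up.
"""
import struct

STP_MAC = bytes.fromhex("0180c2000000")   # IEEE 802.1D bridge group address
CDP_MAC = bytes.fromhex("01000ccccccc")   # Cisco multicast address used by CDP
CISCO_OUI = b"\x00\x00\x0c"
CDP_SNAP_PID = 0x2000
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def _first_line(payload):
    return payload.split(b"\r\n", 1)[0].decode("ascii", "replace")


def classify_frame(frame):
    """Return (kind, detail) for one raw Ethernet frame seen on the mirror port."""
    if len(frame) < 14:
        return ("runt", None)
    dst, _src, type_or_len = struct.unpack("!6s6sH", frame[:14])
    body = frame[14:]
    if type_or_len < 0x0600:
        # IEEE 802.3 length field, so an LLC header (DSAP, SSAP, control) follows
        if len(body) < 3:
            return ("malformed", None)
        dsap, ssap = body[0], body[1]
        if dst == STP_MAC and dsap == 0x42 and ssap == 0x42:
            return ("stp", None)
        if dsap == 0xAA and ssap == 0xAA and len(body) >= 8:
            # SNAP header: 3-byte OUI followed by a 2-byte protocol id
            oui, pid = body[3:6], struct.unpack("!H", body[6:8])[0]
            if dst == CDP_MAC and oui == CISCO_OUI and pid == CDP_SNAP_PID:
                return ("cdp", None)
        return ("llc-other", None)
    if type_or_len != 0x0800:
        return ("non-ip", hex(type_or_len))
    if len(body) < 20:
        return ("malformed", None)
    ihl = (body[0] & 0x0F) * 4
    total_len = struct.unpack("!H", body[2:4])[0]
    if body[9] != 6:
        return ("ip-other", body[9])
    tcp = body[ihl:total_len]              # drops any Ethernet padding after the datagram
    if len(tcp) < 20:
        return ("malformed", None)
    sport, dport = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]     # TCP data offset is in 32-bit words
    if dport == 80 and payload.startswith(HTTP_METHODS):
        return ("http-request", _first_line(payload))
    if sport == 80 and payload.startswith(b"HTTP/"):
        return ("http-response", _first_line(payload))
    return ("tcp", "%d->%d" % (sport, dport))


def summarize(frames):
    """Count frame kinds and collect the HTTP request/response status lines."""
    counts, http_lines = {}, []
    for frame in frames:
        kind, detail = classify_frame(frame)
        counts[kind] = counts.get(kind, 0) + 1
        if kind.startswith("http-"):
            http_lines.append((kind, detail))
    return counts, http_lines


# --- constructed sample frames (not a real capture) -------------------------
def build_stp_frame(src_mac):
    llc, bpdu = b"\x42\x42\x03", bytes(35)           # zeroed configuration BPDU body
    return STP_MAC + src_mac + struct.pack("!H", len(llc) + len(bpdu)) + llc + bpdu


def build_cdp_frame(src_mac):
    snap = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", CDP_SNAP_PID)
    cdp = b"\x02\xb4\x00\x00"                        # version 2, TTL 180, checksum 0
    return CDP_MAC + src_mac + struct.pack("!H", len(snap) + len(cdp)) + snap + cdp


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp_hdr) + len(payload),
                         0, 0x4000, 64, 6, 0, src_ip, dst_ip)
    return dst_mac + src_mac + b"\x08\x00" + ip_hdr + tcp_hdr + payload


CLIENT_MAC, SERVER_MAC, SWITCH_MAC = (bytes.fromhex(m) for m in
                                      ("000c29aabbcc", "000c29ddeeff", "c20101000000"))
CLIENT_IP, SERVER_IP = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20])

SAMPLE_CAPTURE = [
    build_stp_frame(SWITCH_MAC),                     # BPDU the switch sends every 2 s
    build_cdp_frame(SWITCH_MAC),                     # CDP advertisement from the switch
    build_tcp_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 51234, 80,
                    b"GET /index.html HTTP/1.1\r\nHost: 192.168.1.20\r\n\r\n"),
    build_tcp_frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 80, 51234,
                    b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    build_stp_frame(SWITCH_MAC),
]

if __name__ == "__main__":
    counts, lines = summarize(SAMPLE_CAPTURE)
    print(counts)
    for kind, line in lines:
        print(kind, line)
```

On a live mirror port the same separation is what a tcpdump capture filter such as `tcp port 80` does in the kernel before the frames reach the tool, so the STP and CDP chatter can be dropped from the capture without changing the switch configuration.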

