Jul 25

How to Configure a Cisco Switch for Network Sniffing

Posted by Carson

Sometimes it’s necessary to analyze (sniff) packets flowing through a network for reasons such as congestion or virus outbreaks.  I can remember two specific occasions where I had to sniff:

1. A user had fired up a p2p tool and was downloading some music files

2. A user had set an OpenGL screensaver on a Citrix terminal running over an MPLS WAN link

In both cases, I used a tool called Wireshark (aka Ethereal) to sniff packets running across the local network, which helped me to track down the source of these issues.  However, since most networks these days are switched, simply firing up Wireshark isn’t enough.  The nature of a switched network means that it’s impossible to capture all packets without some special switch configuration, hence the need for port mirroring.  Essentially, you tell the Cisco switch to mirror all data across a physical port or range of ports to a destination port.  This destination port is special and does not act like a regular port, so it is important to document this change.  Here’s how it’s done*…

To mirror ports 1-47 to port 48 (assumes you are already on the switch as a privileged user):

conf t
! clear out any SPAN sessions already configured
no monitor session all
monitor session 1 source interface fa0/1 - 47
monitor session 1 destination interface fa0/48
end

This configuration will mirror ALL data in/out of ports 1-47 over to port 48.  It would be best to do this config on a core switch so that all switches cascaded off the main switch will also be monitored.  Plug your laptop into port 48, launch Wireshark, and watch the packets fly!

Once I’ve captured a good chunk of data, I’ll use the Conversations feature of Wireshark to check out the chattiest machines on the network.  Usually with this method I can pinpoint the cause of network congestion and other abnormalities.
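The Conversations view does the same per-host-pair byte count that the following script performs. It is an added example, not code from the original post: it parses a classic pcap file with only the Python standard library, tallies IPv4 bytes per unordered host pair, and ranks the chattiest pairs; the capture it runs against is constructed inline, so the hosts and sizes are made up.

```python
import struct
from collections import Counter

ETH_IPV4 = 0x0800

def build_pcap(frames):
    # Constructed sample capture: wrap raw Ethernet frames in a little-endian pcap image.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

def ipv4_frame(src, dst, payload_len):
    # Constructed Ethernet + IPv4 frame with a zero-filled payload (MACs and checksum left zero).
    eth = bytes(12) + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + bytes(payload_len)

def _byteorder(pcap_bytes):
    # Classic pcap magic (micro- or nanosecond) in either byte order; pcapng is not handled.
    for order in ("<", ">"):
        if struct.unpack_from(order + "I", pcap_bytes, 0)[0] in (0xA1B2C3D4, 0xA1B23C4D):
            return order
    raise ValueError("not a classic pcap file")

def conversations(pcap_bytes):
    # Sum IPv4 bytes per unordered host pair, like Wireshark's Conversations > IPv4 tab.
    order = _byteorder(pcap_bytes)
    totals, off = Counter(), 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from(order + "IIII", pcap_bytes, off)[2]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Skip truncated frames and anything that is not IPv4 (ARP, IPv6, ...).
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
            continue
        total_len = struct.unpack_from("!H", frame, 16)[0]  # IP header + payload
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        totals[tuple(sorted((src, dst)))] += total_len
    return totals

def top_talkers(pcap_bytes, n=3):
    return conversations(pcap_bytes).most_common(n)

# Constructed capture: one host moving bulk data to an outside address, a small local flow, one ARP frame.
SAMPLE = build_pcap([
    ipv4_frame("10.0.0.5", "203.0.113.9", 1400), ipv4_frame("203.0.113.9", "10.0.0.5", 1400),
    ipv4_frame("10.0.0.5", "203.0.113.9", 1400), ipv4_frame("10.0.0.7", "10.0.0.1", 100),
    bytes(12) + struct.pack("!H", 0x0806) + bytes(28),
])
```

On a real capture, pass the bytes of a .pcap saved by Wireshark to top_talkers(); keep in mind that a single SPAN destination port can be oversubscribed when many busy source ports are mirrored into it, so the counts may undercount the true traffic.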

*Certain versions of Cisco IOS require different commands, but I have had pretty good luck with the above settings.
