The ability to monitor your network traffic is critical for all network administrators and managers. This means getting down to the packet level. It is important to accomplish this without interrupting vital traffic - especially on a live network.
Many people call this port mirroring - meaning we create a copy or mirror of all the traffic from one port of a switch onto another port that is actually connected to a computer or server that can perform a packet capture.
To get down to the packet level, you have to use a protocol analyzer that will dissect the packets and conversations that occur on the network. Most users are familiar with packet sniffer tools like Wireshark (Ethereal), that decode, monitor, and understand their network traffic.
To accomplish the packet capture, you must connect your computer to a switch and view all data going across that switch or across the network. Some newer switches actually can perform the capture for you. We will leave that for another How To.
If you're using a hub, it is easy, just plug into an available port and since Hubs are repeaters, you are done! However, most of us don't use hubs anymore due to the lower port speeds and security issues associated with them; instead, we use the Ethernet network switches. Trying to monitor all network traffic with a switch may not work.
When using a protocol analyzer such as Wireshark, you typically want to see as much network traffic as you can get your hands on. From there, you can filter it to exactly what you want. However, if you try to run a protocol analyzer on a computer connected to a switch, all you'll see is traffic to and from your computer, as well as broadcasts on your network. The reason for this is that each port on a switch is a private network segment. This is the opposite from a hub. A hub really works as a multi-port repeater, sending out any traffic that comes into one port to all other ports. In the process, all devices on the hub share the same bandwidth.
With a switch, each port has its own private bandwidth - it doesn't have to share it with the other ports/devices. The switch keeps a table of all ports and all Ethernet MAC addresses on those ports. You can use the CAM table or a MAC Address table, using the "show mac-address-table" command on a Cisco Catalyst switch. This means that the switch will send you network traffic destined for your workstation only. Unlike a router, it will also send you broadcast traffic meant for all devices on the LAN.
To copy all traffic on a switch to your network protocol analyzer to see all the traffic, you need a Cisco switch feature called Switched Port Analyzer (SPAN) or Remote SPAN (RSPAN). Other vendors call this feature port mirroring.
Here's how SPAN works: It takes all traffic from a single switch port, multiple switch ports, or an entire VLAN, and it copies that traffic to the destination port. In addition to specifying the source and destination ports, you can also indicate whether you want all sent traffic, received traffic, or both sent and received traffic to go to the destination port.
RSPAN enables you to send traffic sourced from multiple switches across the network to your destination port. For example, let's say VLAN 20 spreads across five switches in multiple areas on the LAN. With RSPAN, you can determine that all traffic destined for VLAN 20 - from any of these five switches-goes to your destination switch port. Once there, the network protocol analyzer can examine the traffic.
Configuring SPAN is pretty simple. Keep in mind that there are a number of "rules" for source and destination ports. You also need to understand how SPAN works with other protocols, such as STP, VTP, and CDP. I recommend reading the Cisco IOS documentation listed below before you begin.
Here's an example for configuring SPAN. Let's say we want to mirror all traffic going to and from the first 5 Ethernet ports on a 24-port switch. Then we want to send copies of all that traffic to port 24 for protocol analysis. Here's what we would do:
CellSwitch(config)# monitor session 1 source interface FastEthernet 0/1 - 5 both
CellSwitch(config)# monitor session 1 destination interface FastEthernet 0/24
Keep in mind that port mirroring a lot of traffic can be very performance intensive to the switch. Make sure you disable all monitoring when you're finished. Here's an example:
CellSwitch(config)# no monitor session 1
You can use the show monitor command to check the status of monitoring. Here's an example:
CellSwitch# show monitor
Just about everyone uses switching today. That's why it's important that you know how to perform port mirroring by enabling SPAN on Cisco switches so you can monitor traffic.
If you want to see how to do this and set up Wireshark to do Ring Buffers - see my article here.
We hope this helps you with setting up Cisco switches for port mirroring and packet analysis.