Cisco: Packet sniffing

The official term of Cisco for Packet sniffing isĀ  SPAN ( Switched Port Analyzer ) also called sometimes port mirroring or port monitoring and it’s purpose is to select traffic from a source and send to a destination with a network analyzer tool. You can find out there terms like RSPAN, PSPAN, VSPAN, ESPAN, but this are at their basic functionality nothing more than SPAN with some enhanced features ( e.g. ESPAN – Enhanced SPAN ) or describing their primary functionality ( e.g. VSPAN – Vlan SPAN – used to monitor vlans ).

Now, depending on you Cisco platform some of this xSPAN can be supported or not. A list with them you can find here.
On the high-class products, like 6500, you can find another device called NAM ( Network Analysis Module ) which enhance SPAN by providing a web interface and a local embedded traffic analyzer. Maybe someday, if I have a spare device I will make a short tutorial about NAM module.

For the basic SPAN configuration purpose I will use a c3750 as this method is supported on many more devices ( e.g. 3550, 3560, 2950, 2900XL). One notice before we begin. On the port where you redirect your SPAN traffic and where you connect your device with traffic analyzer, you don’t need a Layer 3 address. So, just let that port with plain Layer 2 configuration.

Please see the tutorial below:

Published by

Calin

Calin is a network engineer, with more than 20 years of experience in designing, installing, troubleshooting, and maintaining large enterprise WAN and LAN networks.

Any opinion on this post? Please let me know:

This site uses Akismet to reduce spam. Learn how your comment data is processed.