If you have a bit of familiarity Cisco switches you may have configured a SPAN port or a monitor session in the past. A basic span port is very useful in capturing packets or passively monitoring and is a requirement for some web filtering services such as Websense. Today, I want to focus on the SPAN session from a packet capturing standpoint.
If we mirror a switch port that sees a high volume of traffic simply mirroring all of that traffic to our packet capturing port could be too much for our capture system to consume. Fortunately, there is a way to do this through access control lists on the switch itself. Before going further, it is worth mentioning I tested this on a 3750 series switch and results may vary on other units.
A simple monitoring session would look something like this in the configuration:
monitor session 1 source interface vlan 1 monitor session 1 destination interface Gi2/0/4
Or like this:
monitor session 2 source interface Gi 1/0/48 monitor session 2 destination interface Gi1/0/4
All traffic is copied from the source to the destination interface plain and simple.
To troubleshoot a complicated issue on a heavily used network link we will be well severed to limit the packets that get copied to the destination port. To do that first we have to define those packets in an ACL. Let’s say we are looking to capture HTTP traffic between 10.1.1.2 and 18.104.22.168. This access list will look something like this:
access-list 100 permit tcp host 10.1.1.2 gt 1024 host 22.214.171.124 eq 80 access-list 100 permit tcp host 126.96.36.199 eq 80 host 10.1.1.2 gt 1024
As you can see I am covering the bases needed to capture traffic in both directions. Since we really have no idea what port the traffic will be sourcing from I just included everything greater than 1024 to be sure nothing is missed.
To apply this ACL to our monitoring session we need only one more line:
monitor session 1 filter ip access-group 100
You can now fire up wireshark or the like on that destination port, capture without a capture filter, and receive only the traffic that meets the criteria of the access list.
The “monitor session filter” command will also take mac and ipv6 access lists as filtering options. In addition you can also filter by specific VLAN ID. This is useful if you would like to monitor a physical interface that is configured as a trunk. The downfall to the VLAN filtering option, however, is that additional access lists cannot be used in conjunction with it.