Can you give me the command to sniff from say 10.70.1.2 port interface fa0/15 to 10.70.1.5 port interface fa0/14? I am using a Cisco 2950 switch.
- Anthony Cozzucoli
What you want will be done in two parts. The first is to set up what can either be called port mirroring or spanning, depending on the documentation you read. One way of doing this is "monitor session 1 source interface fa0/15", followed by "monitor session 1 destination interface fa0/24".
What these two statements do is take all traffic coming into and out of fa0/15 and copy it to fa0/24 (or whatever port is specified on the "monitor session 1 destination interface" line). As with just about any Cisco IOS command, there are several variations.
By getting a little more granular, you can pick up the traffic coming into fa0/15 and leaving fa0/14. I would suggest starting with my first suggestion until you get a better feel for how the monitor command works. Depending on the version of IOS that your 2950 has, the commands I have discussed here may be a little different but should be fairly close.
The other part of what you want to do will be done with a protocol analyser such as Network General's Sniffer, WildPackets EtherPeek, or Ethereal (an open-source protocol analyser). You will want to put together a capture filter to see what traffic you're looking for during the capture or a display filter that allows you to get different "views" of the captured data until you get exactly what you're looking for.
To construct an easy filter, list any packet where 10.70.1.2 or 10.70.1.5 shows up as the source or destination IP address in any of the packets captured. Everything else should be ignored.
One feature I have found very useful in Ethereal is colour coding certain types of packets. This means that DNS-type packets are one colour, ARP packets are a different colour, etc. While this may sound like unnecessary work on the surface, the colourising of packets has helped me see a problem that I might have otherwise missed.
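The capture filter described two paragraphs up and the packet-type classification behind the colour coding, written out as an added example in Python (this is not code from the answer or from any of the analysers it names). It assumes Ethernet II frames with IPv4 or ARP on top, and the sample frames at the bottom are constructed in the script rather than taken from a real capture.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

# The two hosts named in the question; everything else is dropped by the filter.
WATCHED = {"10.70.1.2", "10.70.1.5"}

@dataclass
class Frame:
    src: Optional[str]
    dst: Optional[str]
    kind: str  # "ARP", "DNS", "UDP", "TCP", "IP" or "OTHER": the basis for colouring

def parse_frame(raw: bytes) -> Frame:
    """Minimal Ethernet II / ARP / IPv4 / UDP parser: just enough to filter and classify."""
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype == 0x0806:  # ARP: sender IP at offset 28, target IP at offset 38
        return Frame(socket.inet_ntoa(raw[28:32]), socket.inet_ntoa(raw[38:42]), "ARP")
    if ethertype == 0x0800:  # IPv4 header starts right after the 14-byte Ethernet header
        ihl = (raw[14] & 0x0F) * 4
        src, dst = socket.inet_ntoa(raw[26:30]), socket.inet_ntoa(raw[30:34])
        kind = {6: "TCP", 17: "UDP"}.get(raw[23], "IP")
        if kind == "UDP":  # treat UDP port 53 on either side as DNS
            sport, dport = struct.unpack("!HH", raw[14 + ihl:14 + ihl + 4])
            kind = "DNS" if 53 in (sport, dport) else "UDP"
        return Frame(src, dst, kind)
    return Frame(None, None, "OTHER")

def capture_filter(frame: Frame) -> bool:
    """Same rule as the BPF expression 'host 10.70.1.2 or host 10.70.1.5'."""
    return frame.src in WATCHED or frame.dst in WATCHED

def filter_traffic(frames: List[bytes]) -> List[Frame]:
    """Parse raw frames and keep only those that pass the capture filter."""
    return [f for f in map(parse_frame, frames) if capture_filter(f)]

# Constructed sample frames (not real captures); MAC addresses are left as zeros.
def _ipv4(src, dst, proto, payload):
    ip = bytes([0x45, 0]) + struct.pack("!H", 20 + len(payload)) + b"\x00\x00\x40\x00\x40"
    ip += bytes([proto]) + b"\x00\x00" + socket.inet_aton(src) + socket.inet_aton(dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def _arp(sender, target):
    body = b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 6 + socket.inet_aton(sender)
    return b"\x00" * 12 + b"\x08\x06" + body + b"\x00" * 6 + socket.inet_aton(target)

SAMPLES = [
    _ipv4("10.70.1.2", "10.70.1.9", 17, struct.pack("!HHHH", 40000, 53, 8, 0)),    # DNS query, kept
    _arp("10.70.1.7", "10.70.1.5"),                                                 # ARP for a watched host, kept
    _ipv4("10.70.1.20", "10.70.1.21", 17, struct.pack("!HHHH", 5000, 5001, 8, 0)),  # unrelated UDP, dropped
    _ipv4("10.70.1.5", "10.70.1.2", 6, b"\x00" * 20),                               # TCP between the two, kept
]
```

Running filter_traffic(SAMPLES) keeps the DNS, ARP and TCP frames and drops the unrelated UDP one, which is exactly what the "host ... or host ..." capture filter would leave you looking at.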