0

I would like to debug an application that send ethernet packets from one embedded device to another.

In the lab setup, these devices are connected through Cisco Catalyst 2960-S switch.

For debugging purpose, I would like to see all the traffic with a Wireshark.

Is it possible to connect a PC, that is running Wireshark, into one of the ports of the switch and monitor the traffic between the devices? What configuration changes will be required?

Improve this question

1 Answer 1

Reset to default
1

Cisco calls this feature SPAN (Switched Port ANalyzer). Other manufacturers call it port monitoring or port mirroring. Instructions for the 2960 can currently be found here. If that link ever goes away the relevant search terms are "2960 span" and "2960 monitor session".

Improve this answer
3
  • Please tell me if I understand correctly, after configuring a port to be SPAN port, I can connect a PC with wireshark, and the PC will receive the traffic of the other ports? What about the communication between the PC and the switch (eg ARP, various Windows protocols etc that are automatically sent on each PC port) Will this traffic interfere with how SPAN works?
    – Artium
    Commented Dec 17, 2016 at 10:00
  • That's correct. SPAN / port mirroring copies traffic to or from one or source ports to a destination port. According to the documentation the 2960 will ignore traffic from your PC while its port is in monitor mode. (This isn't universally true for all switches). In the past I've used a separate dedicated NIC for monitoring.
    – Gerald Combs
    Commented Dec 17, 2016 at 17:53
  • Also note that the next step up from SPAN / mirror ports are dedicated hardware taps. The difference in packet loss and timestamping is such that some people have strong opinions about the two technologies.
    – Gerald Combs
    Commented Dec 17, 2016 at 20:17

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .