Analyze traffic on switch ports with SPAN and RSPAN

While the ability to monitor your network traffic is critical, the process is different on a switch than on a router. In this edition of Cisco Routers and Switches, David Davis tells you how you can monitor traffic on your switch ports using SPAN and RSPAN.

The ability to monitor your network traffic is critical. If you really need to get down to the packet level, using a protocol analyzer is your best bet.

I've heard from a number of TechRepublic members who have questions about using a protocol analyzer (i.e., sniffer), such as Ethereal, to decode, monitor, and understand their network traffic. To do so, they want to connect their monitoring station to a switch and view all data going across that switch or across the network.

If you're using a hub, this works fine. However, most of us don't use hubs anymore; instead, we use switches. And trying to monitor all network traffic with a switch won't work.

When using a protocol analyzer such as Ethereal, you typically want to see as much network traffic as you can get your hands on. From there, you can filter it to exactly what you want. But if you try to run a protocol analyzer on a computer connected to a switch, all you'll see is traffic to and from your computer, as well as broadcasts on your network.

Why is this the case? Each port on a switch is a private network segment. This is much different from a hub. A hub really works as a multi-port repeater, sending out any traffic that comes into one port to all other ports. And in the process, all devices on the hub share the same bandwidth.

But with a switch, each port has its own private bandwidth—it doesn't have to share it with the other ports/devices. The switch keeps a table of all ports and all Ethernet MAC addresses on those ports.

This table is known as a CAM table or MAC address table, and you can view it with the show mac-address-table command on a Cisco Catalyst switch. Listing A offers an example.

That means the switch only sends your workstation the traffic destined for it. It will also send you broadcast traffic meant for all devices on the LAN, which is something a router would not forward.
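As an added illustration of the table described above (this is example code, not part of the original column, and the show mac-address-table output it parses is constructed to resemble a Catalyst 2950's layout rather than copied from a real switch), the following script reads the CAM table, reports which port a given MAC address was learned on, and lists ports with several addresses behind them. That is useful when choosing SPAN sources: a port with many addresses is usually an uplink or a hub, while an ordinary access port that suddenly learns dozens of addresses is worth a closer look.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the layout of `show mac-address-table`
# on a Catalyst 2950; the addresses and ports are made up for this example.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
   1    0009.b79a.3c01    DYNAMIC     Fa0/1
   1    0009.b79a.3c02    DYNAMIC     Fa0/2
  20    000c.2911.aa01    DYNAMIC     Fa0/5
  20    000c.2911.aa02    DYNAMIC     Fa0/5
   1    0011.2233.4401    DYNAMIC     Gi0/1
   1    0011.2233.4402    DYNAMIC     Gi0/1
  20    0011.2233.4403    DYNAMIC     Gi0/1
  20    0011.2233.4404    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 9
"""

# One table row: VLAN (or "All"), dotted-hex MAC, entry type, port name.
ROW_RE = re.compile(
    r"^\s*(?P<vlan>All|\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>\S+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return one dict (vlan, mac, type, port) per row of the CAM table."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            row["mac"] = row["mac"].lower()
            row["type"] = row["type"].upper()
            rows.append(row)
    return rows


def macs_per_port(rows, dynamic_only=True):
    """Map each port to the sorted list of MAC addresses learned behind it."""
    by_port = defaultdict(set)
    for r in rows:
        if dynamic_only and r["type"] != "DYNAMIC":
            continue  # skip static entries such as the switch's own CPU address
        by_port[r["port"]].add(r["mac"])
    return {port: sorted(macs) for port, macs in by_port.items()}


def find_port(rows, mac):
    """Port on which `mac` was learned, or None if the switch has not seen it."""
    mac = mac.lower()
    for r in rows:
        if r["mac"] == mac:
            return r["port"]
    return None


def multi_host_ports(rows, threshold=2):
    """Ports with at least `threshold` dynamic addresses: uplinks, hubs, or
    access ports that deserve a closer look."""
    return {p: len(m) for p, m in macs_per_port(rows).items() if len(m) >= threshold}


if __name__ == "__main__":
    rows = parse_mac_table(SAMPLE_MAC_TABLE)
    print(f"{len(rows)} entries parsed")
    print("host 000c.2911.aa02 is on", find_port(rows, "000c.2911.aa02"))
    for port, n in sorted(multi_host_ports(rows).items()):
        print(f"{port}: {n} addresses learned")
```

Paste the real output of show mac-address-table in place of the constructed sample; the parser ignores the header, separator and "Total" lines, so the whole screen capture can go in unchanged.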

How do you copy all traffic on a switch to your network protocol analyzer? To get the job done and allow your network protocol analyzer to see all the traffic, you need a Cisco switch feature called Switched Port Analyzer (SPAN) or Remote SPAN (RSPAN). Other vendors call this feature port mirroring.

Here's how SPAN works: It takes all traffic from a single switch port, multiple switch ports, or an entire VLAN, and it copies that traffic to the destination port. In addition to specifying the source and destination ports, you can also indicate whether you want all sent traffic, received traffic, or both sent and received traffic to go to the destination port.

RSPAN enables you to send traffic sourced from multiple switches across the network to your destination port. For example, let's say VLAN 20 spreads across five switches in multiple areas on the LAN. With RSPAN, you can determine that all traffic destined for VLAN 20—from any of these five switches—goes to your destination switch port. Once there, the network protocol analyzer can examine the traffic.

Configuring SPAN is pretty simple. Keep in mind that there are a number of "rules" for source and destination ports. You also need to understand how SPAN works with other protocols, such as STP, VTP, and CDP. I recommend reading the Cisco IOS documentation listed below before you begin.

Here's an example for configuring SPAN. Let's say we want to mirror all traffic going to and from the first 23 Ethernet ports on a 24-port switch. Then we want to send copies of all that traffic to port 24 for protocol analysis. Here's what we would do:

Switch(config)# monitor session 1 source interface FastEthernet 0/1 - 23 both
Switch(config)# monitor session 1 destination interface FastEthernet0/24

Keep in mind that mirroring a lot of traffic can put a heavy load on the switch. Make sure you disable all monitoring when you're finished. Here's an example:

Switch(config)# no monitor session 1

You can use the show monitor command to check the status of monitoring. Here's an example:

Switch# show monitor
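To tie the three commands above together, here is an added Python example (not code from the original column) that builds the two configuration lines for a local SPAN session while enforcing the rule that the destination port may not also be a source, and that parses show monitor output so you can confirm a session is set up as intended, or confirm it is gone after no monitor session. The show monitor text it parses is constructed to resemble Catalyst 2950 output rather than captured from a real switch, and the port-range syntax it accepts (for example "Fa0/1-23" or "FastEthernet0/1 - 23") is the only form the example handles.

```python
import re

# Constructed sample, modelled on `show monitor` output from a Catalyst 2950
# after the session configured in the article; values are made up here.
SAMPLE_SHOW_MONITOR = """\
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Fa0/1-23
Destination Ports      : Fa0/24
    Encapsulation      : Native
          Ingress      : Disabled
"""

# "Prefix/first - last" or a single port; ranges may carry spaces round the dash.
PORT_RE = re.compile(r"^([A-Za-z]+\d+/)(\d+)\s*(?:-\s*(\d+))?$")


def expand_ports(spec):
    """'Fa0/1-23,Fa0/25' -> ['Fa0/1', ..., 'Fa0/23', 'Fa0/25']."""
    ports = []
    for item in spec.split(","):
        m = PORT_RE.match(item.strip())
        if not m:
            raise ValueError(f"unrecognised port spec: {item!r}")
        prefix, first = m.group(1), int(m.group(2))
        last = int(m.group(3)) if m.group(3) else first
        ports.extend(f"{prefix}{n}" for n in range(first, last + 1))
    return ports


def span_commands(session, source, destination, direction="both"):
    """Return the two config lines for a local SPAN session.

    Raises ValueError if the destination port is inside the source range,
    which the switch would reject, or if the direction keyword is unknown.
    """
    if direction not in ("both", "rx", "tx"):
        raise ValueError("direction must be both, rx or tx")
    if destination in expand_ports(source):
        raise ValueError(f"{destination} cannot be both a source and the destination")
    return [
        f"monitor session {session} source interface {source} {direction}",
        f"monitor session {session} destination interface {destination}",
    ]


def parse_show_monitor(text):
    """Parse `show monitor` into {session_id: {type, sources, destination}}.

    `sources` maps the direction label (Both / RX Only / TX Only) to the
    expanded list of ports; `destination` is the expanded destination list.
    """
    sessions, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^Session (\d+)", line)
        if m:
            current = {"type": None, "sources": {}, "destination": []}
            sessions[int(m.group(1))] = current
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "Type":
            current["type"] = value
        elif key in ("Both", "RX Only", "TX Only") and value:
            current["sources"][key] = expand_ports(value)
        elif key == "Destination Ports" and value:
            current["destination"] = expand_ports(value)
    return sessions


def active_sessions(text):
    """Session numbers still configured; empty once monitoring is disabled."""
    return sorted(parse_show_monitor(text))


if __name__ == "__main__":
    for cmd in span_commands(1, "FastEthernet0/1 - 23", "FastEthernet0/24"):
        print("Switch(config)#", cmd)
    print("active sessions:", active_sessions(SAMPLE_SHOW_MONITOR))
    print(parse_show_monitor(SAMPLE_SHOW_MONITOR)[1]["destination"])
```

Use direction="rx" to mirror only frames received on the source ports, which halves the load on the destination port when the source and destination ports all sit on the same switch and every frame would otherwise be copied twice. After issuing no monitor session 1, feed the new show monitor output to active_sessions and expect an empty list.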

Just about everyone uses switching today. That's why it's important that you know how to perform port mirroring by enabling SPAN on Cisco switches so you can monitor traffic.

More resources

For more information on Ethereal, check out these TechRepublic articles:

For more information on configuring SPAN and RSPAN, check out Cisco's 2950/2955 Catalyst Switch documentation and "Configuring SPAN and RSPAN."

Have you used SPAN, RSPAN, or port mirroring? Share your experiences in this article's discussion.

David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.

9 comments

mlheiden

Do the Enterasys and 3Com support the RSPAN feature?

icmp30

If you span both input and output frames then everything is duplicated. Better to do mon ses 1 source int f0/1 - 23 rx and not confuse Wireshark with all those duplicated frames.

IT cowgirl

I have used these methods and Ethereal to sniff traffic and it works great! However, there are only two SPAN ports available per switch. This is plenty for sniffing, but then security wants to have SPAN ports for security devices. Better for security to purchase devices which physically scan the data rather than via SPAN ports.

EEnglish34

This is a great article David! This information will be very helpful to some of the instructors at my job. Thanks.

PScottC

Attach a hub to your SPAN port. Then connect as many devices as you need to listen to the traffic. PSC

Ernesto.Valenzuela

I have recently done this on a 3550; the problem is that when you try to monitor so many ports you get out-of-order packets. Do you know of any way to get around that? Thank you.