Mirroring a port for packet capture - Metasys - LIT-12013055 - Gateway/Router - Cisco Switch - 12.0

Cisco IE 2000 and IE 4010 Ethernet Switches for Metasys Networks Installation Instructions and Troubleshooting Guide

Brand
Metasys
Product name
Cisco Switch
Document type
Troubleshooting Guide
Document number
LIT-12013055
Version
12.0
Revision date
2022-07-08
Language
English

Use the following commands to set up a monitor session, so that you can capture packets crossing a physical switch interface. The idea is to reconfigure the switch so that a copy of activity on a live port is sent to the maintenance port. The configuration commands are the following:

  • monitor session 1 source interface Fa1/1
  • monitor session 1 destination interface Fa1/8 encapsulation replicate

If you enter these two lines, you set up a monitoring session, session 1. The first line specifies that the source is FastEthernet1/1, which is the port labeled 1X on the switch. The second line specifies that the destination port FastEthernet1/8, which is the port labeled 8X on the port. By convention, the last port is the maintenance port. Because port 1 is a ring port, all of the management frames are replicated, making the capture file very large. On the other hand, most packet capture programs have a way to filter out packets during the capture.monitor session 1 destination interface Fa1/8 encapsulation replicate

Note: If you wish to ignore the MRP test frame messages, you can exclude encapsulation replicate from the CLI command line on the monitor session of an MRP port. Doing so significantly reduces the resultant capture file.

To leave the session, return to the configuration mode, enter no monitor session 1 and save the configuration file if necessary. If you do not save the configuration after creating the session, you can use the reload command to restart the switch and kill the session.

In many cases, it is more useful to monitor the forwarding port, indicated by a blinking LED, than the blocked port, indicated by a solid LED. To force the ports to change roles, disconnect and reconnect the wires. For example, disconnect both cables, then reconnect the cable to the port that is mirrored, then reconnect the cable to the port that is not mirrored. It is also possible to change the switch configuration so that the mirror port mirrors both ring ports. This gives a more complete picture of what is happening, but also means that there are more packets to try to understand.

To check your work after exiting configuration mode, enter the following IOS command: show monitor session all.