Use the following commands to set up a monitor session, so that you can capture packets crossing a physical switch interface. The idea is to reconfigure the switch so that a copy of activity on a live port is sent to the maintenance port. The configuration commands are the following:
- monitor session 1 source interface Fa1/1
- monitor session 1 destination interface Fa1/8 encapsulation replicate
If you enter these two lines, you set up a monitoring session, session 1. The first line specifies that the source is FastEthernet1/1, which is the port labeled 1X on the switch. The second line specifies that the destination port FastEthernet1/8, which is the port labeled 8X on the port. By convention, the last port is the maintenance port. Because port 1 is a ring port, all of the management frames are replicated, making the capture file very large. On the other hand, most packet capture programs have a way to filter out packets during the capture.monitor session 1 destination interface Fa1/8 encapsulation replicate
To leave the session, return to the configuration mode, enter no monitor
session 1 and save the configuration file if necessary. If you do not
save the configuration after creating the session, you can use the
reload
command to restart the switch and kill the session.
In many cases, it is more useful to monitor the forwarding port, indicated by a blinking LED, than the blocked port, indicated by a solid LED. To force the ports to change roles, disconnect and reconnect the wires. For example, disconnect both cables, then reconnect the cable to the port that is mirrored, then reconnect the cable to the port that is not mirrored. It is also possible to change the switch configuration so that the mirror port mirrors both ring ports. This gives a more complete picture of what is happening, but also means that there are more packets to try to understand.
To check your work after exiting configuration mode, enter the following IOS command: show monitor session all.