Priscilla, Inline replies.
""Priscilla Oppenheimer"" wrote in message news:[EMAIL PROTECTED] > Richard Burdette wrote: > > > > Sorry for the typo, bit of port dslyexia perhaps, the analyzer > > is in 2/3 and > > one of the routers is in 1/2. I used the command correctly on > > the bridge > > but I mis-typed in my post. As corrected it should have read > > "set span 1/2 > > 2/3 both". > > Where's the other router? I don't think you would make the following > mistakes, but it's worth a check: > > 1) The two routers can't be both out the same port of the switch, for > example, plugged into another switch on port 1/2. The packets wouldn't go > through the switch doing SPAN in that case. (Sorry if that's obvious!) > > 2) One of the routers can't be on the same port as the analyzer. In software > release 4.2 and later, incoming traffic on the SPAN destination port is > disabled by default. You can enable it using the inpkts enable keywords. > Do you mean normal traffic for the port with the anaylzer or span traffic as well? What I mean is, you don't have to specify inpkts in order to see the mirrored packets do you? Router one is, or was, on port 2/1 and the other was on port 1/2. The analyzer I am using is the one you recommended called Ethereal. I'm using it with the beta WinPcap 3. When I telneted out to one of the routers from the port the analyzer is in I was able to record the TCP packets wonderfully. I tried span on both ports conatining the routers and in either case I was not able to capture traffic. > Other thoughts: > > Did this analyzer ever work to capture anything other than its own traffic > and broadcast traffic? I don't think I can say yes or no. I will try some more playing around with span to see it I can capture something on the other port. > It needs to work in promiscuous mode to capture > traffic not intended for its NIC. The NIC needs to support promiscuous mode > too. Most do, but it could be disabled or the software could be disabling > it. What analyzer is it? I think Ethereal has a menu option for this. > > To mirror what someone else said in a different thread: Is there a firewall > on the analzyer machine that could be blocking traffic? I've been bit by this one so many times as well, but no, ZoneAlarm was disabled at the time. I can't remember how many times I sat here scrathing my head wondering why I could ping out but not to the desktop. Than suddendly, darn it, Zone Alaem once again!!! > > Let us know! Thanks, > > Priscilla > www.priscilla.com > > > > > > > Rich > > > > ""Larry Letterman"" wrote in message > > news:[EMAIL PROTECTED] > > > you have the analyzer and the router in the same port ? > > > 1/2 according to the below text ? > > > > > > set span source-port dest-port in/out/both > > > > > > Larry Letterman > > > Network Engineer > > > Cisco Systems > > > > > > > > > ----- Original Message ----- > > > From: Richard Burdette > > > To: [EMAIL PROTECTED] > > > Sent: Saturday, March 01, 2003 6:48 PM > > > Subject: Span Port on 5000 [7:64186] > > > > > > > > > Ok, I'm trying to capture TCP, specifically Telnet traffic > > going between > > > two > > > routers on 2 ports of the bridge. I have a protocol > > > analyzer on port 1/2 (I've tried other bridge ports as > > well). The > > routers > > > come in on 1/2 and 2/3. > > > > > > To start I enter the command 'set span 2/3 1/2 both' on the > > 5000 bridge. > > I > > > do a 'show span' to check that the configuration took, all > > looks good. > > > > > > I fire up the analyzer on 1/2 and succesfully initiate > > telnet from one > > > router to the other. My problem is that I see no TCP > > traffic at all, > > > plenty > > > of CDP, OSPF and STP traffic but no TCP. When I telnet > > from my box to > > the > > > router I see plenty of the Telnet traffic. Why am I not > > able to see the > > > traffic via the span command? Thanks. > > > > > > Richard Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64219&t=64186 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
