conceptssite.blogg.se

Backtrack wireshark monitor mode

You need to have 'service internal' enabled, but it's quite a safe feature to run; I've run it a good deal in production networks and have not yet once experienced negative impact.

Essentially, what ELAM does is show you what was sent for lookup processing to the PFC via DBUS (Data BUS) and what the PFC gave as the lookup result in RBUS (Result BUS).

    show plat cap elam asic superman slot DFC/PFC_SLOT_YOU_WANT_TO_LOOK
    show plat cap elam trigger dbus ipv4 if ip_sa=192.0.2.1

For the triggers there is online help: IP_SA = IP Source Address, IP_DA = IP Destination Address, and a lot of others are available. If what you want to check isn't available, you can do a data + mask match for arbitrary data on the first 64B. The arbitrary trigger is a bit awkward but can be a lifesaver; you'll use it like this:

    show platform capture elam trigger dbus others if data = DATA1 DATA2 DATAn

Data starts from DMAC. So say we want to catch incoming MPLS stack of, but we don't care about MAC addresses, we could do this:

The client switchport or the server switchport can be monitored. A third switchport can be configured as a mirror port. This means that this mirror port will receive copies of all packets on the corresponding original port, while the original traffic won't be affected.

Define the source and set the session number:

    monitor session 1 source interface fa 0/24

Here, the session number can be from 1 to 66; you could also specify a VLAN or an ethernet channel. Also, interface ranges such as fa 0/25 - 26 are possible, and interface lists, such as fa 0/24,fa 0/26, if you would like to monitor several clients at the same time. Also, by repeating the command you can add ports, or remove them using no. Mixing ports and VLANs is not possible in the same session; another restriction is that you cannot use a destination port as a source port.

Define the destination port:

    monitor session 1 destination interface gi 0/1

You can use a normal port, but not a VLAN. Similarly to above, a destination port cannot be a source port: a port used here can either be a source or a destination port, and only of one session. Again, you can specify multiple ports like above.

You may want to exit configuration mode and save the config. You may have a look at your defined session - here multiple ports, tried like above:

    #show monitor session 1

You can see an encapsulation here - optionally you can set it to replicate for replicating the source interface encapsulation method, such as by adding encapsulation replicate after the source interface. Furthermore, you can specify a direction (tx, rx, both), filter VLANs and more. The Ingress: Disabled line means that the switch will not accept any frames presented to it by your capture device on a destination port. For such finer details and for further restrictions and default settings, have a look at the command reference of the IOS version of your switch.

Once you have configured the source and destination port, you can capture the traffic using your laptop connected to the destination port, for example with Wireshark. The number of source sessions can be limited; for example, the 3560 supports a maximum of 2.

After capturing, don't forget to remove this session configuration.
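As an added example (not part of the original page), this Python sketch checks planned monitor session lines against the restrictions described above before they are pasted into a switch. The accepted line syntax, the two-letter interface name normalisation and the sample config are assumptions; the source-session limit is a parameter because it differs per platform.

```python
import re
from collections import defaultdict

LINE = re.compile(r"^\s*monitor session (\d+) (source|destination) (interface|vlan) (.+)$", re.I | re.M)
OPTS = re.compile(r"\s+(both|rx|tx|encapsulation|ingress)\b.*$", re.I)
PORT = re.compile(r"\s*([a-z-]+)\s*([\d/]*?)(\d+)(?:\s*-\s*(\d+))?\s*", re.I)

def expand(spec):
    """Expand lists ('fa 0/24,fa 0/26') and ranges ('fa 0/25 - 26') to port names."""
    ports = set()
    for m in filter(None, map(PORT.fullmatch, OPTS.sub("", spec).split(","))):
        name, prefix, first, last = m.groups()
        for n in range(int(first), int(last or first) + 1):
            ports.add(f"{name[:2].lower()}{prefix}{n}")  # Fa / FastEthernet -> fa
    return ports

def audit(config, max_source_sessions=None):
    """Return findings for SPAN lines that break the restrictions described above."""
    uses, kinds, findings = defaultdict(set), defaultdict(set), []
    for m in LINE.finditer(config):  # lines starting with 'no' are skipped
        sid, role, kind = int(m[1]), m[2].lower(), m[3].lower()
        if not 1 <= sid <= 66:
            findings.append(f"session {sid}: number outside 1-66")
        if role == "source":
            kinds[sid].add(kind)
        elif kind == "vlan":
            findings.append(f"session {sid}: destination cannot be a VLAN")
        if kind == "interface":
            for port in expand(m[4]):
                uses[port].add(f"{role} of session {sid}")
    findings += [f"session {s}: mixes port and VLAN sources"
                 for s, k in sorted(kinds.items()) if len(k) > 1]
    for port, u in sorted(uses.items()):
        # A destination port may not be a source, nor belong to a second session.
        if len(u) > 1 and any(x.startswith("destination") for x in u):
            findings.append(f"{port}: " + ", ".join(sorted(u)))
    if max_source_sessions is not None and len(kinds) > max_source_sessions:
        findings.append(f"{len(kinds)} source sessions, limit {max_source_sessions}")
    return findings

# Constructed sample config, not taken from a real device.
SAMPLE = """\
monitor session 1 source interface Fa0/24 , Fa0/25 - 26
monitor session 1 destination interface Gi0/1
monitor session 2 source interface Gi0/1
monitor session 2 source vlan 10
monitor session 2 destination interface Gi0/2
monitor session 3 source interface Fa0/10
monitor session 3 destination interface Gi0/2
"""
```

Calling audit(SAMPLE, max_source_sessions=2) returns one finding per violated restriction; an empty list means the planned lines are consistent with the rules above.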











