HP Procurve 2650 and wireshark

Status
Not open for further replies.

DanielUK

Hi,

I'm not sure if I've understood port monitoring with my 2650 but if I want to monitor outgoing traffic via our Netgear router connected to the switch and:

  • the Netgear router is on port 45
  • my PC running wireshark is on port 8

Then I thought I could make port 8 the "monitoring port" and make port 45 the monitored port. If I do this though I don't see all traffic going through the router. Am I missing something? I'm basically trying to monitor all outbound traffic that goes through the router.
 
Do a "show monitor" on the switch. What do you see?

Do you have the "Promiscuous mode" box ticked in Wireshark?
 
Thanks for the response, this is using the CLI, right? I've just been using the web interface so far. I'll see about linking it up to a PC so I can telnet in, run the command and report back. And yes, wireshark is in promiscuous mode.
 
Hi, connected via telnet and got:

ProCurve Switch 2650# show monitor

Network Monitoring Port

Mirror Port: 8

Monitoring sources
------------------
45

However I don't seem to see any internet bound traffic coming from that port, the ip address that is "busy" is my own. Am I missing something in the way that this is supposed to work?
 
OK, so I'm trying to spread the net a bit further so I'm including extra monitoring sources to be mirrored to port 8 (the port with my PC on running wireshark in promiscuous mode). So far I have the ports monitored for:

The Netgear router (default gateway)
The SBS Server which is also the nameserver
two PCs

So I should be seeing the traffic to and from all these ports, right? If I get one of the PCs to visit a particular website and filter by ip address that the domain resolves to in Wireshark e.g. ip.addr == x.x.x.x I don't get anything. It will however, pick up my own traffic from my machine if I then visit the website and apply this filter.
 
Your machine running wireshark has to be patched to the mirror port.
If your PC is visiting websites, then it isn't on a mirror port.
 
Thanks Vince, I'm not sure I understand so I'll need to clarify.

I've checked the physical cabling and the office LAN socket that my PC is wired into ends up at Port 8 on the switch which is the mirror port. Are you saying it has to be DIRECTLY wired straight to that port and not via the network socket in the office which is wired back to the patch panel which in turn is wired into the switch on that port?

Thanks

Dan
 
No, I'm not saying that.
When you said your PC was visiting websites, I momentarily misunderstood that you meant the PC you were running Wireshark on. I see that's not the case. I have no idea why you can't see the traffic that's being mirrored.
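
A quick check for the symptom described in this thread (only the capture PC's own traffic shows up), as an added example that is not part of the original posts: it reads a capture saved in classic pcap format and counts unicast frames between other hosts, which a switched port would normally receive only when the mirror is delivering. The MAC addresses and sample captures are constructed, and the function names are illustrative.

```python
import struct

def mirror_summary(pcap_bytes, own_mac):
    """Classify Ethernet frames in a classic pcap relative to the capture host's MAC."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    own = bytes.fromhex(own_mac.replace(":", ""))
    counts = {"own": 0, "broadcast_multicast": 0, "other_unicast": 0}
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 14:
            continue  # truncated record, no full Ethernet header
        dst, src = frame[:6], frame[6:12]
        if own in (dst, src):
            counts["own"] += 1
        elif dst[0] & 1:
            counts["broadcast_multicast"] += 1  # reaches every port anyway
        else:
            counts["other_unicast"] += 1  # expected only if mirroring delivers
    return counts

def build_sample(frames):
    """Build a constructed little-endian pcap from (dst, src) MAC string pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for dst, src in frames:
        eth = bytes.fromhex((dst + src).replace(":", "")) + b"\x08\x00" + b"\x00" * 46
        out += struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth
    return out

# Constructed MAC addresses, not taken from the thread
OWN, ROUTER, OTHER_PC = "02:00:00:00:00:08", "02:00:00:00:00:45", "02:00:00:00:00:11"
BCAST = "ff:ff:ff:ff:ff:ff"
NOT_MIRRORING = build_sample([(ROUTER, OWN), (OWN, ROUTER), (BCAST, OTHER_PC)])
MIRRORING = NOT_MIRRORING + build_sample([(ROUTER, OTHER_PC), (OTHER_PC, ROUTER)])[24:]

if __name__ == "__main__":
    print(mirror_summary(NOT_MIRRORING, OWN))
    print(mirror_summary(MIRRORING, OWN))
```

An `other_unicast` count of zero over a busy period matches what the thread reports; a pcapng capture has to be saved as pcap first, since this parser does not read pcapng.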
 