No traffic going through SPAN port

[john99999]

I configured a SPAN port, but no traffic going through the SPAN port.

I cant access the internet or ping other computers on the switch from the computer connected to my SPAN port.

All ports are on the same VLAN, and it appears I am SPANning correctly:
switch.urdomain.net>show monitor session 1
Session 1
---------
Type : Local Session
Source Ports:
RX Only: None
TX Only: None
Both: Fa0/1-23
Source VLANs:
RX Only: None
TX Only: None
Both: None
Source RSPAN VLAN: None
Destination Ports: Fa0/24
Encapsulation: Native
Reflector Port: None
Filter VLANs: None
Dest RSPAN VLAN: None

The green light is on and flashes periodically on the SPAN port.

Why isnt any traffic going through the SPAN port?

 

[lambent]

I cant access the internet or ping other computers on the switch from the computer connected to my SPAN port."

This is normal.

 

[john99999]

Why is it normal? Its suppose to catch all traffic and I can monitor it with ethereal, no?

 

[lambent]

The destination span port will only mirror inbound and/or outbound traffics from source span ports. It can't be used as normal ports.

If you want to monitor your own PC in which the network analysis software has been installed (in other words you are not monitoring other switch ports), then you don't need to set SPAN.

Say you install Ethereal in your own PC and you want to capture Mary's PC traffic which is connected to another switch port, then you need to set SPAN where source SPAN port is Mary's port, destination SPAN port is your own port.

 

[Cluebird]

You can't access the Internet because when you define the port as SPAN, it now becomes a reflection of the source port and the circuitry changes so you no longer have a normal data port but just a receiver of what is on the monitored port.

When using SPAN think of it like becoming a voyeur. You want to see what others are doing but you don't want them to know you're there. If you "yell" (by sending data on a port you're monitoring) you can no longer hide. You don't want your users to know you're monitoring them (Big Brother is watching.)!

HTH

 

[john99999]

So to monitor the traffic you ahve to be ssh'ed into the switch itself?

 

[lambent]

I suggest you to use 2 PCs/Servers, one is dedicated for network analysis using softwares such as Sniffer Pro/Ethereal and connects to the destination SPAN port, the other one is dedicated for network monitoring using SNMP/RMON and connects to non-SPAN port.

 

[john99999]

So a computer with ethereal can pick up the SPAN port even though it cant ping in or out?

 

[vipergg]

Yes a span port is basically a traffic replication port that you configure to send traffic from different ports that you configure . This is called a monitor port . If you configure to monitor say port 2/15 -20 then all that information is ported to your monitor port and you can look at it with your analyzer .

 

[john99999]

How do i hook an analyzer up?

 

[Cluebird]

Plug the cable from the workstation into the monitor port and fire up the sniffer.