Creating a SPAN Port on a 2960

Creating a mirroring port also called a SPAN port (Switched Port Analyzer) might be required for some network appliances to analyze network traffic. Since we have switches which run in separate collision domains per port we have to do some configuration on the switch first before we can analyze traffic. (Think back to Collision domains vs. Broadcast domains)

In this example I have a 24-port Cisco Catalyst 2960 switch with no configuration on it. I have two PCs that are connected to this switch, One PC (PC2) will be my destination of copied frames while the other PC (PC1) will be the source of those frames. PC2 will have Wireshark installed and be capturing the output, while PC1 will browsing the web and checking for windows updates. If all goes correct I should be able to see traffic that PC1 is sending and receiving from PC2.

To get started I am in global configuration mode and I will be using the “monitor session” command. The following command below tells the switch to copy frames on port FastEthernet0/5 which is where PC1 is physically connected.

Switch(config)#monitor session 1 source interface Fa0/5

I have to issue one more command which tells the switch where to send those copied frames and in this example I sending them to FastEthernet0/6 which is where PC2 is physically connected.

Switch(config)monitor session 1 destination interface Fa0/6

You can verify your SPAN port by issuing the show monitor session command.

Switch#show monitor session 1
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Fa0/5
Destination Ports      : Fa0/6
    Encapsulation      : Native
          Ingress      : Disabled

Switch#

After that is complete I have ran a wireshark capture on PC2 and you can check out the results here on cloud shark I only ran the capture for 78 seconds and had a total of 4551 packets!

http://www.cloudshark.org/captures/8f1cd7661a1f

That’s it! You can also watch more than one network port to capture network traffic if you want, as well using it on port-channels but the 2960 I have does not support that feature 🙂 Like always I hope this information is helpful and Happy New Year!

Cisco Documentation:
Catalyst Switched Port Analyzer (SPAN) Configuration Example

Advertisements