You don't need "inpkts enable" to see the mirrored traffic.

In Ethereal, when you go to the Capture menu and select the adapter, make
sure you select "Capture packets in promiscuous mode." I think Ethereal
defaults to that being off. Their buttons are so ugly, it's hard to tell
which setting is on or off, in the version I'm using anyway. :-) (One reason
to use EtherPeek, i.e. for its great user interface.) So play around with
that.

On Ethernet I haven't had any major problems with Ethereal, actually. On
wireless, to get Ethereal to capture at all I had to say capture not in
promiscuous mode. I couldn't get it to capture promiscuously. I think that's
a limitation of my wireless NIC, though.

Anyway, I bet your problem is somewhere in the promiscuity area. Perhaps you
are just too moral! :-)

Priscilla



Richard Burdette wrote:
> 
> Priscilla,
> 
> Inline replies.
> 
> "Priscilla Oppenheimer" wrote in message
> news:[EMAIL PROTECTED]
> > Richard Burdette wrote:
> > >
> > > Sorry for the typo, bit of port dyslexia perhaps, the analyzer is in 2/3 and
> > > one of the routers is in 1/2.  I used the command correctly on the bridge
> > > but I mis-typed in my post.  As corrected it should have read "set span 1/2
> > > 2/3 both".
> >
> > Where's the other router? I don't think you would make the following
> > mistakes, but it's worth a check:
> >
> > 1) The two routers can't be both out the same port of the switch, for
> > example, plugged into another switch on port 1/2. The packets wouldn't go
> > through the switch doing SPAN in that case. (Sorry if that's obvious!)
> >
> > 2) One of the routers can't be on the same port as the analyzer. In software
> > release 4.2 and later, incoming traffic on the SPAN destination port is
> > disabled by default. You can enable it using the inpkts enable keywords.
> >
> 
> Do you mean normal traffic for the port with the analyzer or span traffic as
> well?  What I mean is, you don't have to specify inpkts in order to see the
> mirrored packets do you?
> 
> Router one is, or was, on port 2/1 and the other was on port 1/2.  The
> analyzer I am using is the one you recommended called Ethereal.  I'm using
> it with the beta WinPcap 3.
> 
> When I telneted out to one of the routers from the port the analyzer is in I
> was able to record the TCP packets wonderfully.  I tried span on both ports
> containing the routers and in either case I was not able to capture traffic.
> 
> > Other thoughts:
> >
> > Did this analyzer ever work to capture anything other than its own traffic
> > and broadcast traffic?
> 
> I don't think I can say yes or no.  I will try some more playing around with
> span to see if I can capture something on the other port.
> 
> > It needs to work in promiscuous mode to capture
> > traffic not intended for its NIC. The NIC needs to support promiscuous mode
> > too. Most do, but it could be disabled or the software could be disabling
> > it. What analyzer is it? I think Ethereal has a menu option for this.
> >
> > To mirror what someone else said in a different thread: Is there a firewall
> > on the analyzer machine that could be blocking traffic?
> 
> I've been bit by this one so many times as well, but no, ZoneAlarm was
> disabled at the time. I can't remember how many times I sat here scratching
> my head wondering why I could ping out but not to the desktop. Then
> suddenly, darn it, ZoneAlarm once again!!!
> 
> >
> > Let us know! Thanks,
> >
> > Priscilla
> > www.priscilla.com
> >
> >
> >
> > >
> > > Rich
> > >
> > > "Larry Letterman" wrote in message
> > > news:[EMAIL PROTECTED]
> > > > you have the analyzer and the router in the same port ?
> > > > 1/2 according to the below text ?
> > > >
> > > > set span source-port dest-port in/out/both
> > > >
> > > > Larry Letterman
> > > > Network Engineer
> > > > Cisco Systems
> > > >
> > > >
> > > >   ----- Original Message -----
> > > >   From: Richard Burdette
> > > >   To: [EMAIL PROTECTED]
> > > >   Sent: Saturday, March 01, 2003 6:48 PM
> > > >   Subject: Span Port on 5000 [7:64186]
> > > >
> > > >
> > > >   Ok, I'm trying to capture TCP, specifically Telnet traffic going between two
> > > >   routers on 2 ports of the bridge.  I have a protocol
> > > >   analyzer on port 1/2 (I've tried other bridge ports as well). The routers
> > > >   come in on 1/2 and 2/3.
> > > >
> > > >   To start I enter the command 'set span 2/3 1/2 both' on the 5000 bridge. I
> > > >   do a 'show span' to check that the configuration took, all looks good.
> > > >
> > > >   I fire up the analyzer on 1/2 and successfully initiate telnet from one
> > > >   router to the other.  My problem is that I see no TCP traffic at all, plenty
> > > >   of CDP, OSPF and STP traffic but no TCP.  When I telnet from my box to the
> > > >   router I see plenty of the Telnet traffic.  Why am I not able to see the
> > > >   traffic via the span command?  Thanks.
> > > >
> > > >   Richard
> 
> 
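
Added example, not part of the original thread: one way to check a saved capture for the symptom described above (multicast such as CDP, OSPF and STP plus the analyzer's own sessions, but no unicast between other hosts), which is what a capture looks like when promiscuous mode is off or the SPAN session is not mirroring. It reads a classic libpcap file; all function names and MAC addresses below are constructed for the illustration.

```python
import struct

BROADCAST = b"\xff" * 6

def classify_pcap(data, own_mac):
    """Count Ethernet frames in a classic libpcap file by destination class."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    counts = dict(own_unicast=0, foreign_unicast=0, broadcast=0, multicast=0)
    off = 24                                   # skip the global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:                    # truncated record, skip it
            continue
        dst, src = frame[:6], frame[6:12]
        if dst == BROADCAST:
            key = "broadcast"
        elif dst[0] & 1:                       # group bit set: multicast
            key = "multicast"
        elif own_mac in (dst, src):            # the analyzer's own sessions
            key = "own_unicast"
        else:                                  # unicast between other hosts
            key = "foreign_unicast"
        counts[key] += 1
    return counts

def mirrored_unicast_seen(counts):
    return counts["foreign_unicast"] > 0       # True only if mirroring is visible

# --- constructed sample data (all unicast MAC addresses are made up) ---
OWN, R1, R2 = (bytes.fromhex("0200000000" + x) for x in ("aa", "01", "02"))
STP, CDP, OSPF = map(bytes.fromhex, ("0180c2000000", "01000ccccccc", "01005e000005"))
def frame(dst, src):
    return dst + src + b"\x08\x00" + bytes(46)  # simplified header, zero payload
def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
# Capture matching the symptom: multicast and own telnet only.
SYMPTOM = build_pcap([frame(STP, R1), frame(CDP, R1), frame(OSPF, R1),
                      frame(R1, OWN), frame(OWN, R1)])
# Same capture with router-to-router unicast appended (SPAN and promiscuous OK).
WORKING = SYMPTOM + build_pcap([frame(R2, R1), frame(R1, R2)])[24:]
```

A zero `foreign_unicast` count does not say which side is at fault; it only confirms that nothing addressed to other hosts reached the capture.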




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64274&t=64186