Wireshark mailing list archives

Re: Can Wireshark differentiate between multiple Cisco SPAN sources?


From: "Dana J. Dawson" <dana.dawson () centurylink com>
Date: Mon, 9 Sep 2013 14:07:10 -0500

One option might be to get the MAC forwarding table entries for the 4 ports in question and identify the unique MAC 
addresses out each of the 4 ports.  Multicast/broadcast traffic could still be problematic, but maybe that's not an 
issue.  If your topology is pretty stable then this list should also be pretty stable.  If there's just a single 
server/host per port this would probably work pretty well, but if there are lots of them this could get ugly fast, 
though you might be able to cobble together a script of some sort that would call tshark on your capture file for the 
different MAC addresses out each port and split the file that way.

HTH

Dana
---
Dana J. Dawson
Principal CPE Engineer, CCIE #1937 (R&S)
CenturyLink, CPE-CTAC
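
As an added example (not part of the original message and not Wireshark project code), one form the script suggested above could take: it builds a tshark display filter per port from a hand-collected port-to-MAC table and writes one output file per port, plus one for frames that match no listed MAC. The table format, function names, sample MACs and output file names are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: split a merged SPAN capture into one file per switch port
# using a port-to-MAC table. All names and MAC values here are hypothetical.

# Constructed sample table, "<port-label> <mac>" per line, as it might be
# transcribed from the switch's MAC forwarding table for the 4 ports.
SAMPLE_TABLE='port1 00:11:22:33:44:01
port2 00:11:22:33:44:02
port2 00:11:22:33:44:12
port3 00:11:22:33:44:03
port4 00:11:22:33:44:04'

# list_ports TABLE -> unique port labels, one per line, in first-seen order
list_ports() {
    printf '%s\n' "$1" | awk 'NF == 2 && !seen[$1]++ { print $1 }'
}

# port_filter TABLE PORT -> display filter matching any frame to or from a
# MAC learned on PORT (eth.addr matches either source or destination)
port_filter() {
    printf '%s\n' "$1" | awk -v p="$2" '
        NF == 2 && $1 == p { f = (f == "" ? "" : f " || ") "eth.addr == " tolower($2) }
        END { print f }'
}

# rest_filter TABLE -> filter for frames matching none of the listed MACs,
# e.g. broadcast/multicast flooded from elsewhere in the VLAN
rest_filter() {
    printf '%s\n' "$1" | awk '
        NF == 2 { f = (f == "" ? "" : f " || ") "eth.addr == " tolower($2) }
        END { print "!(" f ")" }'
}

# split_capture CAPTURE TABLE -> writes <port>.pcapng per port and
# unattributed.pcapng for everything that could not be tied to a port
split_capture() {
    for port in $(list_ports "$2"); do
        tshark -r "$1" -Y "$(port_filter "$2" "$port")" -w "$port.pcapng" || return 1
    done
    tshark -r "$1" -Y "$(rest_filter "$2")" -w unattributed.pcapng
}

# Run only when called with a capture file and a table file.
if [ "$#" -eq 2 ]; then
    split_capture "$1" "$(cat "$2")"
fi
```

A frame exchanged between hosts on two of the monitored ports matches both ports' filters and is written to both files.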

Hi Marty,

I don't see a way to do this.

I suppose if the four ports belonged to four different VLANs, and you 
found a way to preserve VLAN tags across the SPAN function, then you 
could split the four streams apart using Wireshark.

If the SPAN function inserted some sort of tag into each frame as it 
went past, a tag which identified the source port, then Wireshark would 
have something to chew on.  But the SPAN function doesn't do this -- it 
doesn't modify traffic as it performs its 'xeroxing' function.

So, all those frames will reach the SPAN function without any source 
identifier ... the Nexus will transmit them out the SPAN port ... they 
will arrive at Wireshark ... and Wireshark thus will have no way to 
distinguish which frame came from where.

With these resources, I don't see a way to solve this problem.

Best,

--sk

Stuart Kendrick
FHCRC

On 9/5/2013 10:48 AM, Marty.Gramlick () uchospitals edu wrote:
I'm running a SPAN on a Cisco Nexus FEX 2248.  The 4 ports I want to look at are on the same VLAN and the same FEX 
switch.  Due to limitations with the Cisco hardware, they must all be part of the same monitor session.  In other 
words I was hoping to SPAN each one individually, but in order to look at all of them they need to be in the same 
monitor session, therefore they are going to 1 NIC on the Wireshark server.  Is there anything embedded or any way for 
Wireshark to resplit the traffic back into 4 separate traffic streams?

Thanks,
MARTY GRAMLICK
Senior Network Engineer, Specialist
The University of Chicago Medicine
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
