Wireshark mailing list archives
Re: Can Wireshark differentiate between multiple Cisco SPAN sources?
From: Stuart Kendrick <skendric () fhcrc org>
Date: Thu, 05 Sep 2013 12:16:30 -0700
Hi Marty, I don't see a way to do this.I suppose if the four ports belonged to four different VLANs, and you found a way to preserve VLAN tags across the SPAN function, then you could split the four streams apart using Wireshark.
If the SPAN function inserted some sort of tag into each frame as it went past, a tag which identified the source port, then Wireshark would have something to chew on. But the SPAN function doesn't do this -- it doesn't modify traffic as it performs is 'xeroxing' function.
So, all those frames will reach the SPAN function without any source identifier ... the Nexus will transmit them out the SPAN port ... they will arrive at Wireshark ... and Wireshark thus will have no way to distinguish which frame came from where.
With these resources, I don't see a way to solve this problem. Best, --sk Stuart Kendrick FHCRC On 9/5/2013 10:48 AM, Marty.Gramlick () uchospitals edu wrote:
I'm running a SPAN on a Cisco Nexus FEX 2248. The 4 ports I want to look at are on the same VLAN and the same FEX switch. Due to limitations with the Cisco hardware, they must all be part of the same monitor session. In other words I was hoping to SPAN each one individually, but in order to look at all of them they need to be in the same monitor session therefore they are going to 1 NIC on the Wireshark server. Is there anything embedded or anyway for Wireshark to resplit the traffic back into 4 separate traffic streams? Thanks, MARTY GRAMLICK Senior Network Engineer, Specialist The University of Chicago Medicine ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- Can Wireshark differentiate between multiple Cisco SPAN sources? Marty.Gramlick (Sep 05)
- Re: Can Wireshark differentiate between multiple Cisco SPAN sources? Stuart Kendrick (Sep 05)
- <Possible follow-ups>
- Re: Can Wireshark differentiate between multiple Cisco SPAN sources? Dana J. Dawson (Sep 09)