sniff traffic how

itdaddyitdaddy Senior MemberMember Posts: 2,089 ■■■■□□□□□□
My boss wants to check the Layer 2 traffic and other stuff by connected a cable directly from our Netscout to the Charter Gateway LAN side to sniff. I said we could setup a vlan for sniffing and since our core has a trunk line to the DMZ switch in the room of the Charter gateway, we setup a vlan on the dmz switch that matches the vlan on the core and sniff that vlan stratight across the trunk lines. He says the Netscout willl pick up traffic aross all the vlan trunk? I said no it wont it will only sniff traffic in the vlan access port you set the Netscout too? Am I wrong. He said it will pick up unecessary traffic. i said how is that it is a vlan that we setup with no routing on it? just a vlan and it will just be a designated vlan pipe so to speak straight to the charter lan interface and all you get is Layers. He wants to hook directly to the LAN port via cable from the Netscout direct. What am i missing. what are the pros and cons guys from your experience. I mean I like his idea but thought a vlan would work fine?


  • Codeman6669Codeman6669 Member Posts: 227
    not quite sure i understand what exactly you want to accomplish, but why not just mirror a port? It depends on what you want to sniff, but you will get whatever the port you are mirroring's traffic.
  • joetestjoetest Member Posts: 99 ■■□□□□□□□□
    Codeman is correct.. use SPAN to mirror the port to see whats going on.
  • OctalDumpOctalDump Member Posts: 1,722
    It sounds like your boss might have been talking about VSPAN. It allows you to monitor traffic on one VLAN. You can also set the destination SPAN "port" to a VLAN.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • itdaddyitdaddy Senior Member Member Posts: 2,089 ■■■■□□□□□□
    I guess what I am trying to say is the device he wants to sniff is in another IDF closet. he wants direct connect via patch panels to it. But there are vlan trunks going to the switch in between the IDFs so why not sniff a vlan? will sniffing a vlan give him too much traffic or false hard to read traffic?
    get what I mean. he wants direct connect vs sniffing a vlan it is plugged into in the idf closet and then hook our netscout sniffer appliance to the vlan that it is in and the trunk will carry the vlan to the next idf room where the device he wants to sniff is located? maybe he only wants easy to read packet sniffing capture and nothing else but not sure what else would be in a vlan that would interfer with his reading? Yeh I agree doing the SPAN or RSPAN.
  • cwelbercwelber Member Posts: 38 ■■■□□□□□□□
    Maybe he means he wants to tap the traffic and feed it to a Security Event Monitoring system. Tap ports on the switch can work for this, but I think real taps are the way to go if this is what your boss is looking for.
  • Danielh22185Danielh22185 Member Posts: 1,195 ■■■■□□□□□□
    Yes, it is really hard to visualize what / where the traffic you need to capture needs to take place. Maybe give us a rudimentary diagram of what you are trying to accomplish? There are several options though. A SPAN will allow you to capture traffic local to a switch for a number of vlans to a destination port your sniffer appliance is connected to. However it kind of sounds like you are trying to mirror monitored traffic to another switch, so the option to accomplish that would be to setup an RSPAN. Also the mentioned TAP is I think the best option (my company uses these everywhere for IDS), this allows you to capture the traffic physically via a dummy device (TAP) which will then relay the traffic to a designated switch where a sniffer is installed / connected. However a TAP generally will require more hardware to setup.
    Currently Studying: IE Stuff...kinda...for now...
    My ultimate career goal: To climb to the top of the computer network industry food chain.
    "Winning means you're willing to go longer, work harder, and give more than anyone else." - Vince Lombardi
  • NOC-NinjaNOC-Ninja Member Posts: 1,403
    From what i understand is that this is a remote area. Are you saying that you want to use RSPAN to sniff it?
    It should work.
    Even so there is a lot of traffic. You can filter that in wireshark.
  • itdaddyitdaddy Senior Member Member Posts: 2,089 ■■■■□□□□□□
    yeah there are in separate rooms. But there is a patch run to and from each room so we have direct connect which is no problem to direct connect the TAP from netscout sniffer to the LAN interface. Yeah this seems best and very clean without excessive information. I think this is what he looking for kind of a pure look at the flows. I do like his idea but wondered by you can Sniff a vlan that the LAN port is exclusively in only? across trunk port channels?
  • joetestjoetest Member Posts: 99 ■■□□□□□□□□
    You should go read up on SPAN and it's different variations. SPAN is to copy a port on a local switch and Remote SPAN allows you to utilize a dedicated vlan across switches(through trunks yes).
  • itdaddyitdaddy Senior Member Member Posts: 2,089 ■■■■□□□□□□
    thanks I know about SPAN and RSPAN just wanted you opinion. I get it thanks man.
Sign In or Register to comment.