Cisco: Sniffing Traffic on Switch Ports

Snowcone · March 2008

This is a kind of high level issue I am having, but I figured I'd bring it here anyway. I've got a stack of Cisco 3750G switches. I need to document the network layout and I really don't want to use a tester to map out which patch panel port goes to which office. What I am hoping to do is sniff the traffic on each individual port, find the local private ip of the computer on that port, and then use a network scanner to match up each machine to its current ip.

I've looked at NTop, but couldn't get it to run on my windows machine. Does anyone know of a tool, maybe like ethereal, that would let me sniff traffic isolated to a single switch port of a cisco switch?

stigweard · March 2008

I thought ntop had full win32 compatibility? Have you tried Cisco for switch management software? I've used some 3com software for a set of 3com switches before and it mapped out everything fairly well.

Snowcone · March 2008

I've got the Cisco Network Assistant (CNA) installed and it's not giving me any information like that. If it helps, I'm running Vista and the NTop installer crashes everytime I try it.

SiliconStew · March 2008

First set up port mirroring (SPAN) on your switches so that you are monitoring one port at a time. Run ethereal/wireshark on the monitor port to find the computer's IP. Repeat for each port on the switches.

You may want to run a ping sweep on your LAN IP's at the same time you run ethereal so you are not just waiting for the computers to generate traffic themselves.

Snowcone · March 2008

SiliconStew wrote: »

First set up port mirroring (SPAN) on your switches so that you are monitoring one port at a time. Run ethereal/wireshark on the monitor port to find the computer's IP. Repeat for each port on the switches.

You may want to run a ping sweep on your LAN IP's at the same time you run ethereal so you are not just waiting for the computers to generate traffic themselves.

Thank you. It looks like SPAN is going to do exactly what I needed.

badfish · March 2008

Snowcone wrote: »

SiliconStew wrote: »

First set up port mirroring (SPAN) on your switches so that you are monitoring one port at a time. Run ethereal/wireshark on the monitor port to find the computer's IP. Repeat for each port on the switches.

You may want to run a ping sweep on your LAN IP's at the same time you run ethereal so you are not just waiting for the computers to generate traffic themselves.

Thank you. It looks like SPAN is going to do exactly what I needed.

If you find anything easier to read and sort through than wireshark, let me know. We use port mirroring for CALEA, I know the Law Enforcements have some nice software to decrypt and read that traffic but I know it's expensive too, mega. To test though, we count on Wireshark or worse to ensure the packets are gettin captured properly.

Clearsightnet.com has some stuff I think, but will probably run you $10k or so.

thej3w · March 2008

http://www.openxtra.co.uk/freestuff/ntop-xtra.php

Should be just a easy install for windows. Much easier than the real nTop installer.

Penny Arcade

Quick Links

Cisco: Sniffing Traffic on Switch Ports

Posts