Easy sniff: Cisco 2900XL Switch in SPAN mode
I’ve wanted to be able to use Wireshark to sniff on my LAN using the Cisco 2900XL Switch instead of an old hub I keep around for LAN sniffing purposes, but I’ve never taken the time to use the port monitoring features of Cisco’s SPAN, until now.
It’s pretty straightforward. Just configure one port to monitor any traffic on another. The IOS:
interface FastEthernet0/1
 ! Fa0/1 is the monitoring port; each line below mirrors one source port to it
 port monitor FastEthernet0/17
 port monitor FastEthernet0/18
 port monitor FastEthernet0/19
 port monitor FastEthernet0/20
 port monitor FastEthernet0/22
 port monitor FastEthernet0/23
I was even able to hook up this PC to the 0/1 monitoring port and use it normally — I’m typing this on that PC that’s on the internet now. Wireshark was able to see all that was happening on those other ports. As an aside, the most persistent traffic was STP BPDUs issued from each of the 6 active switch ports every 2 seconds. FWIW, the packets look like this:
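As an added example (not part of the original post), this Python decodes an 802.1D configuration BPDU of the kind a capture on the monitor port shows. The frame is constructed: the source MAC, port ID and timer values are sample assumptions, and the bridge ID reuses the base MAC from the show version output further down.

```python
import struct

STP_GROUP = bytes.fromhex("0180c2000000")   # 802.1D bridge group address
BPDU_FMT = "!HBBBH6sIH6sHHHHH"              # 35-byte configuration BPDU

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_config_bpdu(frame: bytes) -> dict:
    """Decode an 802.3/LLC frame carrying an 802.1D configuration BPDU."""
    if len(frame) < 14 + 3 + struct.calcsize(BPDU_FMT):
        raise ValueError("frame too short for a configuration BPDU")
    dst, src, length = struct.unpack("!6s6sH", frame[:14])
    if dst != STP_GROUP or length > 1500:   # > 1500 would be an EtherType
        raise ValueError("not an 802.3 frame to the STP group address")
    if frame[14:17] != b"\x42\x42\x03":     # LLC DSAP 0x42, SSAP 0x42, UI
        raise ValueError("LLC header is not spanning tree")
    (proto, version, btype, flags, root_prio, root_mac, cost, br_prio,
     br_mac, port_id, age, max_age, hello, fwd) = struct.unpack(
        BPDU_FMT, frame[17:52])
    if proto != 0 or btype != 0:
        raise ValueError("not a configuration BPDU")
    return {
        "sender": mac(src),
        "root_id": f"{root_prio}/{mac(root_mac)}",
        "bridge_id": f"{br_prio}/{mac(br_mac)}",
        "root_path_cost": cost,
        "port_id": f"0x{port_id:04x}",
        "topology_change": bool(flags & 0x01),
        # Timer fields are carried in units of 1/256 second.
        "message_age": age / 256, "max_age": max_age / 256,
        "hello_time": hello / 256, "forward_delay": fwd / 256,
    }

def build_sample_frame() -> bytes:
    """Constructed sample: a root bridge advertising default 802.1D timers."""
    base = bytes.fromhex("00b064ed12c0")    # base MAC from the show version output
    src = bytes.fromhex("00b064ed12d1")     # constructed per-port source MAC
    bpdu = struct.pack(BPDU_FMT, 0, 0, 0, 0, 0x8000, base, 0, 0x8000, base,
                       0x8011, 0, 20 * 256, 2 * 256, 15 * 256)
    hdr = STP_GROUP + src + struct.pack("!H", 3 + len(bpdu))
    return (hdr + b"\x42\x42\x03" + bpdu).ljust(60, b"\x00")  # pad to minimum

if __name__ == "__main__":
    for field, value in parse_config_bpdu(build_sample_frame()).items():
        print(f"{field:16} {value}")
```

The decoded hello_time of 2.0 seconds corresponds to the two-second BPDU interval seen in the capture.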
I was reading a manual for the 2950 (not 2900XL) earlier today. Clearly, there is MUCH more in this area of SPAN that can be accomplished on the 2950. Still, this is doing everything I need it to.
BTW, as I was browsing the 2900XL manual, I was distracted for a minute by the section on using CMS, a web browser GUI for switch management. I thought, why not give it a try? I’ve seen Cisco GUI interfaces for PIX and Wireless Access Points and they’re a good way to see the wealth of features at a glance. But, alas, this seems to require having the software loaded on the switch. All I got when I plugged in the patch cable and entered http://192.168.1.192 was a basic screen:
When I click on the first line about CMS or such, I get a 404 error, presumably because I don’t have that GUI software installed on the switch.
There was some merit in the available choices. For example, I received a nicely formatted gob of “shows” when I clicked on the Show tech support option. The 1st, show ver, looks like this:
------------------ show version ------------------
Cisco Internetwork Operating System Software
IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5.4)WC(1), MAINTENANCE INTERIM SOFTWARE
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Tue 10-Jul-01 11:52 by devgoyal
Image text-base: 0x00003000, data-base: 0x00333CD8
ROM: Bootstrap program is C2900XL boot loader
Switch uptime is 32 minutes
System returned to ROM by power-on
System image file is "flash:c2900XL-c3h2s-mz.120-5.4.WC.1.bin"
cisco WS-C2924-XL (PowerPC403GA) processor (revision 0x11) with 8192K/1024K bytes of memory.
Processor board ID FAB0406T00W, with hardware revision 0x01
Last reset from power-on
Processor is running Enterprise Edition Software
Cluster command switch capable
Cluster member switch capable
17 FastEthernet/IEEE 802.3 interface(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:B0:64:ED:12:C0
Motherboard assembly number: 73-3382-07
Power supply part number: 34-0834-01
Motherboard serial number: FAB040370MM
Power supply serial number: PHI0341009W
Model revision number: A0
Model number: WS-C2924-XL-EN
System serial number: FAB0406T00W
Configuration register is 0xF