Tag Archives: Wireshark

EEM Tricks: Scheduled Packet Capture

It’s going to be a short note. I’ve finally started to explore the world of automation (EEM) and coding (Python) and I love both! I used to code long time ago using Perl and PHP, and now I regret I’ve ignored these skills for the last decade (at least). I will be publishing some EEM and Python snippets here from now on. So, today I’d like to share a small piece of EEM script that, in short, waits until a specific time, then starts packet capture of all packets destined to CPU on the router, waits for X seconds, then terminates capture, exports it to the FTP server and removes 95% of its traces from the running config. This can be simplified or made more sophisticated for as much as your imagination allows… Read more …

RSPAN and 802.1q Tags Limitation

I had to do a lot of traffic captures recently. Being a lazy guy and to avoid floor walking, I decided to use RSPAN on my Catalyst 3750 switches. I was able to collect a lot of useful data from the remote ports with except to one particular case – it’s when remote port was in a trunking mode configured to trust CoS. Although, I have changed Windows 7 registry settings to support Monitor Mode on Intel 82577LM Gigabit NIC, Wireshark was not able to see 802.1q headers of the remote frames captured from the trunk port. That driven me nuts before I understood the cause (tried to re-install NIC drivers, read Wireshark FAQ, tampered with Windows Registry).

It turned out to be a limitation of the RSPAN feature. Just quoting Cisco website:

For RSPAN, the original VLAN ID is lost because it is overwritten by the RSPAN VLAN identification. Therefore, all packets appear on the destination port as untagged.

Reasonable. You cannot use RSPAN to capture original Layer 2 headers. RSPAN forwards Layer 2 traffic to the remote switch via a trunk port and that requires to strip off the original Layer 2 headers, including 802.1q.

For more information refer to Cisco guides, i.e. Configure SPAN and RSPAN on Catalyst 3560.