We needed to use Wireshark to capture traffic coming from and going to a device connected to one of the corporate switches. We knew the IP address of the device (10.X.X.X/24) but not which switchport the device is physically connected to.
First will connect to the switch via SSH/Telnet and make sure we can actually communicate with the device. We can do so by issuing the ping command.
Below command will display the address table of the switch, that contains VLAN to MAC address to Port mappings.
show bridge address-table
Assuming MAC address of our target device is 12:34:56:78:90:12, we’ll be looking for an entry in the address table that would look something like:
VLAN MAC Address Port Type 100 1234.5678.9012 3/g34 Dynamic
This indicated that the MAC address of our device corresponds to switchport 3/G34. This will be the source interface for our SPAN.
Next, we will connect the workstation running Wireshark to an available Ethernet port on the switch. In this example we’ll use 1/G7. This will be the destination interface for our SPAN.
On the switch we’ll need to define the monitoring session, then specify both the source and destination interface and enable the monitoring session. We can do so by issuing the following commands:
Switch00(config)#monitor session 1 source interface 3/g34
Switch00(config)#monitor session 1 destination interface 1/g7
Switch00(config)#monitor session 1 mode
To verify the configuration you can issue the following command:
Switch00# show monitor session 1