On 11/8/2010 10:09 AM, David Shephard wrote:
> Hi all I want to capture LAN traffic from Core Switch
> to DMZ & filter by protocol, is this possible?

Yes, you can filter on anything you'd like. But some things you need
to answer are:

1) How do you plan on getting the traffic to the analyzer? Via
span/mirror session?
2) If so, make sure you pick one ingress/egress point. Don't span
the VLAN because you'll then capture each packet as it enters and
exits the VLAN.
3) Keep an eye on the monitor/span destination port (sho int, or
sho mac in Cisco'ese) to make sure that you're not overrunning the
monitor/span port.
4) You have the option of running VACLs to limit what you capture,
but there are some dependencies so stay away unless you have a clear
idea about the pros and cons. There was a nice Sharkfest
presentation this year on using VACLs so check it out on the
Sharkfest 2010 site.

Once you've successfully created the span, you can also filter on
Wireshark itself. You can use "host 1.1.1.1" or you can use "port
123" etc.

It's a pretty open ended question so I'm hesitating on giving a
detailed answer.
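
A check for the double capture described in point 2, as an added example that is not part of the original message: it flags frames that repeat an earlier frame within a short time window, which is the pattern a VLAN-wide span produces. The 5 ms window, the function names and the sample frames are assumptions constructed for illustration.

```python
import hashlib

VLAN_TPID = b"\x81\x00"  # 802.1Q tag protocol identifier


def frame_key(frame: bytes) -> bytes:
    """Digest of a frame with any 802.1Q tag removed, so the tagged and
    untagged copies of one packet compare equal."""
    if frame[12:14] == VLAN_TPID:
        frame = frame[:12] + frame[16:]  # drop the 4-byte VLAN tag
    return hashlib.sha256(frame).digest()


def find_span_duplicates(frames, window=0.005):
    """frames: (timestamp_seconds, raw_ethernet_bytes) tuples in capture order.
    Returns the indexes of frames that repeat an earlier frame seen no more
    than `window` seconds before (window is an assumed value; tune it)."""
    last_seen = {}
    duplicates = []
    for index, (ts, raw) in enumerate(frames):
        key = frame_key(raw)
        prev = last_seen.get(key)
        if prev is not None and ts - prev <= window:
            duplicates.append(index)   # second copy of the same packet
        else:
            last_seen[key] = ts        # first sighting, or a late repeat
    return duplicates


# Constructed sample frames (not from a real capture).
_MACS = bytes.fromhex("00005e005301") + bytes.fromhex("00005e005302")
_A = _MACS + b"\x08\x00" + b"constructed payload A"
_A_TAGGED = _MACS + VLAN_TPID + b"\x00\x0a" + b"\x08\x00" + b"constructed payload A"
_B = _MACS + b"\x08\x00" + b"constructed payload B"

SAMPLE = [
    (0.000000, _A),         # packet enters the VLAN
    (0.000040, _A_TAGGED),  # same packet leaving, carrying a VLAN tag
    (0.010000, _B),         # unrelated packet
    (0.500000, _A),         # same bytes much later: outside the window
]

if __name__ == "__main__":
    dups = find_span_duplicates(SAMPLE)
    print(f"{len(dups)} of {len(SAMPLE)} frames are span duplicates: {dups}")
```

A high duplicate share in a test capture is a sign that the span covers the whole VLAN rather than a single ingress/egress point.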