1
00:00:00,000 --> 00:00:00,720

2
00:00:00,720 --> 00:00:03,870
Sometimes it's handy to get a copy of packets

3
00:00:03,870 --> 00:00:06,124
so that we can analyze or take a look at them.

4
00:00:06,124 --> 00:00:08,790
In this Nugget, I'd like to chat with you about a concept called

5
00:00:08,790 --> 00:00:11,160
port mirroring, where we can take the packets

6
00:00:11,160 --> 00:00:13,380
and frames from one area of our network,

7
00:00:13,380 --> 00:00:15,460
or one port on a switch, and then forward

8
00:00:15,460 --> 00:00:18,520
those to another port, where we can take a closer look at them.

9
00:00:18,520 --> 00:00:19,800
So here is our topology.

10
00:00:19,800 --> 00:00:22,500
And let's say the scenario is that this server here, which

11
00:00:22,500 --> 00:00:26,160
is connected to gig 0/4 on switch two,

12
00:00:26,160 --> 00:00:28,230
is having some problems with network connectivity

13
00:00:28,230 --> 00:00:29,820
or it's not operating correctly.

14
00:00:29,820 --> 00:00:33,370
And so we want to take a look at all the packets on that port

15
00:00:33,370 --> 00:00:34,870
so we can take a closer look.

16
00:00:34,870 --> 00:00:36,370
Well, how do we go about doing that?

17
00:00:36,370 --> 00:00:39,740
Well, one way is we can install some software on the server

18
00:00:39,740 --> 00:00:41,620
to actually take a look at those packets.

19
00:00:41,620 --> 00:00:43,090
However, that's going to interrupt the server,

20
00:00:43,090 --> 00:00:45,720
because it's also going to have to process the packet analyzer

21
00:00:45,720 --> 00:00:47,160
to capture those packets.

22
00:00:47,160 --> 00:00:49,590
Another option is we could do port mirroring, which

23
00:00:49,590 --> 00:00:52,597
is to tell the switch, "Dear Mr.

24
00:00:52,597 --> 00:00:54,180
Switch Two, please take all of your traffic that's

25
00:00:54,180 --> 00:00:57,300
going into or out of gig 0/4, and let's

26
00:00:57,300 --> 00:01:00,450
send a copy of all of those packets and frames

27
00:01:00,450 --> 00:01:03,570
over to another device where we can analyze those packets."

28
00:01:03,570 --> 00:01:06,600
And so for our discussion, let's choose computer two

29
00:01:06,600 --> 00:01:10,140
as the lucky winner, the recipient who's

30
00:01:10,140 --> 00:01:12,570
going to get a copy of all the traffic that

31
00:01:12,570 --> 00:01:14,910
goes in and out of gig 0/4.

32
00:01:14,910 --> 00:01:17,160
So from a switch perspective, we need to, first of all,

33
00:01:17,160 --> 00:01:20,070
identify where computer two lives, where it is connected.

34
00:01:20,070 --> 00:01:22,350
And computer two is connected to this port

35
00:01:22,350 --> 00:01:25,230
right here, which is gig 0/2.

36
00:01:25,230 --> 00:01:27,000
So depending on the vendor's equipment,

37
00:01:27,000 --> 00:01:28,765
we configure this switch, switch two,

38
00:01:28,765 --> 00:01:31,380
to copy the packets from gig 0/4,

39
00:01:31,380 --> 00:01:33,210
and send a copy of all that traffic

40
00:01:33,210 --> 00:01:36,780
to the destination interface of gig 0/2, at which point

41
00:01:36,780 --> 00:01:39,030
computer two would need to be running some software

42
00:01:39,030 --> 00:01:41,830
or something that can look at all those packets

43
00:01:41,830 --> 00:01:43,030
so we could analyze them.

44
00:01:43,030 --> 00:01:44,640
So in a Cisco environment, when

45
00:01:44,640 --> 00:01:46,515
we're doing the mirroring, the port mirroring,

46
00:01:46,515 --> 00:01:48,300
on a local switch, they refer to it

47
00:01:48,300 --> 00:01:53,520
as SPAN, which is an acronym for Switched Port Analyzer.

48
00:01:53,520 --> 00:01:55,350
And even within a specific vendor,

49
00:01:55,350 --> 00:01:58,020
based on the hardware and the version of software that's

50
00:01:58,020 --> 00:02:01,230
being used on that switch, the commands could also vary.

51
00:02:01,230 --> 00:02:02,730
So here's an example of the commands

52
00:02:02,730 --> 00:02:05,730
we could use on a Cisco switch: monitor session and a number.

53
00:02:05,730 --> 00:02:07,530
For example, session number one, which

54
00:02:07,530 --> 00:02:10,110
is just identifying that SPAN session in the switch.

55
00:02:10,110 --> 00:02:12,100
And we'd use the source keyword, and then

56
00:02:12,100 --> 00:02:13,650
specify interface gig 0/4.

57
00:02:13,650 --> 00:02:16,920
That's where we want to pull the data or the frames from.

58
00:02:16,920 --> 00:02:18,870
And then the second line is to specify

59
00:02:18,870 --> 00:02:21,330
where we want those copies of the frames to go.

60
00:02:21,330 --> 00:02:24,790
And we use the command monitor session 1 destination.

61
00:02:24,790 --> 00:02:27,044
And then the interface where our monitoring device

62
00:02:27,044 --> 00:02:28,710
is, that's going to collect those packets.

63
00:02:28,710 --> 00:02:30,840
In this case, it's the Windows machine, computer

64
00:02:30,840 --> 00:02:33,420
two, on port gig 0/2.

65
00:02:33,420 --> 00:02:35,880
And that would cause the switch, switch two,

66
00:02:35,880 --> 00:02:39,510
to take all the frames on port gig 0/4

67
00:02:39,510 --> 00:02:44,304
and mirror them or copy them over to gig 0/2 for analysis.

68
00:02:44,304 --> 00:02:45,720
In this Nugget, we've taken a look

69
00:02:45,720 --> 00:02:48,150
at the concept of port mirroring and how

70
00:02:48,150 --> 00:02:51,210
it can be used to copy packets from one area of our network

71
00:02:51,210 --> 00:02:53,860
over to another for analysis.

72
00:02:53,860 --> 00:02:56,100
I hope this has been informative for you,

73
00:02:56,100 --> 00:02:59,690
and I'd like to thank you for viewing.

74
00:02:59,690 --> 00:03:00,378