Port Monitoring on Force10 Switches

Posted on July 15, 2011 by Humair

In this lab I will demonstrate how to do port monitoring on Force10 switches and capture the packets using a network protocol analyzer (Wireshark in this case). Port monitoring allows the copying of all incoming/outgoing packets on a specific port to be mirrored/forwarded to another port where a network protocol analyzer is attached to analyze the traffic. Port monitoring is sometimes also referred to as packet sniffing, and, as you have probably guessed, packet sniffing can be used for malicious purposes. For the majority though port monitoring or packet sniffing is used for a variety of troubleshooting, security, and reporting tasks.
Port monitoring is supported on the S, C, and E series of Force10 switches with the exception of the EtherScale versions of the E-Series platform. I start with the same setup that I used in a prior lab “Setup VRRP with Force10 Switches” and make a few small changes. As before, I use three different Force10 switches: E1200 [FTOS 8.4.2.1], S60 [FTOS 8.3.3.4], and S55 [FTOS 8.3.5.0]. In addition to the prior setup, I add the gigabitethernet 7/2 interface to vlan 98 on the Force10 E1200 and connect a laptop to it. I assign the laptop an IP of 11.0.0.102; this laptop will be used to send pings to the Force10 S55 switch (11.0.0.101) which is setup as the “backup” under the VRRP group. Second, I connect a laptop (11.0.0.103) with Wireshark installed on it to port 0/2 on the Force10 S55 switch. The network diagram is shown below.

Network diagram for VRRP and Port Monitoring


I will mirror the traffic received and sent on port 0/1 of the Force10 S55 switch to port 0/2 on the same switch. Notice that I do not have to add port 0/2 to vlan 98 in order to use it for the destination for port mirroring; however, I do have to make sure it has “no ip address” and “no shutdown” configured. Now that all the physical connections are made, I setup port mirroring on the Force10 S55 switch as shown below.
————————————————————————————————————
– enable
– config
– monitor session 0
– source gigabitethernet 0/1 destination gigabitethernet 0/2 direction both
————————————————————————————————————

Once everything is setup, I simply click the “Start a new live capture” button in Wireshark. Remember, physical routers within a virtual router communicate with themselves using packets addressed to the 224.0.0.18 multicast IP address. Since we have VRRP setup between the Force10 E1200 and Force10 S55 switches, I am expecting to see VRRP packets being sent to 224.0.0.18. To capture some other type of traffic, while Wireshark is capturing packets, I ping the Force10 S55 switch (11.0.0.101) from the laptop I connected to the Force10 E1200 switch. For this reason, I am also expecting to see ICMP (Internet Control Message Protocol) packets being sent to 11.0.0.101. In addition, ARP (Address Resolution Protocol) packets will be seen as hosts’ MAC addresses attempt to get resolved. As can be seen from the below image capture, the results are exactly as expected!

Wireshark Packet Capture

This entry was posted in Force10 Networks, Labs, Networking and tagged , , , , , , , , , , , . Bookmark the permalink.

1 Response to Port Monitoring on Force10 Switches

  1. NK says:
    April 21, 2016 at 7:10 AM

    Thanks for the post! Very useful.
    Very good blog 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *


− six = 0