2025-01-22 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Sensor placement is particularly important, and the same considerations apply to sniffers. Many people have installed a sniffer on a single host, but in a large network placement is not as simple as plugging in a host. As a network manager, you should know the specific circumstances of the network environment you are managing. The network topology of a typical enterprise is shown in figure 2-2.
Figure 2-2 How to select the location of the sniffer
The following mainly discusses sniffing methods in switched and routed networks.
1. Switched network
In a switched network, port mirroring is the easiest way to capture traffic, but the switch used must support port mirroring (Port Mirroring) and have a free port into which the sniffer can be plugged. Most mid-range and higher switches support port mirroring, but to varying degrees.
Devices that support SPAN:
A commonly used TP-Link switch with a mirror function is the TP-Link SF2005 5-port mirror switch.
TP-Link 2428WEB 24-port managed mirror switch
Cisco WS-C6509, WS-C4006, WS-C3750G-24T-E, WS-C3550-48EMI and WS-C2950G-24-EI, and Huawei S2008/S2016/S2026/S2403H/S3026, all support port mirroring. Because SPAN configuration is the key step, it is explained in more detail below.
Figure 2-3 Sensor deployment in a switched network
Steps to configure mirrored (SPAN) ports on Cisco Catalyst series switches
During network fault troubleshooting and network data flow analysis, it is sometimes necessary to monitor and analyze the traffic entering certain ports of a network node or backbone switch. Setting up SPAN ports on the switch makes it possible to monitor suspicious ports without affecting the data exchange on the monitored ports.
The main purpose of SPAN (Switched Port Analyzer) is to feed a network analyzer with a copy of the network data flow. It can mirror data from several source ports in a VLAN to one monitoring port, and it can also mirror data from several VLANs to one monitoring port. A SPAN task does not affect the normal operation of the switch. Once a SPAN task is established, it becomes active or inactive depending on the state or operation of the switch, and this is logged. The current state of SPAN can be displayed with the "show monitor session" command.
There are three main types of SPAN data flows:
(1) Input data flow (Ingress SPAN): the data flow received by the source port; a copy is sent to the monitoring port.
(2) Output data flow (Egress SPAN): the data flow sent out of the source port; a copy is sent to the monitoring port.
(3) Bidirectional data flow (Both SPAN): the combination of the above two.
The following principles should be followed when configuring SPAN tasks:
(1) The device that monitors and analyzes the data must be connected to the monitoring (destination) port.
(2) Redundant link ports can only be used as source ports of a SPAN task.
(3) All source ports in a SPAN task must be monitored in the same direction.
(4) When a port is set as a source port and no monitoring direction is specified, the default is bidirectional.
(5) When a SPAN task contains multiple source ports, these ports can come from different VLANs.
(6) The command to cancel one SPAN task is: no monitor session task-number
(7) The command to cancel all SPAN tasks is: no monitor
(8) The destination port of a SPAN task does not take part in the spanning tree calculation, but because the BPDU packets of the source port can be mirrored, the SPAN destination port can still observe the BPDU packets arriving from the source port.
Configure the source port of SPAN. The command format is as follows:
Switch(config)# [no] monitor session {session_number} source {interface type/num | vlan vlan_ID} [, | - | rx | tx | both]
The following example configures a SPAN task whose source port is FastEthernet 5/1 and monitors the bidirectional data flow:
Switch(config)# monitor session 1 source interface fastethernet 5/1
Configure the destination port of SPAN. The command format is as follows:
Switch(config)# [no] monitor session {session_number} destination interface type/num
The following example configures a SPAN task whose destination port is FastEthernet 5/48:
Switch(config)# monitor session 1 destination interface fastethernet 5/48
When the source port of the SPAN task is a trunk port, the VLANs to be monitored can be restricted with the following command:
Switch(config)# [no] monitor session {session_number} filter vlan {vlan_ID} [, | -]
The following example restricts monitoring to VLAN1~VLAN5 and VLAN9 when the source port is a trunk port:
Switch(config)# monitor session 2 filter vlan 1-5, 9
The following is a comprehensive example that uses the commands introduced above:
Monitor the bidirectional data flow on the trunk port FastEthernet4/10 (which carries VLAN1~VLAN1005), monitor only the data flow of VLAN57, and use port
FastEthernet4/15 as the destination port. The specific configuration is as follows:
Switch(config)# monitor session 1 source interface fastethernet 4/10
Switch(config)# monitor session 1 filter vlan 57
Switch(config)# monitor session 1 destination interface fastethernet 4/15
To release the SPAN task, enter the following command:
Switch(config)# no monitor session 1
The following command shows how to verify the configuration of a SPAN task:
Switch# show monitor session 2
When configuring a mirror port (SPAN), also take into account the processing speed of the device and the size of the port's packet buffer when the mirrored data flow is heavy, so as to minimize the loss of monitored packets.
2. Routed network
For sniffer placement in a routed network, refer to my new book published this year.
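To make the configuration procedure and its principles concrete, here is an added Python example; it is not code from the original article or from Cisco. It renders a SPAN session in the command syntax shown above and checks it against the listed principles and the buffer-loss caveat: all sources monitored in the same direction, the destination not also a source, and a worst-case estimate of how much mirrored traffic the single destination port would have to carry. The `Source` and `SpanSession` helper types, the interface names and the link speeds are constructed for the example.

```python
"""SPAN session builder and sanity checker (added example, not from the
original article). Interface names and link speeds below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Source:
    interface: str           # constructed name, e.g. "fastethernet 4/10"
    direction: str = "both"  # rx | tx | both; IOS defaults to both (principle 4)


@dataclass
class SpanSession:
    number: int
    sources: List[Source]
    destination: str
    filter_vlans: List[int] = field(default_factory=list)


def format_vlans(vlans: List[int]) -> str:
    """Collapse a VLAN id list into the 'a-b, c' form accepted by 'filter vlan'."""
    ids = sorted(set(vlans))
    ranges = []
    start = prev = ids[0]
    for v in ids[1:]:
        if v == prev + 1:
            prev = v
            continue
        ranges.append((start, prev))
        start = prev = v
    ranges.append((start, prev))
    return ", ".join(f"{a}-{b}" if a != b else str(a) for a, b in ranges)


def build_commands(session: SpanSession) -> List[str]:
    """Render the 'monitor session' lines in the order used in the article."""
    cmds = [
        f"monitor session {session.number} source interface {s.interface} {s.direction}"
        for s in session.sources
    ]
    if session.filter_vlans:
        cmds.append(f"monitor session {session.number} filter vlan "
                    f"{format_vlans(session.filter_vlans)}")
    cmds.append(f"monitor session {session.number} destination interface "
                f"{session.destination}")
    return cmds


def check_session(session: SpanSession, link_mbps: Dict[str, int]) -> List[str]:
    """Return a list of findings; an empty list means the session passes."""
    findings = []
    for s in session.sources:
        if s.direction not in ("rx", "tx", "both"):
            findings.append(f"unknown direction {s.direction!r} on {s.interface}")
    if len({s.direction for s in session.sources}) > 1:
        findings.append("principle 3: all source ports must be monitored in the same direction")
    if session.destination in {s.interface for s in session.sources}:
        findings.append("destination port must not also be a source port")
    # Worst-case demand: each mirrored direction of each source port can carry a
    # full link's worth of traffic, and all of it must leave one destination port.
    demand = sum(link_mbps[s.interface] * (2 if s.direction == "both" else 1)
                 for s in session.sources)
    capacity = link_mbps[session.destination]
    if demand > capacity:
        findings.append(f"oversubscribed: worst-case {demand} Mb/s mirrored into a "
                        f"{capacity} Mb/s destination; expect dropped packets under load")
    return findings


if __name__ == "__main__":
    # The article's comprehensive example: trunk Fa4/10 both ways, VLAN 57 only, to Fa4/15.
    speeds = {"fastethernet 4/10": 100, "fastethernet 4/15": 100}  # constructed
    sess = SpanSession(1, [Source("fastethernet 4/10")], "fastethernet 4/15", [57])
    for line in build_commands(sess):
        print(f"Switch(config)# {line}")
    for finding in check_session(sess, speeds):
        print("WARNING:", finding)
```

Run stand-alone, the script prints the three configuration lines from the comprehensive example and then a warning: mirroring both directions of a 100 Mb/s port into a 100 Mb/s destination is 2:1 oversubscribed at full load, which is exactly the buffer-loss situation the caveat above describes. Monitoring only one direction, or using a faster destination port, clears the warning.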