Shulou(Shulou.com)06/01 Report--

SPAN, whose full name is Switched Port Analyzer, literally translates to switched port analyzer. It is a port mirroring technology of a switch. The main function is to provide some network analyzer with network data flow. SPAN does not affect the data exchange of the source port, it only sends a copy of the data packets sent or received by the source port to the monitoring port.

RSPAN (Remote SPAN), or remote SPAN, is similar to SPAN, but provides remote monitoring for multilayer switches across switched networks.

SPAN technology is mainly used to monitor the data flow on the switch, which can be divided into two types, local SPAN and remote SPAN. -Local Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN), the implementation method is slightly different. Using SPAN technology, we can send a copy of the COPY or MIRROR of some data streams on the switch that want to be monitored (hereinafter referred to as the controlled port) to the flow analyzer connected to the monitoring port, such as IDS of CISCO or PC equipped with SNIFFER tools. The controlled port and the monitoring port can be on the same switch (local SPAN) or on different switches (remote SPAN).

Port mirrors all traffic on the monitored port-"monitoring port"

Stream mirror like a specific flow [telnet ssh,]-"Monitoring port"

Image source port: mirroring

Mirror destination port: monitor

Monitoring equipment: IPS, IDS

Three configuration methods

Configuration 1:

Mirroring-group 1 local Local Mirror Group

Interface eth

Monitor-port image destination port

Quit

Intterface eth

Mirroring-port both Mirror Source Port

Configuration 2:

Mirroring-group 1 local

Interface eth

Mirroring-group 1 monitor-port

Quit

Intterface eth

Mirroring-group 1 mirroring-port both

Configuration 3:

Mirroring-group 1 local

Mirroring-group 1 monitor-port eth

Mirroring-group 1 mirroring-port eth both

Case list 1: implementation of local monitoring

Equipment required: one switch, three pc, one of which is monitored by the linux operating system (using wireshark).

Topology Diagram:

Switch configuration:

Mirroring-group 1 local

Mirroring-group 1 monitor-port eth 1-0-24

Mirroring-group 1 mirroring-port eth 1-0-10 eth 1-0-20 both

Monitoring device configuration:

Open the virtual machine linux

Install the wireshark package as shown in the figure

Use the command to start grabbing packets (you can grab specific traffic): as shown in the figure

If you use the telnet command to connect to another host on one pc, you can grab traffic information, as shown in the figure:

Case 2: realization of remote monitoring

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.