Creating a SPAN Port on a 2960
Creating a mirroring port also called a SPAN port (Switched Port Analyzer) might be required for some network appliances to analyze network traffic. Since we have switches which run in separate collision domains per port we have to do some configuration on the switch first before we can analyze traffic. (Think back to Collision domains vs. Broadcast domains)
In this example I have a 24-port Cisco Catalyst 2960 switch with no configuration on it. I have two PCs that are connected to this switch, One PC (PC2) will be my destination of copied frames while the other PC (PC1) will be the source of those frames. PC2 will have Wireshark installed and be capturing the output, while PC1 will browsing the web and checking for windows updates. If all goes correct I should be able to see traffic that PC1 is sending and receiving from PC2.
To get started I am in global configuration mode and I will be using the “monitor session” command. The following command below tells the switch to copy frames on port FastEthernet0/5 which is where PC1 is physically connected.
Switch(config)#monitor session 1 source interface Fa0/5
Switch(config)monitor session 1 destination interface Fa0/6
Switch#show monitor session 1
Session 1
---------
Type : Local Session
Source Ports :
Both : Fa0/5
Destination Ports : Fa0/6
Encapsulation : Native
Ingress : Disabled
Switch#
http://www.cloudshark.org/captures/8f1cd7661a1f
That’s it! You can also watch more than one network port to capture network traffic if you want, as well using it on port-channels but the 2960 I have does not support that feature :) Like always I hope this information is helpful and Happy New Year! Cisco Documentation: Catalyst Switched Port Analyzer (SPAN) Configuration Example