1

For the sake of monitoring my internet connection I have set up a port mirror on my Dell powerconnect 5548 from the SFP port to a 1Gb port on the switch, connected to my monitoring interface. The SFP interface is the uplink port to my default gateway.

The port mirror is listed as being "active" within the switch interface but tcpdump is not picking anything up on the interface except broadcast traffic.

Any ideas for what could be wrong?

user46516
  • 31
  • 3
  • Can you verify with the interface counters that it's actually getting pummeled with all of the mirror traffic? And make sure your interface is set to promiscuous mode. – Shane Madden Jan 15 '12 at 22:42
  • RX bytes:312667746 (312.6 MB) seems to be fairly busy yes. do i set the card to promiscuous in ntop or in the network config? – user46516 Jan 15 '12 at 22:45
  • Does the destination port of the mirror have a configuration? It probably needs to be removed if it does. Also some switches require you to explicity define that you want ingress and egress traffic mirrored. – SpacemanSpiff Jan 15 '12 at 22:47
  • Well `tcpdump` will try to put the interface into promisc mode by default when an interface is specified with the `-i` option. What options are you using to run it? – Shane Madden Jan 15 '12 at 22:52
  • i have enabled promiscuous mode on the interface, tcpdump still shows only broadcast, i will try and remove the config on the port now. – user46516 Jan 15 '12 at 22:53
  • using tcpdump -i eth2 – user46516 Jan 15 '12 at 22:54
  • btw is there any issue with port mirroring and SFP (10Gb) port to a 1Gb port? resetting the port hasn't made any difference. – user46516 Jan 15 '12 at 23:56

0 Answers0