I am using port mirroring / monitoring in my 3COM layer 3 switches to look at network traffic (using Wireshark).

Sometimes, I have found that I lose connectivity with the remote monitor machine (the machine receiving the port mirror traffic). I am unable to ping, or connect to it in any way.

However, sometimes it works (and stays) fine - for example, I have had a monitor running (using Wireshark) for over 24 hours with no issue.

When it stops pinging, the only way I have found to bring it back is to shut off the monitor port in the switch. When I do this, it comes right back up - pings start right away to the machine. Note, by the way, that it looks like the monitor machine itself is fine - at least in terms of capturing traffic. It appears to be capturing traffic the whole time, even when I can't ping it.

Any idea why this happens, or how I might be able to prevent it?

I do not think it is overloaded, as I have experimented with monitoring only one, low volume port and it still happens.

Scott Szretter
  • Does your capture host have one or two interfaces in it? (e.g., are you trying to manage the host using the same interface receiving the port-mirror traffic?) – Phil Nov 11 '13 at 14:20
  • Only 1. Would the behavior I describe be considered normal? So in that case you use a second adapter? – Scott Szretter Nov 11 '13 at 20:15
  • Best practice generally indicates the use of a dedicated unconfigured port for the capture of mirrored traffic, and prevents any risk of your administrative interface becoming overloaded in any way. – Phil Nov 16 '13 at 00:16

0 Answers