Hello,
I am testing out the sniffer sensor and have it configured in the following way:
Configured port mirroring (spanning)
The server setup is a sVM on hyper V server with several nics. One nic is dedicated for PRTG management, host access etc.
The second nic is dedicated to the sniffer and is plugged into port on our cisco 3750 with port mirroring configured.
Essentially this hyper v host has 2 virtual switches that have a dedicated nic on each virtual switch.
Cisco port config Port being monitored interface GigabitEthernet1/0/1 description Uplink to internet egress switchport mode access speed 100 duplex full Destination port: interface GigabitEthernet1/0/3 description SFS-NETMON Mirror P1 switchport mode access Spanning config monitor session 1 source interface Gi1/0/1 monitor session 1 destination interface Gi1/0/3
The port it is monitoring is our uplink to our MPLS provider
My expectation is to see source and destination of all packets. All i am seeing is local traffic and appears to be broadcast traffic.
Should the nic have an IP address? What am i missing?
Thanks in advanced
Jason
Article Comments
How do i put the nic in promiscous mode? Do I do this on the hyper v host or in the guest?
Thanks
Jun, 2012 - Permalink
Usually it is locally set (so in the guest), but with Virtual Systems you may need to set it also on the host-system.
Jun, 2012 - Permalink
Is this something that is set in nic properties? I cannot seem to find that setting anywhere on the NIC
Jun, 2012 - Permalink
another way to cause this, even when the card is in the correct mode, is if the hub you are plugged into is actually a switch, that is not uncommon with 100 mb hubs, especially those that include NAT/WAN services, in this case there may be some special ports to configure on the switch to replicate traffic, if not it might be necessary to install an intermediate hub on the segment you wish to sniff
Nov, 2020 - Permalink
Hello,
just to check, is the NIC (its driver) running in promiscuous mode? If not, the situation would exactly as described, so PRTG seeing only local traffic.
best regards.
Jun, 2012 - Permalink