SPAN (Switched Port Analyser) is required whenever you have a system that needs to log and monitor traffic passing through a switch. Since a switch only sends traffic to the machine requiring the packets, a sniffer plugged into the switch would see only traffic to the sniffer, traffic from the sniffer, and broadcast and multicast traffic.
For any type of sniffing function (IPS, IDS, Wireshark, etc.) to work, we must configure the switch to send traffic to the port the sniffer is plugged into.
In the live demo below I have configured my switch to send any and all traffic going to, or coming from, FastEthernet ports 0/1 – 0/10 to my sniffer, which is plugged in on FastEthernet 0/15.
Here is the breakdown of the commands:
AOIP.ORG_Switch# conf t
Enter global configuration mode.
AOIP.ORG_Switch(config)# monitor session 1 source interface fastethernet 0/1 - 10 both
This defines the source ports and the direction of traffic I want to monitor. The session number ‘1’ must be referenced in my next statement.
AOIP.ORG_Switch(config)# monitor session 1 destination interface fastethernet 0/15
This defines the destination port I wish to have a copy of the traffic sent to, and links this to the session number used to define the source ports.
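The session number is what ties the source ports to the destination port, so a saved configuration can be checked for sessions where that link is missing. The following is an added example, not part of the original post: a small Python audit that parses `monitor session` lines, expands the port range, and flags incomplete sessions. The function names, the sample text, and session 2 are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the two SPAN lines from this page, plus a hypothetical
# session 2 that has a source port but no destination.
SAMPLE_CONFIG = """\
monitor session 1 source interface fastethernet 0/1 - 10 both
monitor session 1 destination interface fastethernet 0/15
monitor session 2 source interface fastethernet 0/20 rx
"""

LINE_RE = re.compile(
    r"^monitor session (\d+) (source|destination) interface "
    r"(\S+?)\s*(\d+/\d+)(?:\s*-\s*(\d+))?(?:\s+(both|rx|tx))?\s*$",
    re.IGNORECASE,
)

def parse_span(config):
    """Return {session: {"source": [(port, direction)], "destination": [port]}}."""
    sessions = defaultdict(lambda: {"source": [], "destination": []})
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a per-interface SPAN line
        sid, role, kind, first, last, direction = m.groups()
        slot, start = first.split("/")
        end = int(last) if last else int(start)
        for port in range(int(start), end + 1):  # expand "0/1 - 10"
            name = f"{kind.lower()}{slot}/{port}"
            # assumption: a source line with no keyword is treated as "both"
            entry = (name, (direction or "both").lower()) if role.lower() == "source" else name
            sessions[int(sid)][role.lower()].append(entry)
    return dict(sessions)

def audit(sessions):
    """Flag sessions where source and destination are not tied together."""
    findings = []
    for sid, s in sorted(sessions.items()):
        if s["source"] and not s["destination"]:
            findings.append(f"session {sid}: source ports but no destination")
        if s["destination"] and not s["source"]:
            findings.append(f"session {sid}: destination but no source ports")
    return findings

if __name__ == "__main__":
    print(audit(parse_span(SAMPLE_CONFIG)))
```

The same listing of mirrored ports and destinations is useful when reviewing a switch for SPAN sessions nobody remembers creating.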