You can capture traffic from an entire switch, or specific ports, by configuring a SPAN port on your managed switch.

Let’s see how this looks in practice. Imagine you have a managed switch, say a Cisco Catalyst 3750, and you want to see all traffic going to and from your web server, which is plugged into port GigabitEthernet1/0/1. You’d also want a machine running Wireshark to receive this captured traffic, and let’s say that machine is connected to port GigabitEthernet1/0/2.

First, you’d configure the source port(s) on the switch. This tells the switch which traffic to duplicate.

Switch# configure terminal
Switch(config)# monitor session 1 source interface GigabitEthernet1/0/1 both

Here, monitor session 1 creates a new monitoring session. source interface GigabitEthernet1/0/1 designates the web server’s port as the source. both means we want to capture both incoming (Rx) and outgoing (Tx) traffic on that port. If you wanted to capture traffic from multiple ports, you’d add more source lines to the same session:

Switch(config)# monitor session 1 source interface GigabitEthernet1/0/1 both
Switch(config)# monitor session 1 source interface GigabitEthernet1/0/3 both

Next, you configure the destination port. This is where the duplicated traffic will be sent, and where your Wireshark machine is connected.

Switch(config)# monitor session 1 destination interface GigabitEthernet1/0/2

This command tells the switch to send all the traffic it’s monitoring for session 1 to port GigabitEthernet1/0/2. It’s crucial that the destination port is not carrying any regular network traffic, as it will be flooded with duplicated packets, and any traffic originating from or destined for the Wireshark machine itself will be lost.

Finally, you exit configuration mode and verify your setup.

Switch(config)# end
Switch# show monitor session 1

This command will show you the status of your SPAN session, confirming the source and destination interfaces. Once this is set up, you start Wireshark on the machine connected to GigabitEthernet1/0/2 and select that interface as the capture interface. You should then begin seeing all the traffic that passes through GigabitEthernet1/0/1.
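As an added example (not code from the original article or from Cisco), the following Python parses a constructed `show monitor session 1` output laid out the way Catalyst switches print it and checks it against the intended configuration: each intended source mirrored in both directions, the destination being exactly the Wireshark port, and the destination not also appearing as a source. The output layout is an assumption; adjust the patterns if your switch prints it differently.

```python
import re
# Constructed sample in the layout of Catalyst "show monitor session 1" output (layout is an assumption).
SAMPLE_SHOW_MONITOR = """\
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Gi1/0/1,Gi1/0/3
Destination Ports      : Gi1/0/2
    Encapsulation      : Native
          Ingress      : Disabled
"""

def _ports(csv):
    # "Gi1/0/1,Gi1/0/3" -> ["Gi1/0/1", "Gi1/0/3"]
    return [p.strip() for p in csv.split(",") if p.strip()]

def parse_show_monitor(text):
    """Extract session id, source ports keyed by direction, and destination ports."""
    sess = {"session": 0, "sources": {}, "destinations": []}
    in_sources = False
    for line in text.splitlines():
        if m := re.match(r"^Session (\d+)", line):
            sess["session"] = int(m.group(1))
        elif line.startswith("Source Ports"):
            in_sources = True
        elif line.startswith("Destination Ports"):
            in_sources = False
            sess["destinations"] = _ports(line.split(":", 1)[1])
        elif in_sources and (m := re.match(r"^\s+(Both|RX Only|TX Only)\s*:\s*(.*)$", line)):
            sess["sources"][m.group(1)] = _ports(m.group(2))
    return sess

def check_session(sess, want_sources, want_dest):
    """Return a list of problems; an empty list means the session matches intent."""
    problems = []
    both = set(sess["sources"].get("Both", []))
    missing = sorted(set(want_sources) - both)
    if missing:
        problems.append(f"not mirrored in both directions: {missing}")
    if sess["destinations"] != [want_dest]:
        problems.append(f"destination is {sess['destinations']}, expected [{want_dest}]")
    if any(want_dest in ports for ports in sess["sources"].values()):
        problems.append("destination port is also listed as a source")
    return problems

if __name__ == "__main__":
    parsed = parse_show_monitor(SAMPLE_SHOW_MONITOR)
    print(check_session(parsed, ["Gi1/0/1", "Gi1/0/3"], "Gi1/0/2") or "session matches intent")
```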

The core problem SPAN ports solve is the inability to passively observe traffic on a network segment when you don’t have a direct tap point and the traffic isn’t destined for your own machine. Switches, by design, only send traffic out the port(s) where the destination MAC address has been learned, or out all ports for broadcasts and multicasts. SPAN (Switched Port Analyzer), also known as port mirroring (RSPAN, Remote SPAN, is the variant that carries the mirrored traffic to a port on another switch), essentially tricks the switch into duplicating packets and sending them to a designated "monitor" port. This allows a network analyzer like Wireshark to see traffic that it wouldn’t normally see. The both keyword matters because it captures traffic in both directions on the source port, giving you a complete picture of the communication.

It’s important to remember that SPAN is a traffic duplication mechanism, not a filtering one. The switch duplicates all specified traffic. If you’re monitoring a busy server port, your Wireshark machine will be inundated with packets. You’ll likely need to apply display filters in Wireshark to isolate the traffic you’re interested in. For instance, if you’re troubleshooting an HTTP issue, you’d filter by tcp.port == 80 or http.

Some switches allow you to create "ingress-only" or "egress-only" SPAN sessions. This is mechanically achieved by omitting the both keyword and specifying source interface <interface_id> rx for incoming traffic, or source interface <interface_id> tx for outgoing traffic. This can reduce the load on your monitoring interface if you only need to see traffic in one direction.

When configuring SPAN, ensure the destination port is connected to a dedicated monitoring device and is not used for regular network traffic. If the destination port also participates in the network, the switch will learn MAC addresses on it, and packets destined for it might not reach your Wireshark machine. Furthermore, the destination port should ideally be configured as a trunk port if you intend to capture traffic from multiple VLANs, and the Wireshark machine should be configured to understand VLAN tagging (e.g., on a Linux host whose interface carries tagged traffic, capturing on the VLAN subinterface eth0.10 to see VLAN 10 traffic).

After setting up SPAN and starting Wireshark, the next logical step is often to analyze the captured packets for specific anomalies or patterns related to your troubleshooting objective, which might involve deep packet inspection or following TCP streams.
