Log traffic between two end points?

I have the following Extreme switches running layer 2 and layer 3 for our organisation:

X670 G1 Firmware 16.2.2.4
X670 G2 Firmware 21.1.1.4

What is my easiest option for capturing layer 3 conversations from a source IP range?

I'd like to know what hosts in our DMZ are communicating to internal servers, so basically just capture anything with a source of x.x.x.x/27

Perhaps something like remote mirroring the inbound ISP ports to a Linux machine running tcpdump to capture, or a Windows box running Wireshark with a filter?
Ben Giles

Posted 6 months ago

Frank
What I've done in the past is port-mirroring, where you can even mirror a port to a remote port, meaning your Wireshark/whatever probe can sit on a completely different switch.

The other option is to tcpdump locally ON the switch. Yes, there's a packet capture command! Of course you may not want to keep that running forever - the switch does have limited space...
I usually just need to troubleshoot things and capture a few minutes of traffic, then TFTP the captured file to a server and read it through Wireshark after the capture. You could possibly even script that (capture this much data, stop, transfer file, erase file, start capturing again, rinse, repeat).

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-perform-a-local-packet-capture-on-a...

https://gtacknowledge.extremenetworks.com/articles/How_To/Perform-a-packet-capture-in-the-EXOS-CLI-using-the-command-debug-packet-capture   That's the one I usually go by.

Sorry, wanted to reply 2 days ago...

   Frank
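The workflow this thread arrives at (capture with a source filter, get the file onto a server, then work out who talked to whom) as an added example that is not part of the original question, Frank's reply, or Extreme's tooling: a small Python script that reads a classic libpcap file (the format tcpdump -w writes and Wireshark reads), keeps only IPv4 packets whose source falls inside a given /27, and counts DMZ-to-internal conversations by source host, destination host, protocol and destination port. The DMZ range 10.10.0.0/27, the internal addresses 192.168.1.x and the packets themselves are constructed sample data built inline so the script runs offline; the 802.1Q tag on one frame stands in for the VLAN tags that a mirror-port capture often carries, which a naive Ethernet parser would otherwise miss.

```python
"""Summarise DMZ -> internal conversations from a classic pcap file.
Added example for this thread; not code from the original posts."""
import ipaddress
import struct
from collections import Counter

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100          # 802.1Q tag, common in mirror-port captures
PROTO_NAMES = {6: "tcp", 17: "udp"}


def iter_pcap_frames(data):
    """Yield raw Ethernet frames from classic pcap bytes (either byte order)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):        # usec / nsec timestamp variants
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _frac, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_flow(frame):
    """Return (src, dst, proto, dport) for an IPv4 frame, or None if not IPv4."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    if ethertype == ETHERTYPE_VLAN:              # skip the 4-byte 802.1Q tag
        if len(frame) < 18:
            return None
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    if ethertype != ETHERTYPE_IPV4:
        return None                              # ARP, IPv6, LLDP, ... are ignored
    ip = frame[off:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src = ipaddress.IPv4Address(ip[12:16])
    dst = ipaddress.IPv4Address(ip[16:20])
    if proto in PROTO_NAMES and len(ip) >= ihl + 4:
        dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]   # same offset for TCP and UDP
        return src, dst, PROTO_NAMES[proto], dport
    return src, dst, "ip-proto-%d" % proto, None   # ICMP etc.: no port


def summarise(pcap_bytes, source_net):
    """Count packets per (src, dst, proto, dport) whose source lies in source_net."""
    net = ipaddress.ip_network(source_net, strict=False)
    convs = Counter()
    for frame in iter_pcap_frames(pcap_bytes):
        flow = parse_flow(frame)
        if flow is None or flow[0] not in net:
            continue                             # replies and other sources drop out here
        src, dst, proto, dport = flow
        convs[(str(src), str(dst), proto, dport)] += 1
    return dict(convs)


def _frame(src, dst, proto, dport, vlan=None):
    """Constructed sample frame: Ethernet/[802.1Q]/IPv4/transport-header stub.
    Checksums are left at zero; the parser above never validates them."""
    l4 = struct.pack("!HH", 40000, dport) + b"\x00" * 16    # sport, dport, rest zeroed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
    if vlan is not None:
        eth += struct.pack("!HHH", ETHERTYPE_VLAN, vlan, ETHERTYPE_IPV4)
    else:
        eth += struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


def build_sample_pcap():
    """Constructed pcap: a few DMZ (10.10.0.0/27) flows plus traffic that must be excluded."""
    frames = [
        _frame("10.10.0.5", "192.168.1.10", 6, 443),
        _frame("10.10.0.5", "192.168.1.10", 6, 443),
        _frame("10.10.0.5", "192.168.1.20", 6, 3306, vlan=100),  # tagged, as from a mirror port
        _frame("10.10.0.7", "192.168.1.10", 17, 53),
        _frame("192.168.1.10", "10.10.0.5", 6, 40000),           # reply direction: source not in /27
        _frame("10.10.0.40", "192.168.1.10", 6, 22),             # .40 lies outside 10.10.0.0/27
        b"\xff" * 6 + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x06" + b"\x00" * 28,  # ARP, ignored
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    result = summarise(build_sample_pcap(), "10.10.0.0/27")
    for (src, dst, proto, dport), n in sorted(result.items(), key=lambda kv: (kv[0][:3], kv[0][3] or 0)):
        print("%-12s -> %-14s %s/%s  %d packets" % (src, dst, proto, dport, n))
```

On a real capture, replace build_sample_pcap() with open(path, "rb").read(). The same source filter can be applied at capture time on the Linux box with tcpdump's BPF expression src net followed by the DMZ range, and tcpdump's -G seconds -w file rotation gives the capture, rotate, repeat loop from the reply above without any scripting; note that Wireshark saves as pcapng by default, which this parser does not read, so export as classic pcap or capture with tcpdump.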