
Capturing FTP on mirrored port not working


Hi, we have Extreme Summit x450e (48-port) switches in our environment and I'm trying to capture FTP traffic between a copier on my network and a file server.

  • I mirrored the copier port
  • Plugged a laptop into the mirrored port
  • Started Wireshark capture in promiscuous mode
  • Scanned a document on the copier, which opens an FTP connection to our file server
  • No FTP traffic appears in the capture
OK. Let's see if Wireshark can pick up the FTP traffic natively from my laptop, with no port mirroring

  • Opened Wireshark on my laptop ... capturing in promiscuous mode
  • Established an FTP connection with the file server via CLI
  • Observed FTP protocol in Wireshark capture (Success!)
OK. So it's not my config of Wireshark. It is picking up FTP traffic natively from my laptop. So let's mirror the port my laptop is on and try again

  • I mirrored my laptop port on the switch
  • Plugged a new laptop into the mirrored port
  • Opened Wireshark on the new laptop... capturing again in promiscuous mode
  • Established an FTP connection from my laptop to the file server via CLI
  • No FTP traffic captured
This leads me to believe that there is something about the mirroring process on my switches that is not sending FTP traffic to a mirrored port. I know not everyone has Extreme switches, but has anyone heard of such behavior in their own environments?

Thanks for listening and I appreciate any help.

3 replies

Userlevel 6
Hello Joe

I have not seen or maybe I don't remember this ever being an issue. Can you add your mirror config to the post to see how things are set up?

In general you set up the mirror port then you add the port you want to mirror to the mirror and all traffic should show up.

I will see if I can try it out.

Thanks
P
Userlevel 4
Hello Joe,

It would be helpful to see the mirror configuration; however, you can also double check the configuration. Typical mirror setup is as follows (utilizing the "DefaultMirror"):

configure mirror defaultmirror add port (port you want to capture traffic from)
enable mirror defaultmirror to port (port you are connected to with Wireshark running)

Thanks
Userlevel 6
Are you sure that the printer/scanner is doing FTP?
I have never had an issue of "not seeing traffic" with port mirroring, but it can of course be a bug.
When you have the mirror configured, do you see other unicast traffic from the printer?
Take another computer and ping the printer. Do you see the ping & pong in your Wireshark? This will give you a hint whether only FTP is missing or the mirror does not work at all...

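The check suggested in the last reply (does the mirror capture hold any unicast or ping traffic for the copier, or is only FTP missing?) can be run over a saved capture. This is an added example, not part of the thread: the function names are hypothetical, the addresses and sample frames are constructed, and it assumes a classic little-endian pcap file with Ethernet/IPv4 frames and FTP control on TCP port 21.

```python
import socket, struct
def triage_mirror_capture(pcap, host_ip):
    """Tally frames to/from host_ip in a classic little-endian pcap (Ethernet, IPv4)."""
    if struct.unpack_from("<I", pcap)[0] != 0xA1B2C3D4:
        raise ValueError("expected a classic little-endian pcap file")
    host = socket.inet_aton(host_ip)
    seen = {"frames": 0, "unicast": 0, "icmp_echo": 0, "ftp_control": 0}
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len, = struct.unpack_from("<I", pcap, off + 8)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        seen["frames"] += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                           # not IPv4 (ARP, STP, LLDP, ...)
        ip = frame[14:]
        if host not in (ip[12:16], ip[16:20]):
            continue                           # neither source nor destination is the host
        if not frame[0] & 1:                   # I/G bit clear: unicast destination MAC
            seen["unicast"] += 1
        l4 = ip[(ip[0] & 0x0F) * 4:]           # skip the IPv4 header (IHL words)
        if ip[9] == 1 and l4[:1] in (b"\x08", b"\x00"):
            seen["icmp_echo"] += 1             # echo request or echo reply
        elif ip[9] == 6 and len(l4) >= 4 and 21 in struct.unpack_from("!HH", l4):
            seen["ftp_control"] += 1           # assumption: FTP control on TCP port 21
    return seen

def verdict(seen):
    if not seen["unicast"]:
        return "no unicast to or from the host: the mirror is not delivering its traffic"
    ftp = "present" if seen["ftp_control"] else "absent"
    return f"mirror delivers host unicast; FTP control (port 21) {ftp}"

def build_frame(dst_mac, src_ip, dst_ip, proto, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return dst_mac + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + ip + l4

def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed sample: a broadcast from the copier plus a ping and its reply, no FTP.
COPIER = "192.0.2.50"
SAMPLE = build_pcap([
    build_frame(b"\xff" * 6, COPIER, "192.0.2.255", 17, struct.pack("!HHHH", 137, 137, 8, 0)),
    build_frame(b"\x02\x00\x00\x00\x00\x02", "192.0.2.10", COPIER, 1, b"\x08" + bytes(7)),
    build_frame(b"\x02\x00\x00\x00\x00\x03", COPIER, "192.0.2.10", 1, bytes(8)),
])
print(verdict(triage_mirror_capture(SAMPLE, COPIER)))
```

Only the FTP control connection is counted; data connections use other ports. Save the capture from Wireshark in the classic pcap format rather than pcapng before running it through this.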