I am attempting to use ntop to monitor traffic over a Cisco Catalyst switch. I was assuming that in order to see any of the traffic, I'd have to use monitor, as described here: http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml.
However, before I did anything on the switch, I simply plugged my ntop server in and fired up ntop. To my surprise, I instantly see 3+ pages of hosts, and thousands of packets. How is ntop seeing this?
I have verified that no monitoring exists on the switch (run as en):
cs1.pvdc#show monitor
No SPAN configuration is present in the system.
My ntop server is Ubuntu 8.04, I haven't done ANY configuration, I just installed the ntop package. This is also a fresh Ubuntu install.
Is there anything else on my switch besides "monitor" that might cause my switch to mirror all its traffic like this? I've tried plugging ntop into different ports with the same results.
UPDATE: It appears to be more than just broadcast traffic showing up in ntop; for example, I can see when my IPs have talked to the DNS server or generated HTTP traffic. If my switch is misconfigured, can anyone point me in the right direction towards rectifying this? Not a Cisco expert.
What kind of packets are you seeing? In general I've found that a good size network will inevitably have a lot of broadcast chatter. Things like NetBIOS announcements and ARP requests. What you shouldn't see is any point to point traffic. Look at the source and destination IP/MAC addresses. If you are seeing specific point to point traffic then there is possibly a configuration problem with your switch.
Also, it would be good to turn
spanning-tree port-fast
on each of your access ports of the switch, because this will prevent the MAC address table from getting flushed when a port goes up/down, which is usually the cause of switches flooding packets.
EDIT:
You could try changing the MAC address table aging time:
http://www.cisco.com/en/US/docs/ios/12_3/switch/command/reference/swi_m1.html#wp1085773
The command would be:
mac-address-table aging-time seconds
This would change the time an entry stays in the switch's table, allowing it to remember addresses longer and limit unicast flooding.
The other command to use is the one I mentioned above
spanning-tree port-fast
You should enable this on each interface that does not connect to another switch. This will have 2 benefits: First, it will speed up the time it takes to plug in a new computer; Second, it will also keep the switch from flushing the MAC table when it thinks there is a topology change (a feature of spanning tree).
I use NTOP as well and this is what is happening in your case.
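As an added example (not code from the thread), the check suggested above can be applied to a packet capture taken from the ntop host: broadcast and multicast frames are expected on any switched port, but unicast frames addressed to other hosts should not reach ntop's port unless the switch is flooding. The Python below assumes a list of raw Ethernet II frames; MY_MAC and the sample frames are constructed placeholders.

```python
# Added example: classify Ethernet frames seen on a switch port to separate
# normal broadcast/multicast chatter from flooded unicast traffic.
from collections import Counter

BROADCAST = bytes.fromhex("ffffffffffff")

def classify(frame: bytes, my_mac: bytes) -> str:
    """Classify a frame by its 14-byte Ethernet II header destination."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[0:6]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:          # group bit set: multicast (STP, CDP, IPv4/IPv6 mcast)
        return "multicast"
    if dst == my_mac:
        return "unicast-to-me"
    return "unicast-flooded"   # unicast for another host that reached our port

def flood_report(frames, my_mac):
    """Count each class and return the share of flooded unicast frames."""
    counts = Counter(classify(f, my_mac) for f in frames)
    total = sum(counts.values())
    flooded = counts["unicast-flooded"]
    return {"counts": dict(counts),
            "flooded_ratio": flooded / total if total else 0.0}

def build_frame(dst_hex, src_hex, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a minimal Ethernet II frame (constructed test data only)."""
    return (bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
            + ethertype.to_bytes(2, "big") + payload)

MY_MAC = bytes.fromhex("0200deadbeef")  # constructed placeholder for the ntop NIC

# Constructed sample capture: an ARP broadcast, an STP multicast, one frame
# addressed to us, and two unicast frames between other hosts (the kind of
# traffic a correctly learning switch would not forward to our port).
SAMPLE = [
    build_frame("ffffffffffff", "020000000001", 0x0806),
    build_frame("0180c2000000", "020000000002"),
    build_frame("0200deadbeef", "020000000003"),
    build_frame("020000000004", "020000000005"),
    build_frame("020000000006", "020000000005"),
]

if __name__ == "__main__":
    print(flood_report(SAMPLE, MY_MAC))
```

A flooded_ratio well above zero on a port with a single host attached is the symptom the answer describes; a nonzero count of unicast-to-me frames from hosts you never talked to points the same way.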
Note: The SPAN will monitor A to B and B to A traffic on one port. If you have full duplex 2x 100 Mbit, the overall traffic between A and B can't exceed the network speed 100 Mbit before packet loss occurs. This shouldn't be a problem with a gigabit switch.
(source: cisco.com)
If you have a very large LAN, then check the size of your switches' MAC table storage. If you are overflowing it a lot, then your switches will start to flood.
I've seen this problem with a network that had core switches configured to filter layer 2 multicast packets, which led to incomplete MAC tables on many of the access switches.
If you have physical access to the switch, switch its diagnostic LEDs to traffic mode; you should see an even distribution of activity on every port (shows even traffic distribution). If there is a lot of synchronisation, then there's a lot of flooding going on. If all switches are the same, then you have a MAC table learning problem.