Embedded Packet Capture – RSPAN


Recently I put up an article on embedded packet capture and SPAN sessions. This post expands on that a bit into RSPAN. When monitoring a port with a SPAN session, as mentioned in the previous article (1.4.a (iii) Embedded Packet Capture), you need to be in the same location as the switch your subject host is connected to. Sometimes that’s not exactly the perfect situation. It’s a lot easier (and faster) to run a SPAN session from your comfortable office versus a noisy wiring closet somewhere on site. That’s where RSPAN comes in! Here’s a bit of how that process looks.

*Note: A lot of this is based on regular SPAN sessions; read my other post linked above if you need a reference.

The first step is to create an RSPAN Vlan on your network. This needs to be a dedicated RSPAN Vlan that will not be used for anything else. It can’t be used for access ports, etc.

vlan 999
remote-span

Now you have a network-wide RSPAN Vlan. That is the same Vlan that will be used for all RSPAN sessions across your network. The next step is to go to the switch where your subject host is connected. Here is the monitor session you need to configure:

monitor session 1 source interface Gi0/1
monitor session 1 destination remote vlan 999

That creates your monitor session and sends all of the traffic to your new RSPAN Vlan, Vlan 999. Now you need to receive the traffic somehow. The last commands need to be configured on the switch that your personal workstation is connected to. That allows you to receive the RSPAN traffic in your favorite traffic analyzer, such as Wireshark:

monitor session 1 source remote vlan 999
monitor session 1 destination interface Gi0/24

Finally, that takes all traffic from the RSPAN Vlan and sends it out port Gi0/24 (where our laptop is connected). From there, it will act like a normal SPAN session. Your instance of Wireshark won’t even notice the difference!
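A monitor session copies a host's traffic to another part of the network, so it is worth checking saved configs against the rules above: the VLAN named in a session must be marked remote-span and must not be assigned to any access port. The script below is an added example, not part of the original post; the function name audit_rspan and both sample configs are constructed, and it assumes running-config text in which sub-commands are indented by a space.

```python
import re

# Constructed sample configs (not from the original post): GOOD follows the
# article's source-switch setup, BAD breaks both RSPAN Vlan rules.
GOOD = """\
vlan 999
 remote-span
!
interface GigabitEthernet0/1
 switchport access vlan 10
!
monitor session 1 source interface Gi0/1
monitor session 1 destination remote vlan 999
"""
BAD = """\
vlan 999
 name capture
!
interface GigabitEthernet0/5
 switchport access vlan 999
!
monitor session 1 source remote vlan 999
monitor session 1 destination interface Gi0/24
"""

def audit_rspan(config):
    """Return findings for RSPAN Vlan misuse in one switch's config text."""
    rspan_vlans, access_vlans, session_vlans = set(), {}, set()
    context = None  # ("vlan", id) or ("interface", name) while inside a block
    for line in config.splitlines():
        if m := re.match(r"vlan (\d+)$", line):
            context = ("vlan", m.group(1))
        elif m := re.match(r"interface (\S+)$", line):
            context = ("interface", m.group(1))
        elif not line.startswith(" "):  # any other top-level line ends the block
            context = None
            if m := re.match(r"monitor session \d+ \w+ remote vlan (\d+)", line):
                session_vlans.add(m.group(1))
        elif context and context[0] == "vlan" and line.strip() == "remote-span":
            rspan_vlans.add(context[1])
        elif context and context[0] == "interface":
            if m := re.match(r"\s+switchport access vlan (\d+)$", line):
                access_vlans[context[1]] = m.group(1)
    findings = [f"vlan {v} is used by a monitor session but is not marked remote-span"
                for v in sorted(session_vlans - rspan_vlans)]
    findings += [f"{port} is an access port in RSPAN vlan {v}"
                 for port, v in sorted(access_vlans.items())
                 if v in session_vlans | rspan_vlans]
    return findings
```

Run it over every switch in the path, since the RSPAN Vlan is network-wide and a stray access port on any of them would receive the mirrored traffic.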

That’s all there is to it. Pretty straightforward, and it saves you a trip to a far network closet on a remote side of the factory, campus, or hospital you might work in. Just one more tool to help diagnose issues on your network.

