Hub/Switch Reference Guide

578 Snoop Commands

NN47250-100 (Version 02.51)

History

Usage

Traffic that matches a snoop filter is copied after it is decrypted. The decrypted (clear)

version is sent to the observer.

For best results:

• Do not specify an observer that is associated with the AP where the snoop filter is running. This

configuration causes an endless cycle of snoop traffic.

• If the snoop filter is running on a AP, and the AP used a DHCP server in its local subnet to configure its

IP information, and the AP did not receive a default router (gateway) address as a result, the observer

must also be in the same subnet. Without a default router, the AP cannot find the observer.

• The AP that is running a snoop filter forwards snooped packets directly to the observer. This is a one-way

communication, from the AP to the observer. If the observer is not present, the AP still sends the snoop

packets, which use bandwidth. If the observer is present but is not listening to TZSP traffic, the observer

continuously sends ICMP error indications back to the AP. These ICMP messages can affect network and

AP performance.

Examples

The following command configures a snoop filter named snoop1 that matches on all

traffic, and copies the traffic to the device that has IP address 10.10.30.2:

WSS# set snoop snoop1 observer 10.10.30.2 snap-length 100

The following command configures a snoop filter named snoop2 that matches on all data traffic between the

device with MAC address aa:bb:cc:dd:ee:ff and the device with MAC address 11:22:33:44:55:66, and copies

the traffic to the device that has IP address 10.10.30.3:

WSS# set snoop snoop2 frame-type eq data mac-pair aa:bb:cc:dd:ee:ff

11:22:33:44:55:66 observer 10.10.30.3 snap-length 100