First of all, you need to know what ports you want to monitor (mirror). For me it happened to be both of the ports attached to the two load-balanced firewalls. So, I need both of the ports mirrored to a single monitoring port that my laptop is hooked up to.
Here's how:
4507#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
4507(config)#monitor session 1 source interface g2/40
4507(config)#monitor session 1 source interface g2/42
The two monitor commands above tell the switch which ports I want to capture traffic on. These are my two firewall ports. Now, I need to tell it where to mirror the traffic:
4507(config)#monitor session 1 destination interface g2/9
If you are running these commands from a device attached to port g2/9, you will immediately lose connection with the switch, because the port is no longer accepting traffic from your device and is just sending out everything from the two source ports. If you run your packet capture software it should go crazy with traffic, and you can start tracking down your bandwidth hog.
We can verify that the monitoring (mirroring) is set up correctly with this command (drop the "do" if you aren't in configuration mode):
4507(config)#do show monitor
Session 1
---------
Type : Local Session
Source Ports :
Both : Gi2/40,Gi2/42
Destination Ports : Gi2/9
Encapsulation : Native
Ingress : Disabled
Learning : Disabled
Filter Pkt Type :
RX Only : Good
When you're done, don't forget to run the following command to remove your monitoring session:
SCH0C1(config)#no monitor session 1
That's all there is to it!
