Best practices for remote traffic monitoring, Configuring a snoop filter – 3Com WX4400 3CRWX440095A User Manual

Best Practices for Remote Traffic Monitoring
Do not specify an observer that is associated with the MAP where the snoop filter is running. This configuration causes an endless cycle of snoop traffic.

If the snoop filter is running on a Distributed MAP, and the MAP used a DHCP server in its local subnet to configure its IP information, and the MAP did not receive a default router (gateway) address as a result, the observer must also be in the same subnet. Without a default router (gateway), the MAP cannot find the observer.

The MAP that is running a snoop filter forwards snooped packets directly to the observer. This is a one-way communication, from the MAP to the observer. If the observer is not present, the MAP still sends the snoop packets, which use bandwidth. If the observer is present but is not listening to TZSP traffic, the observer continuously sends ICMP error indications back to the MAP. These ICMP messages can affect network and MAP performance.
To inform you of this condition, MSS generates a log message such as the following the first time an ICMP error message is received after a snoop filter starts:
MAP Mar 25 13:15:21.681369 ERROR DAP 3 ap_network: Observer 10.10.101.2 is not accepting TZSP packets
To prevent ICMP error messages from the observer, 3Com recommends 
using the Netcat application on the observer to listen to UDP packets on 
the TZSP port. 
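The listener recommended above, as an added example that is not part of the 3Com manual: a Python stand-in for Netcat that binds the TZSP UDP port on the observer and decodes each datagram instead of discarding it. The port number 37008 and the header and tag layout are assumptions taken from the publicly documented TZSP format, not from this page, and SAMPLE is a constructed datagram.

```python
import socket
import struct

TZSP_PORT = 37008  # assumption: the usual TZSP UDP port; the manual page does not give it
TAG_PADDING, TAG_END = 0, 1  # the only tags that carry no length byte
TAG_NAMES = {10: "rssi", 12: "data_rate", 18: "rx_channel"}  # subset of known tags
PROTO_NAMES = {1: "ethernet", 18: "ieee80211"}

def parse_tzsp(datagram: bytes) -> dict:
    """Split one TZSP datagram into header fields, tagged fields and the snooped frame."""
    if len(datagram) < 4:
        raise ValueError("datagram shorter than the 4-byte TZSP header")
    version, ptype, proto = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    tags, pos = {}, 4
    while True:
        if pos >= len(datagram):
            raise ValueError("tag list is not terminated by an END tag")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError("tag is missing its length byte")
        length = datagram[pos]
        value = datagram[pos + 1:pos + 1 + length]
        if len(value) != length:
            raise ValueError("tag value runs past the end of the datagram")
        tags[TAG_NAMES.get(tag, tag)] = value
        pos += 1 + length
    return {"type": ptype, "proto": PROTO_NAMES.get(proto, proto),
            "tags": tags, "frame": datagram[pos:]}

def listen(bind_addr: str = "0.0.0.0", port: int = TZSP_PORT) -> None:
    """Bind the UDP port so snoop packets are accepted rather than answered with ICMP errors."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (src, _) = sock.recvfrom(65535)
            try:
                info = parse_tzsp(data)
            except ValueError as exc:
                print(f"{src}: dropped malformed datagram ({exc})")
                continue
            print(f"{src}: proto={info['proto']} tags={info['tags']} frame={len(info['frame'])}B")

# Constructed sample: version 1, type 0, 802.11 payload, rx_channel=6, END tag, 4 frame bytes
SAMPLE = bytes([1, 0, 0, 18, 18, 1, 6, 1]) + b"\x80\x00\x00\x00"
if __name__ == "__main__":
    listen()
```

Restricting bind_addr to the interface that faces the MAP, and filtering on the MAP's source address, keeps the observer from accepting TZSP datagrams from other hosts.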
Configuring a Snoop Filter
To configure a snoop filter, use the following command:
set snoop filter-name [condition-list] [observer ip-addr] [snap-length num]
The filter-name can be up to 15 alphanumeric characters.
The condition-list specifies the match criteria for packets. Conditions in 
the list are ANDed. Therefore, to be copied and sent to an observer, a 
packet must match all criteria in the condition-list. You can specify up to 
eight of the following conditions in a filter, in any order or combination:
frame-type {eq | neq} {beacon | control | data | management | probe}
channel {eq | neq} channel
bssid {eq | neq} bssid
