Hi All,
I have cisco 2950 switch and mirror all ports on one port now I want to log all data of this mirror port on my Linux system, its preferable to log all data in iptables log form so I can user it in some other work too(how to do that)??? . and what ever I do for this all written below.

1. plug mirror port LAN in my eth0 (linux pc ethernet) and try to log packets which hits eth0 through iptables.
iptables -I INPUT -i eth0 -j LOG --log-prefix "MIRROR-PORT"

but nothing happens,
then I try,
iptables -I INPUT -i ! eth1 -j LOG --log-prefix "MIRROR-PORT2"
still short ammount of packets/ bytes log.
tcpdump shows me thousand of traffic on eth0 but iptables logs only 10 to 20 bytes and packets in 5 to 10 min. (what is going wronge)

Plzz help me. its very very important to solve this issue for me, I am tring to do that since 4 days.

Thanks in Advance.
Rizwan.

You are using iptables, which is not intended to do this. iptables is designed to log locally, pertaining to the local machine. By spanning the port, you have placed the machine in the same broadcast domain (you really haven't, but that is how your machine will view it) as the machine on the spanned port. If your interface is running in promiscuous mode, it will ignore the destination MAC address, buffer and process all frames on the wire. iptables, however, will ignore these requests, because the destination IP is not the one that the kernel is running. If you want to log frames on the wire, you should be exploring the use of the very granular filter options with tcpdump, or even better, ethereal (http://ethereal.org)