

When I first looked at the documentation for ERSPAN I could imagine some uses for it. In some cases it could replace RSPAN, but since it’s only available on Cisco Nexus switches, newer Catalyst 6500s, Cisco ASR routers, and other “high end” devices, I determined that it really had limited uses.

But I was wrong. ERSPAN is awesome and in this article, I’ll show you why.

ERSPAN is an acronym that stands for encapsulated remote switched port analyzer. ERSPAN mirrors traffic on one or more “source” ports and delivers the mirrored traffic to one or more “destination” ports on another switch. The traffic is encapsulated in generic routing encapsulation (GRE) and is, therefore, routable across a layer 3 network between the “source” switch and the “destination” switch. This works great if you have a dedicated system running a packet sniffer - e.g. Wireshark - connected to an ERSPAN-capable “destination” switch, but what if you don’t?

But There’s an Easier Way

This is where my new favorite trick comes in. When configuring the IP address of the destination, what happens if you simply enter the IP address of your own PC? Yes, all of the encapsulated mirrored traffic is sent to your PC’s IP address. With a simple capture filter setup in Wireshark you can limit your captured packets only to GRE packets. Now you’re only seeing the mirrored traffic. Wireshark realizes that the traffic is encapsulated and automatically displays the “real” source and destination IP addresses of the captured traffic, not the source switch’s IP address and your PC’s (destination) IP address. As a bonus, if you’re sniffing a VLAN trunk, the 802.1Q tags are also captured in the ERSPAN header info.

So How Do I Configure This?

First configure your “source” switch. On a Cisco Nexus 7000 Series switch it looks like this:

    erspan-id 32 # required, # between 1-1023
    destination ip 10.1.2.3 # IP address of Sniffer PC
    source interface port-channel1 both # Port(s) to be sniffed
    filter vlan 3900 # limit VLAN(s) (optional)
    monitor erspan origin ip-address 10.1.2.1 global # global command, entered outside the session

On your Sniffer PC running Wireshark, you’ll want to configure a Capture Filter that limits the captured traffic to IP Protocol number 47, which is GRE. 47 in HEX is 2F, so the capture filter for this is ip proto 0x2f.

Notice that you can even see the VLAN tag (Vlan: 3900) in the ERSPAN header.
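The decoding Wireshark performs on this traffic can be reproduced by hand. The following is an added example, not code from the original article: it assumes ERSPAN Type II (GRE protocol type 0x88BE) and parses a constructed packet that reuses the article's addresses, session ID 32 and VLAN 3900. The inner addresses 192.0.2.10 and 198.51.100.20 and the function names are made up for illustration.

```python
import socket
import struct

GRE = 47             # IP protocol number matched by the capture filter (0x2f)
ERSPAN_II = 0x88BE   # GRE protocol type for ERSPAN Type II (assumed type)

def ipv4(src, dst, proto, payload=b""):
    """Minimal IPv4 header for the constructed sample (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def build_sample():
    """Constructed packet: session 32, VLAN 3900, inner addresses are made up."""
    inner = bytes(12) + struct.pack("!H", 0x0800) + ipv4("192.0.2.10", "198.51.100.20", 6)
    erspan = struct.pack("!HHI", (1 << 12) | 3900, 32, 0)   # ver=1 | VLAN, session, index
    gre = struct.pack("!HHI", 0x1000, ERSPAN_II, 1)         # S bit set, sequence 1
    return ipv4("10.1.2.1", "10.1.2.3", GRE, gre + erspan + inner)

def parse_erspan(pkt):
    """Return outer/inner addresses, session ID and VLAN of an ERSPAN II packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != GRE:
        raise ValueError("not an IPv4/GRE packet")
    off = (pkt[0] & 0x0F) * 4                        # outer IP header length
    try:
        flags, ptype = struct.unpack_from("!HH", pkt, off)
        if ptype != ERSPAN_II:
            raise ValueError("GRE payload is not ERSPAN Type II")
        # Skip the optional GRE checksum (C), key (K) and sequence (S) words.
        off += 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
        ver_vlan, cos_sess = struct.unpack_from("!HH", pkt, off)
        if ver_vlan >> 12 != 1:
            raise ValueError("unexpected ERSPAN version")
        off += 8                                     # ERSPAN II header is 8 bytes
        (etype,) = struct.unpack_from("!H", pkt, off + 12)
        off += 14                                    # inner Ethernet header
        if etype == 0x8100:                          # mirrored frame kept its 802.1Q tag
            (etype,) = struct.unpack_from("!H", pkt, off + 2)
            off += 4
        if etype != 0x0800:
            raise ValueError("inner frame is not IPv4")
        in_src, in_dst = struct.unpack_from("!4s4s", pkt, off + 12)
    except struct.error:
        raise ValueError("truncated packet") from None
    return {"outer": (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])),
            "session": cos_sess & 0x3FF, "vlan": ver_vlan & 0xFFF,
            "inner": (socket.inet_ntoa(in_src), socket.inet_ntoa(in_dst))}

if __name__ == "__main__":
    print(parse_erspan(build_sample()))
```

The "outer" pair is the switch origin address and the sniffer PC, while the "inner" pair is what Wireshark shows as the real source and destination.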
