Wednesday, December 2, 2020

tcpdump/tshark filter inside ERSPAN packet

Hello !

We're using ERSPAN on Catalyst 3k and Nexus 3k to mirror several VLANs traffic to a virtual monitoring appliance for voice analysis. This works great, as the monitoring application can natively decapsulate ERSPAN and look at the SIP or RTP original packet.

But we also sometimes need to start longer capture sessions, directly via the Linux CLI using (until now) the tshark program, usually in a screen session to keep it running for hours or days.

Since we've switched to ERSPAN (we were using a SPAN session from a physical switch interface before, as the monitoring appliance was a physical server), we can't use source and/or destination IP as tshark filters, as the src/dst IPs are always from the two devices on the ERSPAN session (switch mirroring the traffic, appliance receiving the mirrored traffic).

We would thus need a tcpdump or tshark filter to match the original IP headers inside the ERSPAN (GRE) packet. I've read many articles (i.e. below), but I wasn't able to filter out the wanted traffic yet.

I've tried the ip[x:y] == hex/decimal value but no luck. I'm not sure why they use 40 as the starting byte for source IP in one article, and 54 in the other though.

And as they are not specifically talking about ERSPAN, I guess I could have a different overhead size too.

If this is something you have already done, I would gladly take any pointers you can give me ;)

Thanks !
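The offset confusion in the question comes from the encapsulation itself: tcpdump's `ip[x]` counts from the start of the outer IPv4 header, and the inner IPv4 header sits behind the GRE header (4 bytes, plus a 4-byte sequence number when the S bit is set), the ERSPAN header (8 bytes for Type II, none for Type I) and the mirrored Ethernet header (14 bytes, or 18 with an 802.1Q tag). The script below is an added example, not part of the original post, that computes those offsets for ERSPAN Type I and II, generates the matching capture filter string, and checks the arithmetic against a constructed ERSPAN Type II frame (sample MACs, RFC 5737/1918 addresses and a zero IP checksum; none of it is real traffic). It assumes an outer IPv4 header without options; ERSPAN Type III has a different header and is not handled.

```python
import ipaddress
import struct

# Header sizes (bytes) for ERSPAN over GRE over IPv4, assuming no outer IP options.
ETH_LEN = 14
IPV4_LEN = 20
GRE_BASE_LEN = 4   # flags/version + protocol type (0x88BE for ERSPAN Type I/II)
GRE_SEQ_LEN = 4    # ERSPAN Type II sets the GRE S bit, adding a sequence number
ERSPAN2_LEN = 8    # ERSPAN Type II header (Type I carries no ERSPAN header)


def inner_ip_offset(erspan_type=2, inner_vlan_tag=False):
    """Offset of the inner IPv4 header counted from the start of the OUTER
    IPv4 header, which is the origin that tcpdump's ip[x] indexing uses."""
    if erspan_type not in (1, 2):
        raise ValueError("only ERSPAN Type I and II are handled here")
    off = IPV4_LEN + GRE_BASE_LEN
    if erspan_type == 2:
        off += GRE_SEQ_LEN + ERSPAN2_LEN
    off += ETH_LEN
    if inner_vlan_tag:          # mirrored frame still carries its 802.1Q tag
        off += 4
    return off


def bpf_filter(inner_src=None, inner_dst=None, erspan_type=2, inner_vlan_tag=False):
    """Capture-filter string (tcpdump, or tshark -f) matching the inner IPv4 addresses."""
    base = inner_ip_offset(erspan_type, inner_vlan_tag)
    # outer packet must be GRE, and the GRE protocol type must be ERSPAN (0x88BE)
    terms = ["ip proto 47", f"ip[{IPV4_LEN + 2}:2] == 0x88be"]
    for addr, field_off in ((inner_src, 12), (inner_dst, 16)):   # src at +12, dst at +16
        if addr is not None:
            val = int(ipaddress.IPv4Address(addr))
            terms.append(f"ip[{base + field_off}:4] == 0x{val:08x}")
    return " and ".join(terms)


def _ipv4_header(src, dst, proto, payload_len):
    # checksum left at 0: this is a constructed sample, not a transmittable packet
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_LEN + payload_len, 0x1234, 0x4000,
                       64, proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def build_sample_erspan_frame():
    """Constructed ERSPAN Type II frame: switch 192.0.2.1 -> appliance 192.0.2.2,
    carrying a mirrored UDP/5060 packet 10.10.10.10 -> 10.20.20.20 (sample addresses)."""
    payload = b"INVITE sip:bob@example.com SIP/2.0\r\n"
    udp = struct.pack("!HHHH", 5060, 5060, 8 + len(payload), 0) + payload
    inner_ip = _ipv4_header("10.10.10.10", "10.20.20.20", 17, len(udp)) + udp
    inner_eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    erspan = struct.pack("!II", (1 << 28) | 100, 0)   # version 1 (Type II), VLAN 100
    gre = struct.pack("!HHI", 0x1000, 0x88BE, 1)      # S bit set, ERSPAN, sequence 1
    outer_payload = gre + erspan + inner_eth + inner_ip
    outer_ip = _ipv4_header("192.0.2.1", "192.0.2.2", 47, len(outer_payload))
    outer_eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566") + b"\x08\x00"
    return outer_eth + outer_ip + outer_payload


def extract_inner_ips(frame, erspan_type=2, inner_vlan_tag=False):
    """(src, dst) of the inner IPv4 header; frame starts at the outer Ethernet header."""
    ip_start = ETH_LEN + inner_ip_offset(erspan_type, inner_vlan_tag)
    src, dst = struct.unpack_from("!4s4s", frame, ip_start + 12)
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))


def matches(frame, inner_src=None, inner_dst=None, erspan_type=2, inner_vlan_tag=False):
    """Python equivalent of the generated BPF expression, used to verify the offsets."""
    outer_ip = ETH_LEN
    if frame[outer_ip + 9] != 47:                                   # outer protocol = GRE
        return False
    if struct.unpack_from("!H", frame, outer_ip + IPV4_LEN + 2)[0] != 0x88BE:
        return False
    src, dst = extract_inner_ips(frame, erspan_type, inner_vlan_tag)
    return inner_src in (None, src) and inner_dst in (None, dst)


if __name__ == "__main__":
    frame = build_sample_erspan_frame()
    print("inner addresses:", extract_inner_ips(frame))
    print("tcpdump filter :", bpf_filter(inner_src="10.10.10.10"))
    print("filter matches :", matches(frame, inner_src="10.10.10.10"))
```

Before relying on the generated string for a long capture, confirm the layout on a few real packets with `tshark -V` (or `tcpdump -xx`) and adjust the ERSPAN type and VLAN-tag arguments to what the switch actually sends; a single extra or missing 4-byte field shifts every offset. Note also that a tshark display filter such as `ip.src == 10.10.10.10` already matches the decoded inner header, because Wireshark dissects ERSPAN, but display filters only select what is shown or written after decoding; only a capture filter (`tcpdump` expression or `tshark -f`) with these byte offsets limits what the kernel hands to the capture process.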


