Wireshark-bugs: [Wireshark-bugs] [Bug 5244] Add Dissector for ERSPAN Type-III Header
Date: Fri, 24 Sep 2010 08:47:11 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5244

--- Comment #16 from Jason Masker <jason@xxxxxxxxxx> 2010-09-24 08:46:57 PDT ---
Created an attachment (id=5212)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=5212)
Capture for ERSPAN header comparison

Here is a sample capture to help with comparing the three different header
types I am seeing. (And also a wonderful example of why I love ERSPAN :D)

I set up 3 simultaneous captures of an ICMP echo & response stream. The capture
shows this repeated echo and response between two hosts, but you see each
packet 3 times. I set up the following:

On a Catalyst 6500:
Session 2
---------
Type                   : ERSPAN Source Session
Status                 : Admin Disabled
Source VLANs           :
    Both               : 1254
Destination IP Address : 10.0.33.13
Destination ERSPAN ID  : 111
Origin IP Address      : 10.0.15.255

On a Nexus 1000v:

   session 2
---------------
type              : erspan-source
state             : up
source intf       :
    rx            : Veth21
    tx            : Veth21
    both          : Veth21
source VLANs      :
    rx            :
    tx            :
    both          :
filter VLANs      : filter not specified
destination IP    : 10.0.33.13
ERSPAN ID         : 222
ERSPAN TTL        : 64
ERSPAN IP Prec.   : 0
ERSPAN DSCP       : 0
ERSPAN MTU        : 1500
ERSPAN Header Type: 2

   session 3
---------------
type              : erspan-source
state             : up
source intf       :
    rx            : Veth21
    tx            : Veth21
    both          : Veth21
source VLANs      :
    rx            :
    tx            :
    both          :
filter VLANs      : filter not specified
destination IP    : 10.0.33.13
ERSPAN ID         : 333
ERSPAN TTL        : 32
ERSPAN IP Prec.   : 1
ERSPAN DSCP       : 8
ERSPAN MTU        : 1500
ERSPAN Header Type: 3


You can identify which packets are coming from which captures by the erspan id.
You will find all three vary slightly in the headers.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.