Wireshark-bugs: [Wireshark-bugs] [Bug 6504] New: Wireshark unable to parse ERSPAN from HP Comwar
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: bugzilla-daemon@xxxxxxxxxxxxx
Date: Thu, 27 Oct 2011 08:01:55 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6504

           Summary: Wireshark unable to parse ERSPAN from HP Comware
                    platforms
           Product: Wireshark
           Version: 1.6.2
          Platform: x86-64
        OS/Version: Windows 7
            Status: NEW
          Severity: Enhancement
          Priority: Low
         Component: Wireshark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: mnantel@xxxxxxxxx


Created an attachment (id=7321)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=7321)
Captured ERSPAN packet

Build Information:
Version 1.6.2 (SVN Rev 38931 from /trunk-1.6)

Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.22.1, with GLib 2.26.1, with WinPcap (version
unknown), with libz 1.2.5, without POSIX capabilities, without libpcre, without
SMI, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS 2.10.3, with
Gcrypt 1.4.6, without Kerberos, with GeoIP, with PortAudio V19-devel (built Sep 
7 2011), with AirPcap.

Running on 64-bit Windows 7, build 7600, with WinPcap version 4.1.2 (packet.dll
version 4.1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b (20091008),
GnuTLS 2.10.3, Gcrypt 1.4.6, without AirPcap.

Built using Microsoft Visual C++ 9.0 build 21022

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
The following configuration is what was applied to a Comware switch with ERSPAN
support. The resulting ERSPAN inbound trafic is attached as a single packet
PCAP file. Comware uses a GRE tunnel as a mirror target to accomplish ERSPAN
functionality. Wireshark reports the below an ERSPAN "unknown version" and
appears to stop parsing due to this. Trafic is being transported over GRE and
wireshark sees windows sending ICMP unreachable since there is GRE listening on
the OS.

#
 service-loopback group 1 type tunnel
#
interface GigabitEthernet1/0/24
 port link-mode bridge
 stp disable
 port service-loopback group 1
#
interface Tunnel0
 ip address 50.1.1.1 255.255.255.0
 source 192.168.90.17
 destination 192.168.90.127
 service-loopback-group 1
 mirroring-group 1 monitor-port
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 mirroring-group 1 mirroring-port both
#

Can you please advise whether a small adjustment could make this work of if
Comware needs to implement this differently?

Thanks,
Mat

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.