When I first looked at the documentation for ERSPAN I could imagine some uses for it. In some cases it could replace RSPAN, but since it’s only available on Cisco Nexus switches, newer Catalyst 6500s, Cisco ASR routers, and other “high end” devices, I determined that it really had limited uses.
But I was wrong. Very wrong. ERSPAN is awesome and in this article, I’ll show you why.
What is ERSPAN?
Here’s a quick overview. ERSPAN stands for Encapsulated Remote Switched Port Analyzer. Like SPAN and RSPAN, it mirrors the traffic on one or more “source” ports or VLANs, but instead of delivering the copy to a local port or an RSPAN VLAN it wraps each mirrored frame in generic routing encapsulation (GRE) and sends it to a “destination” IP address. Because the copy is an ordinary IP packet (IP protocol 47; ERSPAN Type II uses GRE protocol type 0x88BE), it can be routed across a layer 3 network from the “source” switch to an ERSPAN-capable “destination” switch, which decapsulates it and hands it to a local port. This works great if you have a dedicated system running a packet sniffer, e.g. Wireshark, connected to that “destination” switch, but what if you don’t?
But There’s an Easier Way . . .
This is where my new favorite trick comes in. When configuring the IP address of the destination, what happens if you simply enter the IP address of your own PC? All of the encapsulated mirrored traffic is sent straight to your PC. With a simple capture filter in Wireshark you can limit the captured packets to GRE, so you see only the mirrored traffic. But it gets better. Wireshark’s GRE and ERSPAN dissectors recognize the encapsulation and display the “real” source and destination IP addresses of the mirrored packets, not the source switch’s origin IP address and your PC’s (destination) IP address. As a bonus, if you’re sniffing a VLAN trunk, the VLAN ID of each mirrored frame is carried in the ERSPAN header, so it shows up in the capture too.
So How Do I Configure This?
First configure your “source” switch. On a Cisco Nexus 7000 Series switch it looks like this:
monitor session 1 type erspan-source
  description ERSPAN direct to Sniffer PC
  erspan-id 32                          # required; any value 1-1023, shown as the session ID in the capture
  vrf default                           # required; VRF used to reach the destination
  destination ip 10.1.2.3               # IP address of the sniffer PC
  source interface port-channel1 both   # port(s) to be sniffed (rx, tx or both)
  filter vlan 3900                      # optional: limit the mirror to these VLAN(s)
  no shut                               # enable the session
monitor erspan origin ip-address 10.1.2.1 global   # outer source IP of the GRE packets
On your sniffer PC running Wireshark, you’ll want to configure a capture filter that limits the captured traffic to IP protocol number 47, which is GRE. 47 in hex is 2F, so the capture filter for this is ip proto 0x2f (the decimal form, ip proto 47, works just as well). Note that the PC does not need a GRE tunnel interface or any other configuration to receive this: the capture driver sees the frames off the wire before the host’s IP stack decides what to do with them, and the ERSPAN dissector takes it from there.
Lastly, start your capture. In the decoded packets, notice that you can even see the VLAN tag (Vlan: 3900) in the ERSPAN header. This is an advantage over RSPAN, which replaces the original 802.1Q tag with the RSPAN VLAN and so cannot transport it.
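To make concrete what Wireshark is doing when it decodes these frames, here is an added example (my own illustration, not code from the original post or from Cisco) that builds one constructed ERSPAN Type II packet and then decapsulates it the way the dissector does: outer IPv4, GRE, the 8-byte ERSPAN header (version, VLAN, session ID), the mirrored Ethernet frame with its 802.1Q tag, and the inner IPv4 header. The switch origin, sniffer address, ERSPAN ID and VLAN match the configuration above; the MAC addresses, inner hosts and TCP SYN payload are made up.

```python
"""Decapsulate ERSPAN Type II (GRE protocol type 0x88BE) the way Wireshark does.
Added example, not code from the original post. The sample packet below is
constructed: MACs, inner hosts, ports and payload are made up."""
import struct
from ipaddress import ip_address

GRE_PROTO = 47            # outer IP protocol number for GRE (0x2f)
ERSPAN_TYPE_II = 0x88BE   # GRE protocol type carried by ERSPAN Type II
ETH_P_8021Q = 0x8100
ETH_P_IPV4 = 0x0800


def parse_ipv4(buf):
    """Return (header fields, payload) for an IPv4 packet."""
    ihl = (buf[0] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[2:4])[0]
    hdr = {"proto": buf[9],
           "src": str(ip_address(buf[12:16])),
           "dst": str(ip_address(buf[16:20]))}
    return hdr, buf[ihl:total_len]


def parse_gre(buf):
    """Return (protocol type, sequence number or None, payload).
    Skips the optional checksum/key/sequence fields that the flag bits announce."""
    flags, proto = struct.unpack("!HH", buf[:4])
    off, seq = 4, None
    if flags & 0x8000:            # C bit: checksum + reserved
        off += 4
    if flags & 0x2000:            # K bit: key
        off += 4
    if flags & 0x1000:            # S bit: sequence number (ERSPAN sets this)
        seq = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    return proto, seq, buf[off:]


def parse_erspan2(buf):
    """Decode the 8-byte ERSPAN Type II header:
    version(4) vlan(12) cos(3) en(2) t(1) session(10) | reserved(12) index(20)."""
    w1, w2 = struct.unpack("!II", buf[:8])
    hdr = {"version": w1 >> 28,
           "vlan": (w1 >> 16) & 0x0FFF,     # the "Vlan: 3900" Wireshark shows
           "cos": (w1 >> 13) & 0x7,
           "en": (w1 >> 11) & 0x3,          # 2 = mirrored frame keeps its 802.1Q tag
           "truncated": bool((w1 >> 10) & 1),
           "session": w1 & 0x3FF,           # erspan-id from the switch config
           "index": w2 & 0xFFFFF}
    return hdr, buf[8:]


def parse_ethernet(frame):
    """Return Ethernet fields and the L3 payload; pops an 802.1Q tag if present."""
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    off, vlan = 14, None
    if etype == ETH_P_8021Q:
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan,
            "ethertype": etype}, frame[off:]


def decode_erspan_packet(ip_packet):
    """Walk outer IPv4 -> GRE -> ERSPAN -> mirrored frame -> inner IPv4."""
    outer, rest = parse_ipv4(ip_packet)
    if outer["proto"] != GRE_PROTO:
        raise ValueError("not a GRE packet (ip proto %d)" % outer["proto"])
    gre_proto, seq, rest = parse_gre(rest)
    if gre_proto != ERSPAN_TYPE_II:
        raise ValueError("GRE payload is not ERSPAN Type II: 0x%04x" % gre_proto)
    erspan, frame = parse_erspan2(rest)
    eth, l3 = parse_ethernet(frame)
    inner = parse_ipv4(l3)[0] if eth["ethertype"] == ETH_P_IPV4 else None
    return {"outer": outer, "gre_seq": seq, "erspan": erspan,
            "eth": eth, "inner": inner}


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (checksum left zero; fine for exercising the parser)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, ip_address(src).packed, ip_address(dst).packed)
    return hdr + payload


def sample_erspan_packet():
    """Constructed packet: switch origin 10.1.2.1 -> sniffer 10.1.2.3, erspan-id 32,
    mirroring a VLAN 3900-tagged TCP SYN between two made-up inside hosts."""
    tcp_syn = struct.pack("!HHIIBBHHH", 45678, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner_ip = build_ipv4("192.168.39.10", "192.168.39.20", 6, tcp_syn)
    mirrored = (bytes.fromhex("0011223344556677889900aa")          # dst MAC, src MAC
                + struct.pack("!HHH", ETH_P_8021Q, 3900, ETH_P_IPV4) + inner_ip)
    erspan = struct.pack("!II", (1 << 28) | (3900 << 16) | (2 << 11) | 32, 0x1)
    gre = struct.pack("!HHI", 0x1000, ERSPAN_TYPE_II, 1)             # S bit set, seq 1
    return build_ipv4("10.1.2.1", "10.1.2.3", GRE_PROTO, gre + erspan + mirrored)


if __name__ == "__main__":
    d = decode_erspan_packet(sample_erspan_packet())
    print("outer  %(src)s -> %(dst)s (GRE)" % d["outer"])
    print("erspan session %(session)d vlan %(vlan)d" % d["erspan"])
    print("inner  %(src)s -> %(dst)s proto %(proto)d" % d["inner"])
```

Feed decode_erspan_packet() the IP payload of any frame you pull out of a pcap with the ip proto 0x2f filter (i.e. the bytes after the outer 14-byte Ethernet header) and you get the same fields Wireshark shows, which is handy when you want to script over a large ERSPAN capture rather than click through it.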
This trick works from any ERSPAN-capable switch, including all of the Cisco Nexus switches as well as some Catalyst switches and Cisco routers. Here’s the best part: it also works with the Cisco Nexus 1000V.* That’s right. You can capture traffic from a virtual guest OS running in VMware or Hyper-V by simply setting the guest OS’s vEthernet port as the “source” of your ERSPAN session and your PC’s IP address as the “destination.” Two things to keep in mind while you do this. First, the mirrored traffic crosses the network as cleartext GRE and nothing authenticates the receiver, so anyone who can read packets on the path between the switch and your PC gets the same copy of production traffic you do; treat the ability to configure a monitor session as the privilege it is, and shut the session down when you’re done. Second, the encapsulation adds about 50 bytes to every mirrored frame, so full-size frames can exceed the path MTU between the switch and your PC and may arrive fragmented or truncated.
And that’s why ERSPAN is my new favorite packet capturing trick.