Packet Pushers

Where Too Much Technology Would Be Barely Enough

  • Podcasts
    • Day Two Cloud
    • Full Stack Journey
    • Heavy Networking
    • Heavy Strategy
    • Heavy Wireless
    • IPv6 Buzz
    • Kubernetes Unpacked
    • Network Break
    • Tech Bytes
    • The Community Show
    • Datanauts (Retired)
    • Priority Queue (Retired)
  • Hosts
  • Articles
    • Tech Blogs
    • Industry News
    • Books And Whitepapers
    • Toolbox – IT Resource Collections
  • Library
  • Newsletter
  • Slack
  • Subscribe
  • Sponsor
You are here: Home / Blogs / ERSPAN – My New Favorite Packet Capturing Trick

ERSPAN – My New Favorite Packet Capturing Trick

Gary Sckolnick June 25, 2014

When I first looked at the documentation for ERSPAN I could imagine some uses for it. In some cases it could replace RSPAN, but since it’s only available on Cisco Nexus switches, newer Catalyst 6500s, Cisco ASR routers, and other “high end” devices, I determined that it really had limited uses.

But I was wrong. Very wrong. ERSPAN is awesome and in this article, I’ll show you why.

What is ERSPAN?

Here’s a quick overview.  ERSPAN is an acronym that stands for encapsulated remote switched port analyzer. ERSPAN mirrors traffic on one or more “source” ports and delivers the mirrored traffic to one or more “destination” ports on another switch. The traffic is encapsulated in generic routing encapsulation (GRE) and is, therefore, routable across a layer 3 network between the “source” switch and the “destination” switch. This works great if you have a dedicated system running a packet sniffer — e.g. Wireshark — connected to an ERSPAN-capable “destination” switch, but what if you don’t?

But There’s an Easier Way . . .

This is where my new favorite trick comes in. When configuring the IP address of the destination, what happens if you simply enter the IP address of your own PC? Yes, all of the encapsulated mirrored traffic is sent to your PC’s IP address. With a simple capture filter setup in Wireshark you can limit your captured packets only to GRE packets. Now you’re only seeing the mirrored traffic. But it gets better. Wireshark is very smart. It realizes that the traffic is encapsulated and automatically displays the “real” source and destination IP addresses of the captured traffic, not the source switch’s IP address and your PC’s (destination) IP address. As a bonus, if you’re sniffing a VLAN trunk, the 802.1Q tags are also captured in the ERSPAN header info.

So How Do I Configure This?

First configure your “source” switch. On a Cisco Nexus 7000 Series switch it looks like this:


monitor session 1 type erspan-source
description ERSPAN direct to Sniffer PC
erspan-id 32                              # required, # between 1-1023
vrf default                               # required
destination ip 10.1.2.3                   # IP address of Sniffer PC
source interface port-channel1 both       # Port(s) to be sniffed
filter vlan 3900                          # limit VLAN(s) (optional)
no shut                                   # enable

monitor erspan origin ip-address 10.1.2.1 global


 

On your Sniffer PC running Wireshark, you’ll want to configure a Capture Filter that limits the captured traffic to IP Protocol number 47, which is GRE. 47 in HEX is 2F, so the capture filter for this is ip proto 0x2f.

WireShark_edit_int_settings

 

Lastly, start your capture. You should see something like this:

Wireshark ERSPAN Capture

Notice that you can even see the VLAN tag (Vlan: 3900) in the ERSPAN header. This is an advantage over RSPAN, which strips off any 802.1Q tags, because it cannot transport them.

Bonus

This trick works from any ERSPAN-capable switch including all of the Cisco Nexus switches as well as some Catalyst switches and Cisco routers. Here’s the best part: It also works with the Cisco Nexus 1000V.* That’s right. You can capture traffic from a virtual guest OS running in VMWare or HyperV by simply setting the guest OS’s respective Vethernet port as the “source” of your ERSPAN session and your PC’s IP address as the “destination.”

And that’s why ERSPAN is my new favorite packet capturing trick.

* some assembly required

About Gary Sckolnick

Comments

  1. Matt Thompson says

    June 25, 2014 at 9:55 pm

    Nice write up Gary.

    It seems you could easily set up a machine in a management network as the capture device and ERSPAN any device’s traffic under your control back to there.

  2. Jim MacLeod says

    June 25, 2014 at 10:02 pm

    VMware claims that ERSPAN is also supported in NSX.

    Additionally, while Open vSwitch doesn’t support ERSPAN per se, it does support remote packet capture over GRE, which is nearly functionally equivalent. (ERSPAN also has support for remote timestamping – it’s not clear whether this is present in the Open vSwitch implementation.)

    • Anthony Burke says

      June 25, 2014 at 10:19 pm

      Hi Jim,

      ERSPAN is actually a function of the Distributed vSwitch thanks to ESX 5.5. Therefore it is supported within NSX due to being baked into the ESX 5.5 version.

      Awesome stuff. Great write up.

      *Disclaimer – I work for VMware in the Network Security Business Unit (NSX team)

      • SS says

        March 1, 2016 at 7:09 pm

        ERSPAN header is not exactly same as L2GRE header. ERSPAN also has span-id in the header. Question on ESX 5.5 – does it do ERSPAN or L2GRE?

        • Tim Schroeder says

          February 13, 2018 at 10:15 pm

          ESX 5.5 only uses L2GRE, and does *NOT* support ERSPAN. ESX 6.0 and onwards DOES support ERSPAN which is an extension to GRE and includes Cisco additions such as Vlan tag and Span ID. Which means with 5.5 you cannot mirror packets from VDS to, say, a Cisco router because the Cisco router expects the ERSPAN header. You can however terminate the L2GRE from an ESX 5.5 system on Wireshark, or a Linux box, or certain Cisco IOS “XE”-based products like the ASR 1000 series or the 4500-series.

  3. Fernando Cardoso says

    July 14, 2014 at 6:53 pm

    ERSPAN is amazing but in my labs I couldn’t receive the proper traffic because my swiches uses VPC.

    If anyone have a successfully use VPC and RSPAN please share 🙂

    • Mark says

      August 23, 2015 at 6:07 pm

      In our lab, we have a VPC as well. As a result, we just set up ERSPAN on both members of the VPC so both VPC port channels were covered. Both monitor sessions directed the traffic to the same PC running wireshark. We were able to determine the origin of the traffic based on the source IP ( that is , we knew which monitor session sent the frame to the PC ).

  4. justfly says

    August 14, 2014 at 7:27 am

    An excellent article, thanks a lot Gary!

  5. Daniel Z says

    September 30, 2014 at 8:06 pm

    If anyone interested in packet capturing by stripping the GRE headers try GULP http://staff.washington.edu/corey/gulp/ (check the documents for 64 bit systems). It needs patching however for VMware, the GRE_HDRLEN definition should be 42 instead of Cisco’s 50 at the top of gulp.c file.
    This way you can set up your tcpdump/wireshark capture filters for the real insteresting inner contents.
    I have made a patch, which adds a new command line option to set custom header length, so you could use the same binary for Cisco and VMware as well, if anyone is interested I can paste it here.

    • KC says

      October 8, 2014 at 10:22 am

      please paste the patch,thank you.
      I’ve searched it for long time.

      • Daniel Z says

        October 14, 2014 at 3:41 pm

        Here is the patch I made: http://goo.gl/0SkgKA

  6. Jeroen van Ingen says

    October 29, 2014 at 1:40 pm

    Besides capturing with Wireshark or stripping the ERSPAN headers with GULP, there’s another tool to (re)process ERSPAN: “rcdcap” (http://sourceforge.net/projects/rcdcap/). RCDCAP can write capture files but it can also strip the ERSPAN header, reconstruct or strip the VLAN header and then copy the traffic to another interface: regular Ethernet, veth pair, etcetera. It also supports HP ProCurve’s proprietary remote span feature based on UDP encapsulation and was designed for extensibility. Other remote capture protocols may be added later.

    Just plugging it here, I’ve used it many times after my employer (a Dutch uni) had it written.

    • Sanna says

      January 6, 2016 at 2:23 am

      my team have a problem of installing this RCDcap on a Linux system, can you give me some tips on installation?

  7. dakine says

    August 30, 2015 at 2:27 pm

    Is there a way to ENCAPSULATE traffic into an ERSPAN tunnel without using a cisco device? What if I wanted to source ERSPAN traffic from a Linux host instead of a switch?

  8. Warren Sullivan says

    August 8, 2017 at 5:47 am

    Hi Guys,

    for the linux noobs using windows……thats me, i created a short video on how to strip the ERSPAN headers off the packet capture using wireshark natively;

    https://www.youtube.com/watch?v=JuZ8bv0qc6E

    • NBAC says

      November 7, 2017 at 3:05 pm

      NICE video!
      But how to determine the offset value. In my example “38” seems wrong …

  9. JG says

    August 24, 2017 at 3:02 pm

    Unfortunately it looks like this works ONLY on the default VDC 🙁
    I tried it here but since we are in another VDC this is what i get at the end (very disappointing!):

    HOSTNAME(config)# monitor erspan origin ip-address 10.29.92.253
    ERROR: Per VDC origin IP not supported. Please use global mode
    HOSTNAME(config)# monitor erspan origin ip-address 10.29.92.253 global
    ERROR: Global origin IP config possible only in default VDC

    Nice chicken and egg situation? Any ideas?
    Thanks!

  10. Marco says

    February 6, 2018 at 10:32 am

    An example Wireshark capture Filter for filtering IP host addresses within an ERSPAN Session from Cisco ACI:

    ip proto 0x2f and ((ip[54:4]==0x0A7B7B7B) or (ip[58:4]==0x0A7B7B7B))

    0x0A7B7B7B represents an IP address in HEX format. In this case 10.123.123.123

    Important: The offset (54 / 58 in my example) can change. E.g ACI is sending a VLAN Tag within the ERSPAN Session. If you mirror traffic without a VLAN tag, you have to lower the numbers by 4. It also changes if there are IP options within the outer IP header. Offset seems to be stable as long as you don’t change the port mirror configuration on your switch. -> Always check the offset before start capturing your data.

    • Mate says

      October 9, 2018 at 5:37 pm

      Thanks Gary and Marco,
      this worked for me with a twist, I used the ether[offset:lenght] filter instead of ip.

    • hatim says

      October 15, 2018 at 6:43 pm

      Hello

      How can i filter the capture with a specific MAC. i want to capture only LACP a L2 protocol
      Thanks

  • Email
  • Facebook
  • LinkedIn
  • RSS
  • Twitter
  • YouTube

RSS Day Two Cloud

  • D2C226: Creating An Effective Cloud Migration Strategy December 20, 2023

RSS Full Stack Journey

  • The Final Journey Of Full Stack Journey October 31, 2023

RSS Heavy Networking

  • HN714: Building The Branch Of The Future With SASE Powered By AI (Sponsored) December 15, 2023

RSS Heavy Strategy

  • HS061 What is IT Training or Education December 19, 2023

RSS Heavy Wireless

  • HW017: The Story Behind The CWNA Study Guide December 12, 2023

RSS IPv6 Buzz

  • IPB141: IPv6 End Of Year Wrap-Up  December 14, 2023

RSS Kubernetes Unpacked

  • KU043: How (& Why) To Contribute To The Kubernetes Release Team December 14, 2023

RSS Network Break

  • NB460: VMware Ditches Perpetual Licenses; GenAI Is Coming To Network Ops December 18, 2023

RSS Tech Bytes

  • Tech Bytes: Fortinet Advisor Brings GenAI To Support SecOps Teams (Sponsored) December 18, 2023

RSS YouTube

  • Creating An Effective Cloud Migration Strategy December 20, 2023

Recent Comments

  • Robin Grindley on NB458: Broadcom Debuts On-Chip Neural Net, Lays Off VMware Staff; Okta Breach Gets Worse
  • Eduardo Barrios on HW015: What Every Wi-Fi Pro Needs To Know About Private LTE
  • Kentzo on IPB139: Avoiding Typical IPv6 Pitfalls
  • Jeff Cameron on NB457: Broadcom, VMware Tie The Knot; Nvidia SuperNICs Target AI Ethernet Acceleration
  • Ronny Aasen on HS027 Broadcom and VMware – What’s Gonna Happen?
  • Seth Lane on 3 Takeaways From AutoCon0

PacketPushers Podcast

  • Heavy Networking
  • Day Two Cloud
  • Network Break
  • Briefings In Brief & Tech Bytes
  • Full Stack Journey
  • IPv6 Buzz
  • Community Podcast
  • Heavy Strategy
  • Priority Queue (Retired)
  • Datanauts (Retired)

PacketPushers Articles

  • All the News & Blogs
  • Only the Latest News
  • Only the Community Blogs
  • Virtual Toolbox

Search

Website Information

  • Frequently Asked Questions
  • Subscribe
  • Sponsorship
  • Meet The Hosts
  • Pitch Us
  • Privacy Policy
  • Website Terms

Connect

  • Contact The Packet Pushers
  • Join Our Slack Group
  • Subscribe To Podcasts
  • Subscribe To Newsletter
  • Become A Sponsor
  • Facebook
  • LinkedIn
  • RSS
  • Twitter
  • YouTube

© Copyright 2023 Packet Pushers Interactive, LLC · All Rights Reserved