First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

How to decode ERSPAN-without-a-header in Wireshark 2.6 and later?

Hello everyone,

I'm looking for erspan decoding with my pcap capture. I was doing the classical Protocols -> ERSPAN -> Force decode for that purpose, but it seems not present in wireshark anymore. It might be located somewhere else ? But I haven't find any documentation about that change. I tried decoding with my wireshark 2.6.6. (I also opened my capture, and it is not decoded : Was thinking that it could be natively enabled with last releases)

Thanks in advance,

Yoann

Yoyonetwk's avatar
1
Yoyonetwk
asked 2019-04-17 10:30:32 +0000
Guy Harris's avatar
19.9k
Guy Harris
updated 2019-04-17 17:51:11 +0000
edit flag offensive 0 remove flag close merge delete

Comments

All that preference does is to force the ERSPAN dissector to assume the packet doesn't begin with an ERSPAN header. It does not, in Wireshark 2.4, force packets to be dissected as ERSPAN.

What does "not decoded" mean?

Guy Harris's avatar Guy Harris (2019-04-17 17:54:36 +0000) edit
more
  • delete

Thanks for your reply. I was blinded by the pcap in general. I’m seeing one packet between each erspan (icmp) from source erspan to my station. It’s an erspan type 1 (deprecated by rfc). I’d like to have a pcap which is more simple without having filtering the file

I can correctly see stuff from my source device which encapsulate data to my device

Yoann

Yoyonetwk's avatar Yoyonetwk (2019-04-17 21:13:21 +0000) edit
more
  • delete
add a comment see more comments

1 Answer

0

I can correctly see stuff from my source device which encapsulate data to my device

So it sounds as if it is dissecting the ERSPAN frames correctly (as type I, which has no ERSPAN header before the Ethernet packet).

The preference was removed because we changed the code to determine for itself whether there's an ERSPAN header or not, rather than requiring the user to specify a preference for that.

Guy Harris's avatar
19.9k
Guy Harris
answered 2019-04-17 23:26:29 +0000
edit flag offensive 0 remove flag delete link
more

Comments

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer