
Wireshark-bugs: [Wireshark-bugs] [Bug 6504] Wireshark unable to parse ERSPAN from HP Comware pla

Date: Fri, 28 Oct 2011 17:04:51 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6504

--- Comment #7 from Mat <mnantel@xxxxxxxxx> 2011-10-28 17:04:50 PDT ---
I find that you have to filter a bit to make the output cohesive. The lack of a
GRE listener on your common vanilla workstation means that ICMP code 2 keeps
being sent back to the switch - just filtering for erspan doesn't cut it. The
following filter isn't totally clean but gets it done:

erspan && !(icmp.code == 2 && ip.dst == 192.168.90.17)

Where the above ip destination is the tunnel source IP of the switch I am
testing this with.

For reference, here is the Comware config that is being used to generate the
ERSPAN to my workstation. This was tested on a 5800-24, but I suspect it will
work for all platforms which support mirroring to an L3 interface, which is
what the developers appear to associate with ERSPAN functionality.


#
 mirroring-group 1 local
#
 service-loopback group 1 type tunnel
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 mirroring-group 1 mirroring-port both
#
interface GigabitEthernet1/0/24
 port link-mode bridge
 stp disable
 port service-loopback group 1
#
interface Tunnel0
 ip address 50.1.1.1 255.255.255.0
 source 192.168.90.17
 destination 192.168.90.138
 service-loopback-group 1
 mirroring-group 1 monitor-port
#

The inner tunnel IP can be an arbitrary unused IP - it is not used in any way
in this usage of GRE. Comware requires that GRE tunnels be bound to a "service
loopback group", which is some kind of construct that needs to be bound to a
physical interface to work. I don't know whether it prevents the port from being
used for anything else.

I guess one could leave a leftover tunnel on switches which could be
reconfigured on the spot to emit an ERSPAN to a destination. Ideally Comware
would not require this kludge and would instead have a special "erspan" tunnel
type which would be a GRE with an inner IP that doesn't get published in the
routing tables.
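
Added example, not part of the original comment or of Wireshark: a small classifier that separates mirrored GRE/ERSPAN packets from the ICMP "protocol unreachable" replies (type 3, code 2) that a receiver without a GRE listener sends back to the tunnel source, which is the split the display filter above performs. Unlike `icmp.code == 2` it also checks the ICMP type, so other ICMP messages that happen to carry code 2 are not discarded. Assumptions: the GRE protocol type 0x88BE for ERSPAN, the function names, the address 192.168.90.50 and all sample packets are constructed for illustration.

```python
import ipaddress
import struct

IPPROTO_ICMP, IPPROTO_GRE = 1, 47
GRE_PROTO_ERSPAN = 0x88BE  # GRE protocol type carrying ERSPAN (not stated on the page)

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (constructed sample data, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def classify(pkt, tunnel_src):
    """Return 'mirror', 'noise' or 'other' for one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return "other"
    proto, body = pkt[9], pkt[ihl:]
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    if proto == IPPROTO_GRE and len(body) >= 4:
        if struct.unpack("!H", body[2:4])[0] == GRE_PROTO_ERSPAN:
            return "mirror"
    if proto == IPPROTO_ICMP and len(body) >= 2:
        # Type 3 / code 2 = destination unreachable, protocol unreachable:
        # the reply of a host with no GRE listener, sent to the tunnel source.
        if (body[0], body[1]) == (3, 2) and dst == tunnel_src:
            return "noise"
    return "other"

SWITCH, WORKSTATION = "192.168.90.17", "192.168.90.138"  # addresses from the comment
# Constructed packets: a GRE/ERSPAN frame, the ICMP error it provokes,
# and two ICMP packets that must not be treated as tunnel noise.
erspan_pkt = ipv4(SWITCH, WORKSTATION, IPPROTO_GRE,
                  struct.pack("!HH", 0, GRE_PROTO_ERSPAN) + bytes(14))
unreach = ipv4(WORKSTATION, SWITCH, IPPROTO_ICMP,
               bytes([3, 2, 0, 0, 0, 0, 0, 0]) + erspan_pkt[:28])
redirect_code2 = ipv4(WORKSTATION, SWITCH, IPPROTO_ICMP, bytes([5, 2, 0, 0, 0, 0, 0, 0]))
unreach_elsewhere = ipv4(WORKSTATION, "192.168.90.50", IPPROTO_ICMP,
                         bytes([3, 2, 0, 0, 0, 0, 0, 0]))
SAMPLE = [erspan_pkt, unreach, redirect_code2, unreach_elsewhere]

def summarize(packets, tunnel_src):
    """Count packets per class for a list of raw IPv4 packets."""
    counts = {"mirror": 0, "noise": 0, "other": 0}
    for p in packets:
        counts[classify(p, tunnel_src)] += 1
    return counts
```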
