Dears, I have a setup in the lab where I have configured ERSPAN on Cisco ACI Fabric, which is pretty similar to ERSPAN on Nexus switches 7K or 5K. I got the capture, where I can see only the outer header for the packets, but it's not helpful. So I want to decapsulate/decode the ERSPAN packets so that I can see the inner header for the captured packets. I am using Wireshark 1.12.7 on Windows 2008 Server. It is worth mentioning too that both source and destination are VMs. I have attached a snapshot of the captured packets from Wireshark. How can this be achieved? I am looking for a decoder integrated with Wireshark. Regards, Mohammed ElSherbiny
asked 11 Oct '15, 02:58 mohammedelsh...
One Answer:
Choose "Preferences > Protocols > ERSPAN" and select "Force to decode fake ERSPAN frame".
answered 19 Jun '17, 03:33 briantilburgs
Did you try setting the ERSPAN preference "FORCE to decode fake ERSPAN frame" to TRUE (as suggested in the expert message, and which may or may not be helpful)?
If setting the preference doesn't work, examining the capture will probably be the best way for us to help you.
Can you provide the capture? (Upload it to something like Dropbox and provide a link here.)
I have the same problem although it was solved in the client by applying the "Force to decode fake ERSPAN" option. Does anyone know if/how this is possible using TSHARK?
Yes, you can add
-o erspan.fake_erspan:TRUE
to your tshark command.
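Added example, not part of the thread and not Wireshark's code: a small Python decapsulator for GRE-carried ERSPAN (protocol type 0x88BE) that returns the inner Ethernet frame, either after the 8-byte ERSPAN Type II header or, with the hypothetical `force_no_header` parameter, by treating the GRE payload directly as Ethernet. That forced mode is an assumption about what the "fake ERSPAN" preference amounts to, and the sample packets are constructed.

```python
import struct

GRE_PROTO_ERSPAN = 0x88BE  # GRE protocol type used by ERSPAN Type I/II

def decap_erspan(gre: bytes, force_no_header: bool = False) -> dict:
    """Return the mirrored Ethernet frame from bytes starting at the GRE header."""
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", gre, 0)
    if proto != GRE_PROTO_ERSPAN:
        raise ValueError(f"not ERSPAN: GRE protocol 0x{proto:04x}")
    off = 4
    if flags & 0x8000:  # C bit: checksum + reserved word present
        off += 4
    if flags & 0x2000:  # K bit: key word present
        off += 4
    seq = None
    if flags & 0x1000:  # S bit: sequence number present
        if len(gre) < off + 4:
            raise ValueError("truncated GRE sequence number")
        seq = struct.unpack_from("!I", gre, off)[0]
        off += 4
    info = {"seq": seq, "vlan": None, "session_id": None}
    # No sequence number means Type I: the payload is already the Ethernet frame.
    if seq is not None and not force_no_header:
        if len(gre) < off + 8:
            raise ValueError("truncated ERSPAN Type II header")
        word0 = struct.unpack_from("!I", gre, off)[0]
        if word0 >> 28 != 1:
            raise ValueError(f"unknown ERSPAN version {word0 >> 28}")
        info["vlan"] = (word0 >> 16) & 0x0FFF
        info["session_id"] = word0 & 0x03FF
        off += 8
    frame = gre[off:]
    if len(frame) < 14:
        raise ValueError("no room for an inner Ethernet header")
    info.update(dst=frame[0:6].hex(":"), src=frame[6:12].hex(":"),
                ethertype=struct.unpack_from("!H", frame, 12)[0], frame=frame)
    return info

# Constructed sample data (not from the capture in the thread).
INNER = bytes.fromhex("001122334455" "66778899aabb" "0800") + b"\x45" + bytes(19)
GRE_SEQ = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN, 7)
TYPE2 = GRE_SEQ + struct.pack("!II", (1 << 28) | (100 << 16) | 5, 0) + INNER
HEADERLESS = GRE_SEQ + INNER  # sender omitted the ERSPAN header

if __name__ == "__main__":
    print(decap_erspan(TYPE2))
    print(decap_erspan(HEADERLESS, force_no_header=True))
```

Without `force_no_header`, the header-less sample is rejected with an unknown-version error, because the first bytes of the inner destination MAC are read as the ERSPAN version field.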