Hi Guys, I have a pcapng file captured from an ERSPAN session. I need to strip the ERSPAN header from all packets so I can view the encapsulated packet properly in Steelhead Packet Analyzer. I looked at editcap.exe but the -C option seemed to malform the packets as opposed to stripping the header off. Any ideas? Thanks for any help you can offer.

asked 19 Oct '15, 18:04 Warren Sullivan
2 Answers:
Well, it looks like your traces are broken. There is a GRE header with Protocol type set to 0x88be, but instead of an ERSPAN header following it there is Ethernet right away. So the ERSPAN header is missing, and the decode fails for any tool that tries. Looks like the device doing your ERSPAN doesn't know its RFCs :-)

You can fix your capture by running this editcap command, cutting away the leading 38 bytes before the second Ethernet header:

editcap -C 38 pcap.pcap pcap_edited.pcap

Worked for me with your sample.

answered 20 Oct '15, 17:35 Jasper ♦♦
If you would use Wireshark to view the frames, you would not have to strip the ERSPAN header! ;-) BTW: I wonder why SteelCentral Packet Analyzer is unable to view those frames !?!

Sample file:

Solution: If you really want to strip the ERSPAN 'headers', please read my answer to a similar question:
The following command should remove everything related to ERSPAN (including outer eth/ip/etc.)
This works with the sample file on github.com. Regards

answered 20 Oct '15, 03:41 Kurt Knochner ♦ edited 20 Oct '15, 03:41

Thanks! OK, I may need to add some detail: I need to strip the header so SteelCentral can see the inner DSCP markings and create a nice little pie graph of all DSCP markings in the capture. At the moment it only sees BE or best effort, as that is the CS marking on the outer ERSPAN header. So I tried bittwist but no luck; came up with this:

C:\Temp\bittwist-win-2.0\bittwist-win-2.0\src>bittwiste -I "c:\Users\ws2593\Desktop\QOS\raw 7million packets.pcapng" -O no_erspan.pcap -D 1-50
0 [main] bittwiste 6864 find_fast_cwd: WARNING: Couldn't compute FAST_CWD pointer. Please report this problem to the public mailing list [email protected]
input file: c:\Users\ws2593\Desktop\QOS\raw 7million packets.pcapng
cygwin warning: MS-DOS style path detected: c:\Users\ws2593\Desktop\QOS\raw 7million packets.pcapng
Preferred POSIX equivalent is: /cygdrive/c/Users/ws2593/Desktop/QOS/raw 7million packets.pcapng
CYGWIN environment variable option "nodosfilewarning" turns off this warning.
Consult the user's guide for more details about POSIX paths: http://cygwin.com/cygwin-ug-net/using.html#using-pathnames
output file: no_erspan.pcap
bittwiste: c:\Users\ws2593\Desktop\QOS\raw 7million packets.pcapng is not a valid pcap based trace file

(20 Oct '15, 04:06) Warren Sullivan

It works on my Windows 7 system. Looks like there is a problem with your Cygwin environment. I downloaded an older version, including the Cygwin DLLs, from this location:

(20 Oct '15, 07:59) Kurt Knochner ♦

OK, I couldn't deal with the pcapng extension, so I saved a capture as a pcap from within Wireshark, ran it on a smaller file and it worked (read: it performed a function) but it has messed up the packet. I'll see if I can attach or upload the pre- and post-processed captures.... Thanks heaps for your help thus far!!!

(20 Oct '15, 15:32) Warren Sullivan

Try TraceWrangler. I added handling of ERSPAN layers today, so if you add an "Edit" task and choose to strip GRE, it will also remove ERSPAN if it finds it. At least it worked for the trace I have. Get the automated build here: https://www.tracewrangler.com/download/automated/

(20 Oct '15, 16:31) Jasper ♦♦

Hi Jasper, I tried TraceWrangler last night to no avail. I tried your new build just now but no luck; can you use my pcap file below to test? It doesn't remove the GRE header or the ERSPAN header; in fact it actually increases the file size! hehe Thanks for your help so far!

(20 Oct '15, 16:59) Warren Sullivan

Hm, that's because it uses an ERSPAN version I haven't seen so far. I need to adjust my parser for that, which may take a while. Even Wireshark 1.12.8 doesn't decode it correctly for me. Interesting.

(20 Oct '15, 17:23) Jasper ♦♦

By the way, just stumbled across this page while researching ERSPAN encapsulation types, maybe it helps: http://brezular.com/2015/05/03/decapsulation-erspan-traffic-with-open-source-tools/ It also points to a tool at Sourceforge:

(20 Oct '15, 17:27) Jasper ♦♦
Perfect! Works a treat! Thank you soooo much for your help!
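Added example, not code from any poster above and not part of editcap, bittwiste or TraceWrangler: a small Python script that does what the two answers describe. It computes the number of leading bytes Jasper's `editcap -C 38` chops off (14 bytes outer Ethernet + 20 bytes IPv4 + 4 bytes GRE in his sample) from the frame itself instead of hard-coding it, strips the outer Ethernet/IP/GRE/ERSPAN layers from every record of a classic pcap as Kurt's answer suggests, and reads the inner DSCP value the questioner wants to chart. The sample frames are constructed by hand (checksums left at zero), and the rules for recognising ERSPAN Type II (GRE sequence bit set, 8-byte header) and Type III (12-byte header plus optional 8-byte subheader) are my assumptions about those formats, not something the thread states; the Type I case with no ERSPAN header is the layout Jasper describes.

```python
"""Strip outer Ethernet/IPv4/GRE/ERSPAN encapsulation from mirrored frames
in a classic libpcap file. Added example; all sample data is constructed."""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
IPPROTO_GRE = 47
GRE_PROTO_ERSPAN = 0x88BE   # ERSPAN Type I and Type II
GRE_PROTO_ERSPAN3 = 0x22EB  # ERSPAN Type III
GRE_FLAG_CSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ = 0x8000, 0x2000, 0x1000
_PCAP_ENDIAN = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}


def encapsulation_length(frame: bytes) -> int:
    """Leading bytes (outer Ethernet + IPv4 + GRE [+ ERSPAN header]) in front of
    the mirrored Ethernet frame; this is the value to hand to `editcap -C`.
    Raises ValueError if the frame is not ERSPAN-over-GRE."""
    if len(frame) < 14 + 20 + 4:
        raise ValueError("frame too short for Ethernet/IPv4/GRE")
    off, ethertype = 14, struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETHERTYPE_VLAN:            # 802.1Q-tagged outer frame
        off, ethertype = 18, struct.unpack_from("!H", frame, 16)[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    if frame[off + 9] != IPPROTO_GRE:
        raise ValueError("outer IPv4 payload is not GRE")
    off += (frame[off] & 0x0F) * 4             # IPv4 header length incl. options
    flags, gre_proto = struct.unpack_from("!HH", frame, off)
    off += 4                                   # minimal GRE header
    for flag in (GRE_FLAG_CSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ):
        if flags & flag:                       # each optional GRE field is 4 bytes
            off += 4
    if gre_proto == GRE_PROTO_ERSPAN:
        # Assumption: Type II sets the GRE sequence bit and carries an 8-byte
        # ERSPAN header; Type I sets no GRE flags and has no ERSPAN header, so
        # the inner Ethernet frame follows GRE directly (Jasper's case above).
        if flags & GRE_FLAG_SEQ:
            off += 8
    elif gre_proto == GRE_PROTO_ERSPAN3:
        # Assumption: Type III has a 12-byte header plus an 8-byte platform
        # subheader when the O bit (lowest bit of the third word) is set.
        off += 12 + (8 if frame[off + 11] & 0x01 else 0)
    else:
        raise ValueError(f"GRE protocol 0x{gre_proto:04x} is not ERSPAN")
    return off


def strip_encapsulation(frame: bytes) -> bytes:
    """Return the mirrored (inner) Ethernet frame."""
    return frame[encapsulation_length(frame):]


def dscp(frame: bytes):
    """DSCP of an IPv4 Ethernet frame (top 6 bits of the TOS byte), else None."""
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    return frame[15] >> 2


def _records(data: bytes):
    """Yield (endian, ts_sec, ts_usec, orig_len, frame) from a classic pcap."""
    endian = _PCAP_ENDIAN.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    pos = 24                                   # skip the global header
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, pos)
        yield endian, ts_sec, ts_usec, orig_len, data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len


def strip_pcap(data: bytes) -> bytes:
    """Rewrite a classic pcap, de-encapsulating ERSPAN records and keeping others as-is."""
    out = bytearray(data[:24])                 # global header copied verbatim
    for endian, ts_sec, ts_usec, orig_len, frame in _records(data):
        try:
            inner = strip_encapsulation(frame)
        except ValueError:
            inner = frame                      # not ERSPAN: leave untouched
        removed = len(frame) - len(inner)
        out += struct.pack(endian + "IIII", ts_sec, ts_usec, len(inner), orig_len - removed)
        out += inner
    return bytes(out)


def pcap_frames(data: bytes):
    return [rec[4] for rec in _records(data)]


def build_pcap(frames) -> bytes:
    """Constructed little-endian pcap, link type 1 (Ethernet), for testing."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1445299200 + i, 0, len(f), len(f)) + f
    return bytes(out)


def _ipv4(tos: int, proto: int, payload_len: int) -> bytes:
    """Constructed IPv4 header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 1, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))


_ETH = bytes.fromhex("00112233445566778899aabb0800")   # constructed Ethernet header
INNER = _ETH + _ipv4(0xB8, 17, 8) + struct.pack("!HHHH", 0x1234, 53, 8, 0)  # EF-marked UDP
ERSPAN_TYPE1 = _ETH + _ipv4(0, IPPROTO_GRE, 4 + len(INNER)) \
    + struct.pack("!HH", 0, GRE_PROTO_ERSPAN) + INNER                      # 38-byte wrap
ERSPAN_TYPE2 = _ETH + _ipv4(0, IPPROTO_GRE, 16 + len(INNER)) \
    + struct.pack("!HHI", GRE_FLAG_SEQ, GRE_PROTO_ERSPAN, 1) \
    + bytes.fromhex("1000000100000000") + INNER                            # 50-byte wrap

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    print("editcap -C offset of first frame:", encapsulation_length(pcap_frames(data)[0]))
    with open(sys.argv[2], "wb") as f:
        f.write(strip_pcap(data))
```

Run as `python strip_erspan.py in.pcap out.pcap`; the input has to be a classic pcap saved from Wireshark, exactly the conversion the questioner had to do for bittwiste, because pcapng blocks are not parsed. On the constructed Type I frame the outer TOS byte reads DSCP 0 (best effort) while the inner frame reads 46 (EF), which is the difference between the pie chart the questioner was getting and the one he wanted.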