This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Strip ERSPAN Header from output?

0

Hi Guys

I have a pcapng file captured from an ERSPAN session. I need to strip the ERSPAN header from all packets so I can view the encapsulated packet properly in Steelhead Packet Analyzer.

I looked at editcap.exe, but the -C option seemed to malform the packets as opposed to stripping the header off.

Any ideas?

Thanks for any help you can offer

asked 19 Oct '15, 18:04


Warren Sullivan


2 Answers:

0

Well, it looks like your traces are broken. There is a GRE header with Protocol type set to 0x88be, but instead of an ERSPAN header following it there is Ethernet right away. So the ERSPAN header is missing, and the decode fails for any tool that tries. Looks like the device doing your ERSPAN doesn't know its RFCs :-)

You can fix your capture by running this editcap command, cutting away the leading 38 bytes before the second Ethernet header:

editcap -C 38 pcap.pcap pcap_edited.pcap

Worked for me with your sample.

answered 20 Oct '15, 17:35


Jasper ♦♦

Perfect! Works a treat! Thank you soooo much for your help!

(20 Oct '15, 18:04) Warren Sullivan

0

so I can view the encapsulated packet properly in Steelhead Packet Analyzer.

If you would use Wireshark to view the frames, you would not have to strip the ERSPAN header! ;-)

BTW: I wonder why SteelCentral Packet Analyzer is unable to view those frames !?!

Sample file:

https://github.com/securactive/junkie/blob/master/tests/pcap/gre/erspan.pcap

Solution: If you really want to strip the ERSPAN 'headers', please read my answer to a similar question:

https://ask.wireshark.org/questions/9180/strip-off-gtp-headers

The following command should remove everything related to ERSPAN (including outer eth/ip/etc.)

bittwiste -I erspan.pcap -O no_erspan.pcap -D 1-50

This works with the sample file on github.com.

Regards
Kurt

answered 20 Oct '15, 03:41


Kurt Knochner ♦

edited 20 Oct '15, 03:41

Thanks!

OK, I may need to add some detail. I need to strip the header so SteelCentral can see the inner DSCP markings and create a nice little pie graph of all DSCP markings in the capture; at the moment it only sees BE or best effort, as that is the CS marking on the outer ERSPAN header.

So I tried bittwist but no luck; it came up with this:

C:\Temp\bittwist-win-2.0\bittwist-win-2.0\src>bittwiste -I "c:\Users\ws2593\Desktop\QOS\raw 7million packets.pcapng" -O no_erspan.pcap -D 1-50
      0 [main] bittwiste 6864 find_fast_cwd: WARNING: Couldn't compute FAST_CWD pointer.  Please report this problem to
the public mailing list [email protected]
input file: c:\Users\ws2593\Desktop\QOS\raw 7million packets.pcapng
cygwin warning:
  MS-DOS style path detected: c:\Users\ws2593\Desktop\QOS\raw 7million packets.pcapng
  Preferred POSIX equivalent is: /cygdrive/c/Users/ws2593/Desktop/QOS/raw 7million packets.pcapng
  CYGWIN environment variable option "nodosfilewarning" turns off this warning.
  Consult the user's guide for more details about
  POSIX paths: http://cygwin.com/cygwin-ug-net/using.html#using-pathnames
output file: no_erspan.pcap
bittwiste: c:\Users\ws2593\Desktop\QOS\raw 7million packets.pcapng is not a valid pcap based trace file

(20 Oct '15, 04:06) Warren Sullivan

It works on my Windows 7 system. Looks like there is a problem with your Cygwin environment.

I downloaded an older version, including the Cygwin DLLs from this location:

http://www.lovemytool.com/blog/2011/05/bittwiste-pcap-capture-file-editor-by-joke-snelders.html

(20 Oct '15, 07:59) Kurt Knochner ♦

OK, I couldn't deal with the pcapng extension, so I saved a capture as a pcap from within Wireshark and ran it on a smaller file, and it worked (read: it performed a function), but it has messed up the packet. I'll see if I can attach or upload the pre- and post-processed captures....

https://onedrive.live.com/redir?resid=B59E85C305951CF1!90306&authkey=!AOHCiiz98HLPcII&ithint=folder%2c

Thanks heaps for your help thus far!!!

(20 Oct '15, 15:32) Warren Sullivan

Try TraceWrangler. I added handling of ERSPAN layers today, so if you add an "Edit" task and choose to strip GRE, it will also remove ERSPAN if it finds it. At least it worked for the trace I have.

Get the automated build here: https://www.tracewrangler.com/download/automated/

(20 Oct '15, 16:31) Jasper ♦♦

Hi Jasper,

I tried TraceWrangler last night to no avail, and I tried your new build just now but no luck. Can you use my pcap file below to test? It doesn't remove the GRE header or the ERSPAN header; in fact it actually increases the file size! hehe

https://onedrive.live.com/redir?resid=B59E85C305951CF1!90304&authkey=!APq7eLArEBnXmtw&ithint=file%2cpcap

Thanks for your help so far!

(20 Oct '15, 16:59) Warren Sullivan

Hm, that's because it uses an ERSPAN version I haven't seen so far. I need to adjust my parser for that, which may take a while. Even Wireshark 1.12.8 doesn't decode it correctly for me. Interesting.

(20 Oct '15, 17:23) Jasper ♦♦

By the way, just stumbled across this page while researching ERSPAN encapsulation types, maybe it helps:

http://brezular.com/2015/05/03/decapsulation-erspan-traffic-with-open-source-tools/

It also points to a tool at Sourceforge:

http://sourceforge.net/projects/rcdcap/

(20 Oct '15, 17:27) Jasper ♦♦
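The two commands in the answers above cut a fixed number of bytes (editcap -C 38 where Ethernet follows GRE directly; bittwiste -D 1-50 for the GitHub sample, which also carries a GRE sequence number and an 8-byte ERSPAN Type II header). The script below is an added example, not code from this thread or from editcap, bittwiste or TraceWrangler; it computes the cut per packet from the outer Ethernet/IPv4/GRE headers, detecting the Type II header by its version nibble, and rejects pcapng input the way bittwiste did. It assumes a classic little-endian pcap with IPv4 outer headers; the frames built by sample_frame are constructed test data.

```python
"""Strip the outer Ethernet/IPv4/GRE(/ERSPAN) encapsulation from a classic pcap,
computing the cut per packet from the headers instead of hard-coding 38 bytes."""
import struct

ETH_P_IPV4 = 0x0800
IPPROTO_GRE = 47
GRE_PROTO_ERSPAN = 0x88BE   # ERSPAN Type I (no header) and Type II (8-byte header)

def encapsulation_length(pkt: bytes) -> int:
    """Bytes to cut before the mirrored frame, or 0 if this is not ERSPAN-over-GRE."""
    if len(pkt) < 38 or struct.unpack_from("!H", pkt, 12)[0] != ETH_P_IPV4:
        return 0
    if pkt[14] >> 4 != 4 or pkt[23] != IPPROTO_GRE:
        return 0
    off = 14 + (pkt[14] & 0x0F) * 4          # Ethernet + IPv4 (IHL covers options)
    flags, proto = struct.unpack_from("!HH", pkt, off)
    if proto != GRE_PROTO_ERSPAN:
        return 0
    off += 4                                 # GRE base header
    off += 4 if flags & 0x8000 else 0        # C: checksum + reserved1
    off += 4 if flags & 0x2000 else 0        # K: key
    off += 4 if flags & 0x1000 else 0        # S: sequence number
    # Type II header begins with version nibble 1; Type I (and the capture in this
    # thread) has the inner Ethernet frame right after GRE. This is a heuristic.
    if off + 8 <= len(pkt) and pkt[off] >> 4 == 1:
        off += 8
    return off if off <= len(pkt) else 0

def strip_pcap(data: bytes) -> bytes:
    """Rewrite a little-endian classic pcap in memory; pcapng input is rejected."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected classic pcap (0xa1b2c3d4); convert pcapng first")
    out, pos = bytearray(data[:24]), 24
    while pos + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack_from("<IIII", data, pos)
        pkt = data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        cut = encapsulation_length(pkt)
        out += struct.pack("<IIII", sec, usec, incl - cut, orig - cut) + pkt[cut:]
    return bytes(out)

def sample_frame(gre_flags: int, erspan_hdr: bytes, inner: bytes) -> bytes:
    """Constructed outer frame: Ethernet + IPv4 (no options) + GRE (+ ERSPAN)."""
    gre = struct.pack("!HH", gre_flags, GRE_PROTO_ERSPAN)
    gre += struct.pack("!I", 7) if gre_flags & 0x1000 else b""
    total = 20 + len(gre) + len(erspan_hdr) + len(inner)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, IPPROTO_GRE, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x02" * 12 + struct.pack("!H", ETH_P_IPV4) + ip + gre + erspan_hdr + inner
```

After stripping, the first bytes of each record are the mirrored frame, so the inner IP header's DSCP field is what an analyzer sees.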