cisco erspan id as a filter method?

Question

Hi, I have a single cisco 6500 running two erspan sessions with different erspan id's. I have a server running wireshark as the destination of the erspans. I would like to split the capture into two separate captures based on the erspan id. Is this possible? I cannot seem to find a way to display an erspan id in the gui.

thanks.

Accepted Answer

For the Cisco Erspan dissector, I do see a field labeled "SpanID" with filter name "erspan.spanid".

I would expect that you'd see this field in the GUI.

(You can use tshark with a Read Filter (-R) to filter for packets with a particular spanid or you can use Wireshark to filter as needed and then do "save as: displayed").

Tshark output from a capture file with ERSPAN:

Generic Routing Encapsulation (ERSPAN)
   Flags and Version: 0x1000
        0... .... .... .... = Checksum Bit: No
        .0.. .... .... .... = Routing Bit: No
        ..0. .... .... .... = Key Bit: No
        ...1 .... .... .... = Sequence Number Bit: Yes
        .... 0... .... .... = Strict Source Route Bit: No
        .... .000 .... .... = Recursion control: 0
        .... .... 0000 0... = Flags (Reserved): 0
        .... .... .... .000 = Version: GRE (0)
    Protocol Type: ERSPAN (0x88be)
    Sequence Number: 1086760
Encapsulated Remote Switch Packet ANalysis
    0001 .... .... .... = Version: Type II (1)
    .... 0000 0110 0101 = Vlan: 101
    110. .... .... .... = Priority: 6
    ...0 .... .... .... = Unknown2: 0
    .... 0... .... .... = Direction: Incoming (0)
    .... .0.. .... .... = Truncated: Not truncated (0)
    .... ..00 0000 0001 = SpanID: 1
    Unknown7: 00084065