This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

cisco erspan id as a filter method?

0

Hi, I have a single Cisco 6500 running two ERSPAN sessions with different ERSPAN IDs. I have a server running Wireshark as the destination of the ERSPANs. I would like to split the capture into two separate captures based on the ERSPAN ID. Is this possible? I cannot seem to find a way to display an ERSPAN ID in the GUI.

thanks.

asked 11 Mar '12, 19:11


jonno
accept rate: 0%


One Answer:

1

For the Cisco ERSPAN dissector, I do see a field labeled "SpanID" with filter name "erspan.spanid".

I would expect that you'd see this field in the GUI.

(You can use tshark with a Read Filter (-R) to filter for packets with a particular spanid or you can use Wireshark to filter as needed and then do "save as: displayed").

Tshark output from a capture file with ERSPAN:

Generic Routing Encapsulation (ERSPAN)
    Flags and Version: 0x1000
        0... .... .... .... = Checksum Bit: No
        .0.. .... .... .... = Routing Bit: No
        ..0. .... .... .... = Key Bit: No
        ...1 .... .... .... = Sequence Number Bit: Yes
        .... 0... .... .... = Strict Source Route Bit: No
        .... .000 .... .... = Recursion control: 0
        .... .... 0000 0... = Flags (Reserved): 0
        .... .... .... .000 = Version: GRE (0)
    Protocol Type: ERSPAN (0x88be)
    Sequence Number: 1086760
Encapsulated Remote Switch Packet ANalysis
    0001 .... .... .... = Version: Type II (1)
    .... 0000 0110 0101 = Vlan: 101
    110. .... .... .... = Priority: 6
    ...0 .... .... .... = Unknown2: 0
    .... 0... .... .... = Direction: Incoming (0)
    .... .0.. .... .... = Truncated: Not truncated (0)
    .... ..00 0000 0001 = SpanID: 1
    Unknown7: 00084065

answered 11 Mar '12, 19:38


Bill Meier ♦♦
accept rate: 17%

edited 11 Mar '12, 19:41

thanks, looking at it, I can use the "erspand.id == " in the GUI filter. I had a problem where I was using ERSPAN packets with the first 50 bytes chopped, so I couldn't see it :)

(11 Mar '12, 20:36) jonno
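The split the answer describes (filter on erspan.spanid, then write out only the matching packets) can also be done without Wireshark by reading the GRE and ERSPAN Type II headers directly, which also shows where the SpanID sits in the bytes the tshark dump decodes. The following Python is an added example, not code from the original thread or from the Wireshark project. It assumes a classic little-endian pcap file (not pcapng) with Ethernet framing and the Ethernet/IPv4/GRE/ERSPAN Type II encapsulation shown in the dump; the MAC addresses, IP addresses and timestamps in the constructed sample capture are hypothetical. Frames cut by the snaplen before the end of the ERSPAN header, the situation in the comment above, cannot be classified and are written to a separate file rather than being mis-sorted or dropped.

```python
"""Split an ERSPAN Type II capture into one pcap file per SpanID.

Added example (not from the original post). Assumes classic little-endian
pcap input with linktype 1 (Ethernet) and the encapsulation shown in the
answer's tshark output: Ethernet II / IPv4 / GRE / ERSPAN Type II.
"""
import struct
import sys

ETH_P_IP = 0x0800
IPPROTO_GRE = 47
ETHERTYPE_ERSPAN = 0x88BE   # GRE Protocol Type for ERSPAN, as in the tshark dump
PCAP_MAGIC = 0xA1B2C3D4


def erspan_spanid(frame):
    """Return the 10-bit SpanID (Wireshark field erspan.spanid) of an outer
    frame, or None when the frame is not GRE/ERSPAN II or is too short.
    A capture whose snaplen cuts inside the GRE/ERSPAN headers (the
    poster's chopped-frames case) therefore yields None, never a wrong ID."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    off = 14                                    # start of the IPv4 header
    if len(frame) < off + 20 or frame[off] >> 4 != 4:
        return None
    if frame[off + 9] != IPPROTO_GRE:
        return None
    off += (frame[off] & 0x0F) * 4              # skip IPv4 header incl. options
    if len(frame) < off + 4:
        return None
    flags, proto = struct.unpack("!HH", frame[off:off + 4])
    if proto != ETHERTYPE_ERSPAN or flags & 0x4000:   # no GRE source routing
        return None
    off += 4
    if flags & 0x8000:                          # C bit: checksum + reserved
        off += 4
    if flags & 0x2000:                          # K bit: key
        off += 4
    if flags & 0x1000:                          # S bit: sequence number (set in the dump)
        off += 4
    if len(frame) < off + 8:                    # ERSPAN II header is 8 bytes
        return None
    w0, w1 = struct.unpack("!HH", frame[off:off + 4])
    if w0 >> 12 != 1:                           # version nibble: 1 = Type II
        return None
    return w1 & 0x03FF                          # low 10 bits = SpanID


def pcap_header(snaplen=65535, linktype=1):
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def iter_pcap(data):
    """Yield (ts_sec, ts_usec, orig_len, frame_bytes) records from pcap bytes."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("expected a little-endian classic pcap file")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, orig_len, data[off:off + incl_len]
        off += incl_len


def split_by_spanid(data):
    """Return {spanid: pcap bytes}; frames whose SpanID cannot be read are
    collected under the key None so nothing is silently dropped."""
    parts = {}
    for ts_sec, ts_usec, orig_len, frame in iter_pcap(data):
        sid = erspan_spanid(frame)
        parts.setdefault(sid, bytearray(pcap_header()))
        parts[sid] += struct.pack("<IIII", ts_sec, ts_usec, len(frame), orig_len) + frame
    return {sid: bytes(blob) for sid, blob in parts.items()}


def build_erspan_frame(spanid, vlan=101, seq=1086760, inner=b"\x00" * 16):
    """Constructed outer frame (hypothetical MACs/IPs) carrying one mirrored frame.
    Priority 6 and the trailing 0x00084065 word mirror the answer's dump."""
    erspan = struct.pack("!HHI", (1 << 12) | vlan, (6 << 13) | spanid, 0x00084065)
    gre = struct.pack("!HHI", 0x1000, ETHERTYPE_ERSPAN, seq)          # S bit set
    payload = gre + erspan + inner
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     IPPROTO_GRE, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)
    return eth + ip + payload


def sample_capture():
    """Constructed capture: two frames from session 1, one from session 2,
    and one session-2 frame cut at 46 bytes, i.e. inside the ERSPAN header."""
    full = build_erspan_frame(2)
    frames = [(build_erspan_frame(1), None), (full, None),
              (build_erspan_frame(1, vlan=200), None), (full[:46], len(full))]
    data = bytearray(pcap_header())
    for i, (frame, orig) in enumerate(frames):
        data += struct.pack("<IIII", 1331500000 + i, 0, len(frame), orig or len(frame)) + frame
    return bytes(data)


if __name__ == "__main__":
    src = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(src, "rb").read() if src else sample_capture()
    for sid, blob in split_by_spanid(data).items():
        name = f"span{sid}.pcap" if sid is not None else "span_unknown.pcap"
        with open(name, "wb") as fh:
            fh.write(blob)
        print(name, len(list(iter_pcap(blob))), "frames")
```

Run it as `python split_erspan.py erspan.pcap` to get span1.pcap, span2.pcap and, if any frames were cut short, span_unknown.pcap. With Wireshark installed the same split is one command per session, `tshark -r erspan.pcap -Y 'erspan.spanid == 1' -w span1.pcap` (current tshark releases take the display filter with -Y; -R is the two-pass read filter and needs -2), and `tshark -r erspan.pcap -T fields -e erspan.spanid | sort -u` lists the session IDs present in a file before you split it.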