You can capture traffic from a virtual guest OS running in VMWare or HyperV by simply setting the guest OS’s respective Vethernet port as the “source” of your ERSPAN session and your PC’s IP address as the “destination.”Īnd that’s why ERSPAN is my new favorite packet capturing trick. Here’s the best part: It also works with the Cisco Nexus 1000V.* That’s right. This trick works from any ERSPAN-capable switch including all of the Cisco Nexus switches as well as some Catalyst switches and Cisco routers. This is an advantage over RSPAN, which strips off any 802.1Q tags, because it cannot transport them. Notice that you can even see the VLAN tag (Vlan: 3900) in the ERSPAN header. 47 in HEX is 2F, so the capture filter for this is ip proto 0x2f. On your Sniffer PC running Wireshark, you’ll want to configure a Capture Filter that limits the captured traffic to IP Protocol number 47, which is GRE. Monitor erspan origin ip-address 10.1.2.1 global Source interface port-channel1 both # Port(s) to be sniffedįilter vlan 3900 # limit VLAN(s) (optional) Apart from that similar questions and answers are easy to find using a search engine. On a Cisco Nexus 7000 Series switch it looks like this:Įrspan-id 32 # required, # between 1-1023ĭestination ip 10.1.2.3 # IP address of Sniffer PC wireshark Share Improve this question Follow asked at 5:00 user1865775 41 1 2 1 Capturing traffic is not a security specific question, i.e. host 172.18.5.4 Capture traffic to or from a range of IP addresses: net 192.168.0.0/24 or net 192.168.0.0 mask 255.255.255.0 Capture traffic from a range of IP addresses: src net 192.168.0.0/24 or src net 192.168.0.0 mask 255.255.255.0 Capture traffic to a range of IP addresses: dst net 192.168.0.0/24 or dst net 192.168.0.0 mask 255.255.255. So How Do I Configure This?įirst configure your “source” switch. As a bonus, if you’re sniffing a VLAN trunk, the 802.1Q tags are also captured in the ERSPAN header info. When capturing network traffic of a VM running in NAT mode with Wireshark, the IP address 10.0.2.2 will be used to represent the host machine. It realizes that the traffic is encapsulated and automatically displays the “real” source and destination IP addresses of the captured traffic, not the source switch’s IP address and your PC’s (destination) IP address. Now you’re only seeing the mirrored traffic. With a simple capture filter setup in Wireshark you can limit your captured packets only to GRE packets. Variables Values supplied by users in the required format. For example, you must use the ip qualifier to specify the IPv4 protocol. Keywords include the following types: Qualifiers Fixed keyword strings. When configuring the IP address of the destination, what happens if you simply enter the IP address of your own PC? Yes, all of the encapsulated mirrored traffic is sent to your PC’s IP address. A capture or display filter contains a keyword string or multiple keyword strings that are connected by operators. This is where my new favorite trick comes in. Wireshark - connected to an ERSPAN-capable “destination” switch, but what if you don’t? But There’s an Easier Way. This works great if you have a dedicated system running a packet sniffer - e.g. The traffic is encapsulated in generic routing encapsulation (GRE) and is, therefore, routable across a layer 3 network between the “source” switch and the “destination” switch. ERSPAN mirrors traffic on one or more “source” ports and delivers the mirrored traffic to one or more “destination” ports on another switch. ERSPAN is an acronym that stands for encapsulated remote switched port analyzer. ERSPAN is awesome and in this article, I’ll show you why. In some cases it could replace RSPAN, but since it’s only available on Cisco Nexus switches, newer Catalyst 6500s, Cisco ASR routers, and other “high end” devices, I determined that it really had limited uses.īut I was wrong. Quit without Saving to discard the captured traffic.When I first looked at the documentation for ERSPAN I could imagine some uses for it. Close Wireshark to complete this activity.Click Clear on the Filter toolbar to clear the display filter.Observe that the Packet List Pane is now filtered so that only traffic to (destination) or from (source) IP address 8.8.8.8 is displayed.Type ip.addr = 8.8.8.8 in the Filter box and press Enter.Use ping 8.8.8.8 to ping an Internet host by IP address.Īctivity 2 - Use a Display Filter.YouTube: Wireshark 101: Display Filters and Filter Options, HakTip 122Īctivity 1 - Capture Network Traffic.These activities will show you how to use Wireshark to capture and filter network traffic using a display filter. Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |