-T erspan lets you force parsing a GRE packet as ERSPAN

Devices supporting ERSPAN type I allow arbitrary GRE protocol numbers to be specified for encapsulating the spanned Ethernet packets. This lets tcpdump cope with that by letting the user force erspan packet processing.

This follows the mechanism used for IP and UDP packet processing. It might be nice to extend the -T argument processing so you can do something like tcpdump -T erspan=111 or -T erspan=0x88be so only specific protocols are forced to erspan instead of all of them.

Anyway, if you're using a recentish Dell (or late Force 10 switch) with ftos^Wdnos 9, it basically supports ERSPAN Type I without actually saying that. The "monitor session X type erpm" encapsulates Ethernet packets in GRE and sends them to a remote IP, and defaults to the same GRE protocol identifier that ERSPAN uses. It also supports changing the GRE protocol id, as per the ERSPAN draft specs:

If I configure this:

    monitor session 10 type erpm
     source twentyFiveGigE 1/1 direction both
     erpm source-ip 10.138.79.17 dest-ip 10.138.79.2
     no disable

Then tcpdump on 10.138.79.2 shows this:

    xdlg@bastion:~/src/usr.sbin/tcpdump$ sudo ./obj/tcpdump -vei vmx2 -B capture ip proto gre
    tcpdump: listening on vmx2, link-type EN10MB
    tcpdump: WARNING: compensating for unaligned libpcap packets
    13:55:56.812909 54:bf:64:d9:07:42 00:50:56:a1:c1:4a ip 180: eait-42-dc2-c5-2.mgmt.eait.uq.edu.au > bastion.eait.uq.edu.au: gre [] 88be erspan I: 00:24:51:5d:84:00 01:00:5e:00:00:05 ip 142: 172.16.163.249 > ospf-all.mcast.net: OSPFv2-hello 56[92]: rtrid secret area 0.0.2.188 auth MD5 key-id 1 seq 1558233217 [|ospf] [tos 0xc0] [ttl 1] (id 63484, len 128) (ttl 255, id 0, len 166)

If I reconfigure the monitor session with the following erpm line:

    erpm source-ip 10.138.79.17 dest-ip 10.138.79.2 gre-protocol 111

I see this:

    xdlg@bastion:~/src/usr.sbin/tcpdump$ sudo ./obj/tcpdump -nvei vmx2 -B capture ip proto gre
    tcpdump: listening on vmx2, link-type EN10MB
    14:00:30.584863 54:bf:64:d9:07:42 00:50:56:a1:c1:4a 0800 168: 10.138.79.17 > 10.138.79.2: gre [] 006f unknown-proto-006f (ttl 255, id 0, len 154)
    14:00:30.585046 54:bf:64:d9:07:42 00:50:56:a1:c1:4a 0800 104: 10.138.79.17 > 10.138.79.2: gre [] 006f unknown-proto-006f (ttl 255, id 0, len 90)

now with -T erspan:

    xdlg@bastion:~/src/usr.sbin/tcpdump$ sudo ./obj/tcpdump -vei vmx2 -B capture -T erspan ip proto gre
    tcpdump: listening on vmx2, link-type EN10MB
    tcpdump: WARNING: compensating for unaligned libpcap packets
    13:55:56.812909 54:bf:64:d9:07:42 00:50:56:a1:c1:4a ip 180: eait-42-dc2-c5-2.mgmt.eait.uq.edu.au > bastion.eait.uq.edu.au: gre [] 006f erspan I: 00:24:51:5d:84:00 01:00:5e:00:00:05 ip 142: 172.16.163.249 > ospf-all.mcast.net: OSPFv2-hello 56[92]: rtrid secret area 0.0.2.188 auth MD5 key-id 1 seq 1558233217 [|ospf] [tos 0xc0] [ttl 1] (id 63484, len 128) (ttl 255, id 0, len 166)

ok?

Index: interface.h =================================================================== RCS file: /cvs/src/usr.sbin/tcpdump/interface.h,v retrieving revision 1.80 diff -u -p -r1.80 interface.h --- interface.h 5 Apr 2019 00:57:59 -0000 1.80 +++ interface.h 21 May 2019 03:46:35 -0000 @@ -64,6 +64,7 @@ extern char *device; /* as specified by #define PT_MPLS 10 /* MPLS (over UDP) */ #define PT_TFTP 11 /* Trivial File Transfer Protocol */ #define PT_VXLAN 12 /* Virtual eXtensible Local Area Network */ +#define PT_ERSPAN 13 /* GRE ERSPAN Type I or II */ #ifndef min #define min(a,b) ((a)>(b)?(b):(a)) Index: print-gre.c =================================================================== RCS file: /cvs/src/usr.sbin/tcpdump/print-gre.c,v retrieving revision 1.26 diff -u -p -r1.26 print-gre.c --- print-gre.c 17 May 2019 06:47:10 -0000 1.26 +++ print-gre.c 21 May 2019 03:46:35 -0000 
@@ -223,6 +223,14 @@ gre_print_0(const u_char *p, u_int lengt printf(" "); + switch (packettype) { + case PT_ERSPAN: + gre_print_erspan(flags, p, length); + return; + default: + break; + } + switch (proto) { case 0: printf("keep-alive"); Index: tcpdump.8 =================================================================== RCS file: /cvs/src/usr.sbin/tcpdump/tcpdump.8,v retrieving revision 1.101 diff -u -p -r1.101 tcpdump.8 --- tcpdump.8 18 Mar 2019 06:41:52 -0000 1.101 +++ tcpdump.8 21 May 2019 03:46:35 -0000 @@ -230,9 +230,11 @@ to be interpreted as the specified .Ar type . Currently known types are: .Pp -.Bl -tag -width "vxlan" -offset indent -compact +.Bl -tag -width "erspan" -offset indent -compact .It Cm cnfp Cisco NetFlow protocol +.It Cm erspan +Cisco Encapsulated Remote Switch Port Analyzer (ERSPAN) over GRE .It Cm gre Generic Routing Encapsulation over UDP .It Cm mpls Index: tcpdump.c =================================================================== RCS file: /cvs/src/usr.sbin/tcpdump/tcpdump.c,v retrieving revision 1.89 diff -u -p -r1.89 tcpdump.c --- tcpdump.c 18 Mar 2019 00:09:22 -0000 1.89 +++ tcpdump.c 21 May 2019 03:46:35 -0000 @@ -365,6 +365,8 @@ main(int argc, char **argv) packettype = PT_GRE; else if (strcasecmp(optarg, "vxlan") == 0) packettype = PT_VXLAN; + else if (strcasecmp(optarg, "erspan") == 0) + packettype = PT_ERSPAN; else if (strcasecmp(optarg, "mpls") == 0) packettype = PT_MPLS; else if (strcasecmp(optarg, "tftp") == 0)
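
Review bot: In gre_print_0() in print-gre.c, the new "case PT_ERSPAN" returns before "switch (proto)" is reached, so with -T erspan every GRE packet the filter matches, including proto 0 keep-alives, is handed to gre_print_erspan() regardless of its protocol field. gre_print_erspan() is not part of this diff, so it is worth confirming that it bounds-checks "length" for payloads that are not actually ERSPAN. The "-T erspan=0x88be" form floated in the mail would narrow the override; short of that, a comment above the new switch saying the override is unconditional would help the next reader.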
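
Review bot: The new ".It Cm erspan" entry in tcpdump.8 does not say that the override applies to GRE packets whatever their protocol number, which is the reason the option exists. Suggest wording along the lines of "Cisco Encapsulated Remote Switch Port Analyzer (ERSPAN) over GRE, regardless of the GRE protocol type". The neighbouring "gre" entry reads "over UDP", so without that a reader may assume erspan is also keyed on a UDP payload.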