Patch for stripping ERSPAN type II
Carter Bullard via Argus-info
argus-info at lists.andrew.cmu.edu
Thu Nov 12 16:12:27 EST 2015
Well that is a lot easier !! I'll look at this when I get back in the office !!!
> On Nov 12, 2015, at 10:15 AM, MING FU <fuming188 at yahoo.ca> wrote:
> Hi Carter,
> The ERSPAN is similar to the tranaparent bridge encapsulation for VMWare. The encapsulation is like encap-ether:encap-ip:GRE:erspan:original-ether:original-ip:...
> I just need to strip the outer headers. i didn't add an DLT type.
> From: Carter Bullard <carter at qosient.com>
> To: MING FU <fuming188 at yahoo.ca>
> Cc: Argus <argus-info at lists.andrew.cmu.edu>
> Sent: Thursday, November 12, 2015 12:39 PM
> Subject: Re: [ARGUS] Patch for stripping ERSPAN type II
> Hey Ming,
> Thanks !! I haven't had a chance to look at the patch, but did you add a parser for a new DLT_TYPE, or did you use another strategy. Are there other DLT_TYPES that you need ???
> Hope all is most excellent,
>> On Nov 10, 2015, at 1:58 PM, MING FU via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
>> Hi Carter,
>> I have a patch to strip off Cisco ERSPAN type II header and reveal its encapsulated Ethernet payload. This currently only strip the header off. It does not make use of the VLAN ID in the header yet.
>> If someone has sample traffic for ERSPAN type III or ERSPAN type II with the VLAN ID set. I would appreciate if you can with me share some pcap capture.
>> Best Regards,
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the argus