Patch for stripping ERSPAN type II

Carter Bullard via Argus-info argus-info at lists.andrew.cmu.edu
Wed Jun 1 12:46:39 EDT 2016 

Hey Ming,
I know that this is an old topic ….

Finalizing the argus-3.0.8.2 release and wanted to test your patch for ERSPAN type II packets.
You don’t have a packet capture with any of these packet types in it, do you ???
Hope all is most excellent,

Carter

> On Nov 12, 2015, at 4:12 PM, Carter Bullard via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
> 
> Well that is a lot easier !!  I'll look at this when I get back in the office !!!
> Carter
> 
> On Nov 12, 2015, at 10:15 AM, MING FU <fuming188 at yahoo.ca <mailto:fuming188 at yahoo.ca>> wrote:
> 
>> Hi Carter,
>> 
>> The ERSPAN is similar to the tranaparent bridge encapsulation for VMWare. The encapsulation is like encap-ether:encap-ip:GRE:erspan:original-ether:original-ip:...
>> I just need to strip the outer headers. i didn't add an DLT type.
>> 
>> Regards,
>> Ming
>> 
>> 
>> From: Carter Bullard <carter at qosient.com <mailto:carter at qosient.com>>
>> To: MING FU <fuming188 at yahoo.ca <mailto:fuming188 at yahoo.ca>> 
>> Cc: Argus <argus-info at lists.andrew.cmu.edu <mailto:argus-info at lists.andrew.cmu.edu>> 
>> Sent: Thursday, November 12, 2015 12:39 PM
>> Subject: Re: [ARGUS] Patch for stripping ERSPAN type II
>> 
>> Hey Ming,
>> Thanks !!  I haven't had a chance to look at the patch, but did you add a parser for a new  DLT_TYPE, or did you use another strategy.  Are there other DLT_TYPES that you need ???
>> 
>> Hope all is most excellent,
>> Carter
>> 
>> 
>> 
>> On Nov 10, 2015, at 1:58 PM, MING FU via Argus-info <argus-info at lists.andrew.cmu.edu <mailto:argus-info at lists.andrew.cmu.edu>> wrote:
>> 
>>> Hi Carter,
>>> 
>>> I have a patch to strip off Cisco ERSPAN type II header and reveal its encapsulated Ethernet payload. This currently only strip the header off. It does not make use of the VLAN ID in the header yet.
>>> 
>>> If someone has sample traffic for ERSPAN type III or ERSPAN type II with the VLAN ID set. I would appreciate if you can with me share some pcap capture.
>>> 
>>> Best Regards,
>>> Ming
>>> <patchfile>
>> 
>> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20160601/d804614f/attachment.html>

More information about the argus mailing list