No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Mirrored packets which are captured via L3 remote port mirroring (ERSPAN) are not displayed(decoded) in the WireShark sniffer, because S9300 has chip limitation.

Publication Date:  2012-07-27 Views:  38 Downloads:  0
Issue Description

                                                                                                  pic 1
Customer wants to use L3 remote port mirroring (ERSPAN) for remote troubleshooting, but dump files cannot be decoded by sniffer (Wire Shark v 1.6.1). For example see pic 2



Alarm Information
None
Handling Process
We can solve this problem only by using additional software tools which can delete all GRE information from the ERSPAN dump.
(see attachment for using tools)
Root Cause
1. After mirroring source frame is modified according to following rules:
Add Ethernet header: Source MAC+ Destination MAC + VLAN tag == 6+6+2+4 = 18 bytes
Add IP header: 20 bytes
GRE header 4 bytes
Therefore, total packet header is 18+20+4 = 42 bytes (see following example pic 3)

                                                                                            pic 3
2. S9300 can support only 38 bytes header for correct mirroring. Correct mirroring means that device must insert special sequence after GRE protocol identifier 88be: 000000ab1156c29a00007ff8
For example in ERSPAN dump from Cisco device we can found such sequence:

                                                                                             pic 4
3. But in S9300’s dump we can’t find this sequence (see pic. 5):

                                                                                           pic 5
Because S9300 doesn’t insert 000000ab1156c29a00007ff8 that is why WireShark sniffer can’t decode correct dump file.      


Suggestions
In case of using S9300 please use special mirror tools(see attachment) before analyzing by WireShark sniffer.

END