Snort mailing list archives
Re: ERSPAN
From: Mike Hale <eyeronic.design () gmail com>
Date: Tue, 1 Apr 2014 13:25:53 -0700
There's your problem. Cisco uses an additional datacenter Ethernet tag (I think that's the correct term) that is also present in span traffic. I haven't found a way to get those packets properly decoded yet, unfortunately. The only work around is to span physical interfaces that don't carry vpc traffic. Spaning vlans doesn't work properly. On Apr 1, 2014 12:15 PM, "Fernando Cardoso" <fcardoso () ymail com> wrote:
Hey Mike, Yes, our switches are configured with VPC. 2014-04-01 11:54 GMT-03:00 Mike Hale <eyeronic.design () gmail com>:Are your Nexus switches configured with vpc? On Apr 1, 2014 7:51 AM, "Fernando Cardoso" <fcardoso () ymail com> wrote:Thanks Carter, So I need to solve the Malformed packets first, have any Idea about this issue? My span configuration its seem ok and my OS too, I'll looking for any misconfiguration between switch and OS (virtual machine.). Fernando C> 2014-04-01 10:13 GMT-03:00 Carter Waxman (cwaxman) <cwaxman () cisco com>:Hello, It appears most of the packets in "notdecoded.pcap" are malformed (in particular, the IP->GRE->IP data), and the output you are seeing is from GRE-encapsulated non-IP data (at least this is how Wireshark and Snort interpret it). The packets that are malformed are simply being dropped by Snort. I can't speak for your network, but somehow the length fields in the outer IP headers are smaller than they should be(ex. 87 --the length without the GRE and inner ethernet headers -- instead of 115 for the first packet), which is why these packets are being rejected. -Carter From: "Russ Combs (rucombs)" <rucombs () cisco com> Date: Monday, March 31, 2014 11:40 AM To: Fernando Cardoso <fcardoso () ymail com>, " snort-users () lists sourceforge net" <snort-users () lists sourceforge net> Subject: Re: [Snort-users] ERSPAN Can you send a pcap? ------------------------------ *From:* Fernando Cardoso [fcardoso () ymail com] *Sent:* Friday, March 28, 2014 11:00 AM *To:* snort-users () lists sourceforge net *Subject:* [Snort-users] ERSPAN Hello, I'm using Snort version 2.9.6.0 GRE (Build 47) on a Ubuntu Server to sniff ERSPAN traffic. Snort output show me entire packet of many different vlans but the source address and destination is the same configured on my switch session. Sniffing example running snort: snort -X -i eth1 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 03/28-11:37:15.569789 10.199.11.1 -> 10.200.10.10 GRE TTL:255 TOS:0x0 ID:900 IpLen:20 DgmLen:84 DF 0x0000: 00 50 56 91 06 B7 54 7F EE 96 AC 7C 08 00 45 00 .PV...T....|..E. 0x0010: 00 54 03 84 40 00 FF 2F 65 02 0A C7 C7 01 0A 64 .T..@ ../e......d 0x0020: 36 C8 10 00 88 BE 32 4E CB 44 12 6B 00 01 00 01 6.....2N.D.k.... 0x0030: 00 00 02 0A BD 00 00 00 02 0A BE 00 00 00 89 03 ................ 0x0040: 40 20 00 B0 D1 34 32 31 00 50 56 91 72 E3 81 00 @ ...421.PV.r... 0x0050: 02 6B 08 00 45 00 00 28 67 D8 40 00 40 06 E8 6A .k..E..(g.@ .@..j 0x0060: 0A FC 13 05 BA DF 11 AD 1F 90 C6 6E 81 51 5B D9 ...........n.Q[. 0x0070: 6E 90 0F 3E 50 10 00 F2 83 5D 00 00 00 00 00 00 n..>P....]...... .. Where 10.199.11.1 is my source and 10.200.10.10 is my destination in my session configuration When I use tools like tshark and gulp I can see the right source and dest not only source and dest from GRE. My switch is a nexus 5k and my config is something like this: session 1 --------------- type : erspan-source state : up erspan-id : 1 vrf-name : default destination-ip : 10.200.10.10 ip-ttl : 255 ip-dscp : 0 origin-ip : 10.199.11.1 (global) source intf : rx : tx : both : source VLANs : rx : 10,50,100-150 My question is, can snort show the ip adress dest and source from decapsulated erspan like tshark and gulp?------------------------------------------------------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: ERSPAN Carter Waxman (cwaxman) (Apr 01)
- Re: ERSPAN Fernando Cardoso (Apr 01)
- Re: ERSPAN Mike Hale (Apr 01)
- Re: ERSPAN Fernando Cardoso (Apr 01)
- Re: ERSPAN Mike Hale (Apr 01)
- Re: ERSPAN Fernando Cardoso (Apr 02)
- Re: ERSPAN Mike Hale (Apr 01)
- Re: ERSPAN Fernando Cardoso (Apr 01)