Re: ERSPAN

[Mike Hale <eyeronic.design () gmail com>]

There's your problem.  Cisco uses an additional datacenter Ethernet tag (I
think that's the correct term) that is also present in span traffic.  I
haven't found a way to get those packets properly decoded yet,
unfortunately.

The only work around is to span physical interfaces that don't carry vpc
traffic.  Spaning vlans doesn't work properly.
On Apr 1, 2014 12:15 PM, "Fernando Cardoso" <fcardoso () ymail com> wrote:

> Hey Mike,
>
> Yes, our switches are configured with VPC.
>
>
> 2014-04-01 11:54 GMT-03:00 Mike Hale <eyeronic.design () gmail com>:
>
> > Are your Nexus switches configured with vpc?
> > On Apr 1, 2014 7:51 AM, "Fernando Cardoso" <fcardoso () ymail com> wrote:
> >
> > > Thanks Carter,
> > >
> > > So I need to solve the Malformed packets first, have any Idea about this
> > > issue? My span configuration its seem ok and my OS too, I'll looking for
> > > any misconfiguration between switch and OS (virtual machine.).
> > >
> > >
> > > Fernando C>
> > >
> > >
> > > 2014-04-01 10:13 GMT-03:00 Carter Waxman (cwaxman) <cwaxman () cisco com>:
> > >
> > > >  Hello,
> > > >
> > > >  It appears most of the packets in "notdecoded.pcap" are malformed (in
> > > > particular, the IP->GRE->IP data), and the output you are seeing is from
> > > > GRE-encapsulated non-IP data (at least this is how Wireshark and Snort
> > > > interpret it). The packets that are malformed are simply being dropped by
> > > > Snort.
> > > >
> > > >  I can't speak for your network, but somehow the length fields in the
> > > > outer IP headers are smaller than they should be(ex. 87 --the length without
> > > > the GRE and inner ethernet headers -- instead of 115 for the first packet),
> > > > which is why these packets are being rejected.
> > > >
> > > >  -Carter
> > > >
> > > >   From: "Russ Combs (rucombs)" <rucombs () cisco com>
> > > > Date: Monday, March 31, 2014 11:40 AM
> > > > To: Fernando Cardoso <fcardoso () ymail com>, "
> > > > snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
> > > > Subject: Re: [Snort-users] ERSPAN
> > > >
> > > >   Can you send a pcap?
> > > >  ------------------------------
> > > > *From:* Fernando Cardoso [fcardoso () ymail com]
> > > > *Sent:* Friday, March 28, 2014 11:00 AM
> > > > *To:* snort-users () lists sourceforge net
> > > > *Subject:* [Snort-users] ERSPAN
> > > >
> > > >   Hello,
> > > >
> > > >  I'm using  Snort version 2.9.6.0 GRE (Build 47) on a Ubuntu Server to
> > > > sniff ERSPAN traffic.
> > > > Snort output show me entire packet of many different vlans but the
> > > > source address and destination is the same configured on my switch session.
> > > > Sniffing example running snort:
> > > > snort -X -i eth1
> > > >
> > > > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> > > >
> > > >  03/28-11:37:15.569789 10.199.11.1 -> 10.200.10.10
> > > > GRE TTL:255 TOS:0x0 ID:900 IpLen:20 DgmLen:84 DF
> > > > 0x0000: 00 50 56 91 06 B7 54 7F EE 96 AC 7C 08 00 45 00
> > > >  .PV...T....|..E.
> > > > 0x0010: 00 54 03 84 40 00 FF 2F 65 02 0A C7 C7 01 0A 64  .T..@
> > > > ../e......d
> > > > 0x0020: 36 C8 10 00 88 BE 32 4E CB 44 12 6B 00 01 00 01
> > > >  6.....2N.D.k....
> > > > 0x0030: 00 00 02 0A BD 00 00 00 02 0A BE 00 00 00 89 03
> > > >  ................
> > > > 0x0040: 40 20 00 B0 D1 34 32 31 00 50 56 91 72 E3 81 00  @
> > > > ...421.PV.r...
> > > > 0x0050: 02 6B 08 00 45 00 00 28 67 D8 40 00 40 06 E8 6A  .k..E..(g.@
> > > > .@..j
> > > > 0x0060: 0A FC 13 05 BA DF 11 AD 1F 90 C6 6E 81 51 5B D9
> > > >  ...........n.Q[.
> > > > 0x0070: 6E 90 0F 3E 50 10 00 F2 83 5D 00 00 00 00 00 00
> > > >  n..>P....]......
> > > >                               ..
> > > >  Where 10.199.11.1 is my source and 10.200.10.10 is my destination in
> > > > my session configuration
> > > >
> > > >  When I use tools like tshark and gulp I can see the right source and
> > > > dest not only source and dest from GRE.
> > > >
> > > >  My switch is a nexus 5k and my config is something like this:
> > > >  session 1
> > > > ---------------
> > > > type              : erspan-source
> > > > state             : up
> > > > erspan-id         : 1
> > > > vrf-name          : default
> > > > destination-ip    : 10.200.10.10
> > > > ip-ttl            : 255
> > > > ip-dscp           : 0
> > > > origin-ip         : 10.199.11.1 (global)
> > > > source intf       :
> > > >     rx            :
> > > >     tx            :
> > > >     both          :
> > > > source VLANs      :
> > > >     rx            : 10,50,100-150
> > > >
> > > >
> > > >  My question is, can snort show the ip adress dest and source from
> > > > decapsulated erspan like tshark and gulp?
> > >
> > >
> > > ------------------------------------------------------------------------------
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> > > Snort news!
------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!