Wireshark mailing list archives

Re: Wireshark ProCurve ERSPAN Support


From: Bill Meier <wmeier () newsguy com>
Date: Wed, 13 Jan 2010 11:37:43 -0500

Tim Durack wrote:
Before investing too much time and energy in customizing wireshark
(something that might be beyond me anyway), I thought it wise to post
my situation:

I have a number of HP ProCurve (5400zl) switches with remote packet
capture capabilities. It works much like Cisco ERSPAN, but is
different of course.
I would love to be able to decode these captures directly in
Wireshark, but that functionality is not currently available.

The remote capture is encapsulated in a standard UDP packet, in an
undocumented format. Google-fu has failed to lead me towards anybody
else investigating this. I can hack bash and perl scripts, but that is
the limit of my coding these days. Any suggestions on how to start
getting this supported in Wireshark?

Thanks for your time,

Let me see if I understand your request:

1. By "remote packet capture" I expect you mean the use of the "remote 
traffic mirroring" capability as described in the ProCurve "Management 
and Configuration Guide". Is this correct?

2. It sounds like you want to capture/decode the ProCurve remote traffic 
mirroring frames being sent on the network as opposed to using Wireshark 
to capture the mirrored traffic on the "exit port" of a "remote switch".

A question: (I'm kinda new to this stuff). What is gained by capturing 
the encapsulated traffic as opposed to just capturing the traffic on the
"exit port"?

In any case, a starting point would be to post a small capture 
containing the encapsulated remote capture packets.

I suggest opening an enhancement request on bugs.wireshark.org and 
attaching the capture file to the request.


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
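As an added illustration of the kind of prototype that usually follows the capture posted to the enhancement request (this is not code from the thread, from the Wireshark project, or from HP): a Wireshark Lua dissector that claims one UDP port, shows a small fixed-size encapsulation header, and hands the remainder of the payload to Wireshark's own Ethernet dissector so the mirrored frame decodes exactly as it would on the exit port. The UDP port number, the header length and the three header fields are placeholders invented for the example, since the thread states the real format is undocumented; they have to be replaced with whatever the capture actually shows.

```lua
-- Prototype Wireshark Lua dissector for a UDP-encapsulated mirrored frame.
-- Everything about the encapsulation below is an ASSUMPTION made for this
-- example, not the real ProCurve format:
--   * mirroring traffic arrives on UDP port 7932 (placeholder)
--   * the payload begins with a 12-byte header laid out as three 32-bit
--     big-endian words (version/flags, sequence number, session id)
--   * the rest of the payload is the mirrored Ethernet frame without FCS
-- Adjust UDP_PORT, HDR_LEN and the ProtoFields once a real capture is in hand.

local UDP_PORT = 7932      -- placeholder, not a documented port
local HDR_LEN  = 12        -- placeholder header size

local proto = Proto("procurve_mirror_x", "ProCurve Remote Mirror (prototype)")

-- Hypothetical header fields; names are for the example only.
local f_version = ProtoField.uint32("procurve_mirror_x.version", "Version/Flags", base.HEX)
local f_seq     = ProtoField.uint32("procurve_mirror_x.seq",     "Sequence",      base.DEC)
local f_session = ProtoField.uint32("procurve_mirror_x.session", "Session ID",    base.DEC)
proto.fields = { f_version, f_seq, f_session }

-- Wireshark's built-in Ethernet dissector for frames that carry no FCS.
local eth_dissector = Dissector.get("eth_withoutfcs")

function proto.dissector(tvb, pinfo, tree)
    -- Reject anything too short to hold the assumed header; returning 0
    -- tells Wireshark this dissector did not claim the packet.
    if tvb:len() < HDR_LEN then
        return 0
    end

    pinfo.cols.protocol = "PCMIRROR"

    local subtree = tree:add(proto, tvb(0, HDR_LEN))
    subtree:add(f_version, tvb(0, 4))
    subtree:add(f_seq,     tvb(4, 4))
    subtree:add(f_session, tvb(8, 4))

    -- Hand the encapsulated frame to the Ethernet dissector so the inner
    -- IP/TCP/etc. layers are decoded as if captured on the exit port.
    eth_dissector:call(tvb(HDR_LEN):tvb(), pinfo, tree)

    return tvb:len()
end

-- Register on the assumed UDP port. If the real port is unknown, leave this
-- out and use "Decode As..." on the UDP stream in the Wireshark GUI instead.
DissectorTable.get("udp.port"):add(UDP_PORT, proto)
```

Load it for a single run with `wireshark -X lua_script:procurve_mirror.lua` (or `tshark -X lua_script:...`), or drop the file in the personal plugins directory so it loads every time. Until the header layout is confirmed from a real capture, the only part worth trusting is the hand-off to `eth_withoutfcs`; if the mirrored frames do carry an FCS, use `Dissector.get("eth_withfcs")` instead.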

