Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
637
Views
0
Helpful
0
Replies

ACI Tenant SPAN decoding

Nik Noltenius
Spotlight
Spotlight

‎02-05-2019 06:33 AM - edited ‎03-01-2019 05:46 AM

Hello everyone,

we have an issue with decoding Tenant SPAN in wireshark. The scenario is a ping from outside the fabric to a VM connected via a VMMdomain. 

The ICMP request is decoded fine:

request.jpg

 

But the reply is messed up. As I marked there are 8 bytes added after the Source-MAC of the Ethernet-Header. After those extra bytes we have the correct Ethertype for IPv4 (0x0800) and everything seems fine.

 

reply.jpg

 

So here is the question: Where do those extra bytes come from? Why are they only in one direction? Is the SPAN session setup not correct? Do we need to change decoding sessions in Wireshark?

Any input is much appreciated.

 

Thanks you

Nik

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents

Save 25% on Day-2 Operations Add-On License