HI @udo.konstantin ,
@Robert Burns & @Sergiu.Daniluk have nailed it - the Source IP helps identify WHICH Leaf/Spine sent which packets, which is especially useful if you have an ERSPAN set up span traffic from more than one Leaf.
In the sample capture I've attached (sorry - you'll have to unzip it first because this stupid site won't allow uploads of .pcappng) you can see that the first packet has an outer source IP of 1.18.8.154 - this is because I specified the source IP range as 1.18.0.0/16 - which explains the 1.18 part. The 8.154 is bit trickier - it identifies that the packet was sourced from Node 2202.
2202 you ask? Let me leave you with this
(8 x 256) + 154 = 2202
I'll assume you know enough about IP addressing to join the dots!
Now - there are a few things you need to do with in Wireshark Analyse settings (Wireshark Analyse > Decode as) capture to get it looking like mine:
- UDP Port 48879 decode as VXLAN
- Ethertype 0x8988 decode as Cisco ttag
And finally, don't forget that the EASIEST way to do a packet capture in ACI is via the Operations > Visibility & Troubleshooting page - where you can send the packets to the APIC and simply download then later (which is how the above was captured)
Oh - and if your output doesn't look like mine - i.e. the ARP gleaning packets are not identified - it's time to upgrade your Wireshark.
Also check out: https://community.cisco.com/t5/application-centric/aci-span-configuration-detailed-explanation-needed/m-p/4562875/highlight/true#M11920
