
ERSPAN - no packets captured by sniffer

techmail4sam
Level 1

Hi,

I want to inspect packets on virtual ethernet of VM.

port_group is a port group on the Cisco 1000v switch.

Veth2 is the virtual ethernet on virtual machine "esx - w2k3 ent sp2"

Module 3 is an ESX where my VM is running.

port-profile usage is as follows.

port_group        Veth2                      esx - w2k3 ent sp2                          
                         Veth5       vmk0       Module 3

"show monitor session 1" gives following result.
   session 1
---------------
description       : veth1_monitor
type              : erspan-source
state             : up
source intf       :
    rx            : Veth2
    tx            : Veth2
    both         : Veth2
source VLANs      :
    rx            :
    tx            :
    both         :
filter VLANs      : filter not specified
destination IP    : 192.168.4.221 (sniffer runs on this IP)
ERSPAN ID         : 999
ERSPAN TTL        : 64
ERSPAN IP Prec.   : 0
ERSPAN DSCP       : 0
ERSPAN MTU        : 1000

But no packets are captured on sniffer.

Thanks,

D V


vjbackman
Level 1

Did you set up an erspan port-profile with l3control for the VLAN you want to capture from? Once this is set up you also need to have a vmkernel port with a valid IP address assigned to the port group. Then you can set up the monitoring session.

Thanks,

I checked the things you suggested and finally the sniffer captured GRE protocol packets.

I want to inspect the payload packet in that. Can you suggest how I can analyze these GRE packets to analyze network traffic?

Is there any GRE protocol analyzer available from Cisco?

Thanks,

D V

Hi,

You can try the Wireshark application from http://www.wireshark.org/. Their latest version is capable of decoding ERSPAN/GRE packets.

Thanks,

Deniz
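What a dissector does with these GRE packets, as an added example that is not part of the original thread and is not Wireshark or Cisco code: it strips the outer Ethernet/IPv4/GRE headers and the 8-byte ERSPAN Type II header (GRE protocol type 0x88BE) to recover the mirrored frame. The sample frame is constructed; only the destination 192.168.4.221 and ERSPAN ID 999 come from the thread, every other address and the VLAN value are assumptions.

```python
import socket
import struct

GRE_PROTO_ERSPAN = 0x88BE  # GRE protocol type for ERSPAN Type I/II

def decap_erspan(frame: bytes) -> dict:
    """Peel outer Ethernet/IPv4/GRE/ERSPAN Type II off one captured frame."""
    if len(frame) < 14 + 20 + 4 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an untagged IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or frame[14 + 9] != 47:
        raise ValueError("not IPv4 carrying GRE (protocol 47)")
    gre = 14 + ihl
    if len(frame) < gre + 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", frame, gre)
    if proto != GRE_PROTO_ERSPAN:
        raise ValueError("GRE payload is not ERSPAN")
    off = gre + 4
    off += 4 if flags & 0x8000 else 0   # optional checksum + reserved
    off += 4 if flags & 0x2000 else 0   # optional key
    if not flags & 0x1000:              # no sequence number means Type I
        raise ValueError("ERSPAN Type I is not handled in this example")
    if len(frame) < off + 12:
        raise ValueError("truncated ERSPAN header")
    seq, w0, _w1 = struct.unpack_from("!III", frame, off)
    return {
        "dst_ip": socket.inet_ntoa(frame[14 + 16:14 + 20]),
        "sequence": seq,
        "version": w0 >> 28,             # 1 means Type II
        "vlan": (w0 >> 16) & 0x0FFF,     # VLAN of the mirrored frame
        "truncated": bool(w0 & 0x0400),  # T bit: frame was cut to the ERSPAN MTU
        "session_id": w0 & 0x03FF,       # 10-bit ERSPAN ID
        "inner_frame": frame[off + 12:], # the mirrored Ethernet frame
    }

def build_sample() -> bytes:
    """Constructed test frame: all addresses except 192.168.4.221 are made up."""
    inner = bytes.fromhex("ffffffffffff" "005056000002" "0806") + b"\x00" * 28
    erspan = struct.pack("!II", (1 << 28) | (10 << 16) | 999, 0)
    gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN, 7)
    payload = gre + erspan + inner
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 47, 0,
                     socket.inet_aton("192.168.4.10"), socket.inet_aton("192.168.4.221"))
    eth = bytes.fromhex("005056000001" "005056000003" "0800")
    return eth + ip + payload

if __name__ == "__main__":
    info = decap_erspan(build_sample())
    print(info["session_id"], info["vlan"], info["inner_frame"][12:14].hex())
```

The `truncated` flag is worth checking against the session's ERSPAN MTU (1000 in the output above): mirrored frames larger than that arrive cut short, so payload analysis of the inner frame may be incomplete.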

jiangcaixia
Level 1

Hi DV,

I had the same problem as you before. I want to know whether the destination IP 192.168.4.221 is a real physical interface or a virtual interface on ESX.

I have configured l3control on the port profile and have a vmknic IP on that port profile. But I still can't get any packets.

Can you help me?

Thanks,

Caixia

Hi,

Could anyone post some more detailed steps on how to do this?

I have the following scenario:

1. There are two physical switches (n5k) connected via port channels to each other.

2. The physical switches are also connected to n1000v switches shared among 5 ESX servers (cluster).

3. The physical device I want to capture from is connected to one of the n5k switches, via a trunk port. It has 5 subinterfaces (VLANs) with IP addresses.

4. The traffic on all sub-interfaces should be sniffed by a virtual machine (win+wireshark) located on the ESX cluster, behind the n1000v switch.

Say, I have the VLANs 101-105.

What should be configured on the physical switches?

What should be configured on the n1000v switches?

What should be done on the vCenter? (especially the trick with the vmkernel interface: how to map a vmkernel interface to a virtual machine??)

Sorry for the long post, but I need a solution and didn't find anything yet...

Thanx,

gyorgy.banki-horvath

Gyorgy,

If my understanding is correct:

- The "device" you want to sniff is not a VM, but rather a physical box.

- The sniffer capture (wireshark) is a Virtual Machine running on one of your ESX hosts.

Are you trying to sniff all traffic in a VLAN or just all traffic with the destination of your SVI (Switch Virtual Interface)?

What should be configured on the physical switches?

- Since your ESX hosts are connected to each N5K, you'll need to do an ERSPAN on the N5K. We don't know which N5K the VM's traffic will be pinned to so we'll need to do a Layer 3 SPAN (aka ERSPAN).

What should be configured on the n1000v switches?

- Nothing needs to be "configured" on the N1K. Your sniffer VM just needs an address that is routable and can be reached by your N5Ks.

What should be done on the vCenter? (especially the trick with the vmkernel interface: how to map a vmkernel interface to a virtual machine??)

- Nothing. As the sniffer VM is just the "destination" there's nothing else needed to be configured. You only need the VMKernel interface if you're doing an ERSPAN "from" a VM or Host.

I'd like to get a clear understanding of exactly "what" traffic you're trying to capture.  Then I can recommend the best way to attack this.


Regards,

Robert

Hello Robert,

Thank you for the rapid answer. Since yesterday afternoon my colleague had solved it, we now can capture traffic from the physical device in all VLANs. We put a vmkernel interface with a valid IP address in a specific VLAN. In the same VLAN we created a port-profile, and the virtual machine has a network adapter in this port-profile. The virtual machine has an IP address in the same subnet as the vmkernel interface. We configured a monitor session erspan-source with a destination IP of the VM.

This is quite different from your solution but works! :-) I suspect there are more ways to do this...

Regards,

Gyorgy