[c-nsp] ERSPAN strangeness (C6k Sup720)
Phil Mayers
p.mayers at imperial.ac.uk
Wed Oct 19 11:40:05 EDT 2011
On 19/10/11 15:38, Peter Rathlev wrote:
> We use ERSPAN a lot, sourcing from our PEs (6500 Sup720) and sending it
> to a CentOS 5 server with a 10G NIC. We're using a derivative of Phil
> Mayers' Python scripts[0] which can be found here[1]. I don't think the
> session destination is relevant though, just plugging our version. :-)
Hehe.
Are you aware of "gulp"?
http://staff.washington.edu/corey/gulp/
...which (amongst other neat features) has a "-d" option to decapsulate
ERSPAN and output pcap, like so:
    gulp -i eth0 -d | tcpdump -n -r -
I should also mention that wireshark now "knows" about ERSPAN; you can
just point it at a machine and have wireshark extract the inner packets.
>
> Anybody seen anything like this before? Are there any "secret" show
> commands to tell me something about SPAN sessions?
I've seen all kinds of ERSPAN weirdness. There was a tedious bug a while
back where the "monitor .. capture" introduced in SXI would break ERSPAN
in funny ways - after using a capture session, the first ERSPAN session
would be fine but the 2nd and subsequent would all work for about a
second then malfunction. The manner of the malfunction was to send the
ERSPAN packets towards 0.0.0.0/0 regardless of the actual destination IP
and state of routing table.
In my experience, once the SPAN stuff has gone screwy, you need a reload
or a TAC engineer to poke at ASIC registers.
Not very helpful I'm afraid...
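
Added example, not part of the original post and not code from gulp or the scripts mentioned in the thread: a sketch in Python of the ERSPAN decapsulation step the message refers to, for ERSPAN Type II over IPv4/GRE. The function names, the constructed sample frame and the 192.0.2.x addresses are assumptions made for illustration; the header layout used is the commonly documented Type II format (GRE protocol type 0x88BE with a sequence number, followed by an 8-byte ERSPAN header).

```python
import struct

GRE_PROTO_ERSPAN = 0x88BE  # GRE protocol type carried by ERSPAN Type I/II

def decap_erspan2(frame: bytes):
    """Return (session_id, vlan, inner_frame) for an ERSPAN Type II frame, else None."""
    try:
        off = 12
        (ethertype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if ethertype == 0x8100:                      # outer 802.1Q tag
            (ethertype,) = struct.unpack_from("!H", frame, off + 2)
            off += 4
        if ethertype != 0x0800:                      # outer IPv4 only
            return None
        ver_ihl, proto = frame[off], frame[off + 9]
        (frag,) = struct.unpack_from("!H", frame, off + 6)
        if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5 or proto != 47 or frag & 0x3FFF:
            return None                              # not GRE, or an IP fragment
        off += (ver_ihl & 0x0F) * 4
        flags, gre_proto = struct.unpack_from("!HH", frame, off)
        off += 4
        if gre_proto != GRE_PROTO_ERSPAN or flags & 0x0007 or not flags & 0x1000:
            return None                              # Type II always sets the S bit
        for bit in (0x8000, 0x2000, 0x1000):         # checksum, key, sequence
            if flags & bit:
                off += 4
        ver_vlan, cos_sess = struct.unpack_from("!HH", frame, off)
        if ver_vlan >> 12 != 1 or len(frame) < off + 8:
            return None                              # ERSPAN version 1 == Type II
        return cos_sess & 0x03FF, ver_vlan & 0x0FFF, frame[off + 8:]
    except (struct.error, IndexError):
        return None                                  # truncated capture

def build_sample(inner: bytes, session_id=5, vlan=100) -> bytes:
    """Constructed test frame: Ethernet / IPv4 / GRE(seq) / ERSPAN II / inner."""
    eth = bytes(12) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + 8 + len(inner), 0, 0x4000,
                     64, 47, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN, 1)
    erspan = struct.pack("!HHI", (1 << 12) | vlan, session_id, 0)
    return eth + ip + gre + erspan + inner

if __name__ == "__main__":
    print(decap_erspan2(build_sample(bytes(range(60)))))
```

The session ID returned here is the one configured on the ERSPAN source session, which lets a collector receiving several sessions on one interface tell them apart.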