[c-nsp] ERSPAN strangeness (C6k Sup720)
Peter Rathlev
peter at rathlev.dk
Wed Oct 19 17:44:10 EDT 2011
On Wed, 2011-10-19 at 16:40 +0100, Phil Mayers wrote:
> Are you aware of "gulp"?
>
> http://staff.washington.edu/corey/gulp/
>
> ...which (amongst other neat features) has a "-d" option to decapsulate
> ERSPAN and output pcap, like so:
>
> gulp -i eth0 -d | tcpdump -n -r -
I wasn't actually, it does look nice. It actually just strips the first
50 bytes from GRE packets, but that fits the purpose here. The buffering
takes some getting used to visually, but I guess that's the point of
gulp. :-)
> I should also mention that wireshark now "knows" about ERSPAN; you can
> just point it at a machine and have wireshark extract the inner packets.
Wireshark and I never became friends for some reason. I've used it on
some occasions where the time-limit feature was useful.
> In my experience, once the SPAN stuff has gone screwy, you need a reload
> or a TAC engineer to poke at ASIC registers.
Yeah, and the time invested in that (via shared support) is probably not
worth it. We of course built all PoPs so any one P/PE can be reloaded
without user impact, with proper preparations of course, so I think
that's what we'll do.
Hopefully it's not a symptom of some other problem with the device...
--
Peter
More information about the cisco-nsp
mailing list