Tcpdump filter for ERSPAN session ID value

tcpdump

I am using rcdcap to decapsulate ERSPAN on a Linux host. I would like to be able to split ERSPAN session IDs out to different logical capture interfaces. My current ERSPAN session IDs are 10 and 20. Can someone help me out with a tcpdump filter that would allow me to filter by either of those IDs? Understand this is something in the form of 'ip[xx:y] = hexvalue', but couldn't figure it out on my own.

Best Answer

I've recently was looking for the same info, and now I'm applying this filter to capture exact session ID:

tshark -i enp2s0f1 -b filesize:200000 -b files:5 -w f5_span.pcap -f 'ether[45] & 0x0f = 2'

This will get session ID 2. Also want to notice, that it's for ERSPAN type II packets. You can use Wireshark to determine byte number responsible for ERSPAN ID.

Remark:

Filter ether[45] & 0x0f will give you opportunity to match session ID's from 0 to 15. If you want to use ID's above 15 (max for ERSPAN Session ID is 1023), then you will need to modify it to look like this:

ether[44] & 0x03 = 3 && ether[45] & 0xff = 255 (in this example we're matching ID 1023)

In your case, for session ID 10:

ether[45] & 0xff = 10

for session ID 20:

ether[45] & 0xff = 20

Related Solutions

TCPDump – How to Filter by MAC Address

You have used the following as your packet filter: host aa:bb:cc:11:22:33

As it stands, this is looking for an IP or hostname but you are giving it a MAC address.

To use a MAC address, you need to include the ether packet filter primitive.

In your case, the following should work:

sudo tcpdump ether host aa:bb:cc:11:22:33

Or, if it needs you to specify the interface, then it would be something like:

sudo tcpdump -i eth0 ether host aa:bb:cc:11:22:33

TCPDUMP Output analysis

Basic information about how to interpret tcpdump output can be found in the tcpdump man page. Just do man tcpdump on your machine and read (and make some notes, there's a lot of stuff there). Next, you may find google and query tcpdump tutorial helpful, as again - a lot of information shown by tcpdump will be protocol-specific. Couple of good, introductory tutorials:

You may also find Wireshark, an GUI tool built on tcpdump fundamentals a good resource to use in daily work and as a base reference for protocol decoding.

Answering your specific question: why you're trying to monitor multicast on this specific node? If you want to monitor multicast in core of the network, you should SPAN/RSPAN your traffic to this host and then sniff it using favorite tool - be it tcpdump. If that's a switched network you're connected to, you'll see few if any multicast packets - your station doesn't have (by default) means to become active destination of all multicast traffic unless it registers to be it (and that requires additional work, besides running sniffer alone).

Best Answer

Related Solutions

TCPDump – How to Filter by MAC Address

TCPDUMP Output analysis

Related Topic