[Zeek] ERSPAN / GRE - weird log

Ralph R. Rye ralph.rye at gmail.com
Mon Nov 4 07:04:03 PST 2019


Hoping to see if someone has gotten Zeek to work with ERSPAN span sessions.

I am doing ERSPAN from a Cisco Nexus switch to a VMware host.  I can see
the traffic at the host and do tcpdump captures without any problems.

When attempting to use Zeek (3.0 or 2.6.3) all I get is entries in the
weird log for the ERSPAN traffic.

I noticed someone previously posting that it may be a GRE type issue, and
that it appears someone modified a source file to get things to work.

Here is the frame/packet header info from the ERSPAN traffic from the Nexus
9k.

As you can see, it is type 0x88be.

[image: image.png]

I have used Zeek quite a bit in the past with regular SPAN sessions and
TAPs, but having the capability to use ERSPAN would be a great benefit, as it
allows pulling in traffic from many sections of the network without
having to worry about the physical device requirements of regular SPAN and
TAPs.

I utilize ERSPAN quite a bit with tshark/wireshark for being able to
capture just the traffic I care about in a datacenter.

-Ralph
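To make concrete what the capture in the post shows, here is an added example (not part of the original post, and not Zeek's or Cisco's code): a small Python decapsulator for GRE-carried ERSPAN, run on constructed packet bytes rather than a real capture. It uses the GRE protocol type 0x88be mentioned above, the ERSPAN Type II header layout (version, VLAN, COS, session ID, index), and the usual heuristic that a 0x88be payload with the GRE sequence bit set is Type II (with an 8-byte ERSPAN header before the inner Ethernet frame) while one without it is Type I (inner Ethernet frame directly after GRE); the sample MACs, addresses and session values are made up. The `naive_ip_version` field shows what a parser that expects an IP packet straight after the GRE header would see for each variant.

```python
import struct

# GRE protocol types used by ERSPAN. Type I and Type II both use 0x88BE
# (the value visible in the post's capture); Type III uses 0x22EB.
ERSPAN_TYPE_I_II = 0x88BE
ERSPAN_TYPE_III = 0x22EB
ETHERTYPE_IPV4 = 0x0800

# Constructed sample (not a real capture): everything after the outer IPv4 header.
# GRE with the S bit set, protocol 0x88BE, a sequence number, an 8-byte ERSPAN
# Type II header, then an inner Ethernet frame carrying a minimal IPv4/UDP datagram.
SAMPLE_ERSPAN_II = bytes.fromhex(
    "1000" "88be"                          # GRE: flags/version (S=1), protocol 0x88BE
    "00000001"                             # GRE sequence number
    "10640005" "00001234"                  # ERSPAN II: ver=1 vlan=100 cos=0 session=5 index=0x1234
    "001122334455" "66778899aabb" "0800"   # inner Ethernet: dst MAC, src MAC, EtherType IPv4
    "4500001c00010000" "4011" "0000"       # IPv4: v4 ihl5, len 28, ttl 64, proto UDP, csum 0
    "0a000001" "0a000002"                  # 10.0.0.1 -> 10.0.0.2
    "00350035" "0008" "0000"               # UDP: sport 53, dport 53, len 8, csum 0
)
# ERSPAN Type I: same protocol type but no sequence number and no ERSPAN header.
SAMPLE_ERSPAN_I = bytes.fromhex("0000" "88be") + SAMPLE_ERSPAN_II[16:]
# Plain GRE-over-IP for comparison: the IPv4 packet follows the GRE header directly.
SAMPLE_GRE_IP = bytes.fromhex("0000" "0800") + SAMPLE_ERSPAN_II[30:]


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip(b):
    return ".".join(str(x) for x in b)


def parse_gre(buf):
    """Parse the GRE header (RFC 2784/2890); return (fields, offset of the payload)."""
    flags, proto = struct.unpack_from("!HH", buf, 0)
    off = 4
    gre = {"proto": proto, "version": flags & 0x7, "key": None, "seq": None}
    if flags & 0x8000:                         # C bit: checksum + reserved word
        off += 4
    if flags & 0x2000:                         # K bit: key
        gre["key"] = struct.unpack_from("!I", buf, off)[0]
        off += 4
    if flags & 0x1000:                         # S bit: sequence number
        gre["seq"] = struct.unpack_from("!I", buf, off)[0]
        off += 4
    return gre, off


def parse_erspan_ii(buf, off):
    """ERSPAN Type II header: ver(4) vlan(12) cos(3) en(2) t(1) session(10) | resv(12) index(20)."""
    w1, w2 = struct.unpack_from("!II", buf, off)
    return {
        "version": w1 >> 28,
        "vlan": (w1 >> 16) & 0xFFF,
        "cos": (w1 >> 13) & 0x7,
        "session_id": w1 & 0x3FF,
        "index": w2 & 0xFFFFF,
    }, off + 8


def parse_ethernet(buf, off):
    dst, src, etype = struct.unpack_from("!6s6sH", buf, off)
    return {"dst": _mac(dst), "src": _mac(src), "ethertype": etype}, off + 14


def parse_ipv4(buf, off):
    vihl = buf[off]
    return {"version": vihl >> 4, "proto": buf[off + 9],
            "src": _ip(buf[off + 12:off + 16]), "dst": _ip(buf[off + 16:off + 20])}


def decapsulate(buf):
    """Walk GRE -> (ERSPAN header) -> Ethernet -> IPv4 and report what was found."""
    gre, off = parse_gre(buf)
    # What a parser that assumes IP right after GRE would read as the IP version.
    out = {"gre": gre, "naive_ip_version": buf[off] >> 4}
    if gre["proto"] == ERSPAN_TYPE_I_II:
        if gre["seq"] is not None:             # Type II carries the ERSPAN header, Type I does not
            out["erspan_type"] = "II"
            out["erspan"], off = parse_erspan_ii(buf, off)
        else:
            out["erspan_type"] = "I"
        out["ethernet"], off = parse_ethernet(buf, off)
        if out["ethernet"]["ethertype"] == ETHERTYPE_IPV4:
            out["inner_ip"] = parse_ipv4(buf, off)
    elif gre["proto"] == ETHERTYPE_IPV4:
        out["inner_ip"] = parse_ipv4(buf, off)  # plain GRE: IP immediately follows
    else:
        out["unhandled_proto"] = gre["proto"]
    return out


if __name__ == "__main__":
    for name, pkt in (("ERSPAN II", SAMPLE_ERSPAN_II), ("ERSPAN I", SAMPLE_ERSPAN_I), ("GRE/IP", SAMPLE_GRE_IP)):
        print(name, decapsulate(pkt))
```

Running it on the three constructed samples shows the practical difference: for the 0x88be packets the bytes after the GRE header are an ERSPAN header (Type II) or an Ethernet frame (Type I), so a GRE parser that expects IP there reads a nonsense "IP version" (1 or 0), whereas the plain GRE/IP sample yields 4. Whether that is the cause of the weird-log entries in the post is not something this example can settle; it only shows what a decoder for this encapsulation has to handle.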