[Zeek] ERSPAN / GRE - weird log
Stuart H
stu.h at live.com
Tue Nov 5 10:44:08 PST 2019
I added support for ERSPAN type II and III and have it working fine using VMware ERSPAN.
You're definitely using Zeek 3.0+, right?
From: <zeek-bounces at zeek.org> on behalf of "Ralph R. Rye" <ralph.rye at gmail.com>
Date: Monday, 4 November 2019 at 15:08
To: "zeek at zeek.org" <zeek at zeek.org>
Subject: [Zeek] ERSPAN / GRE - weird log
Hoping to see if someone has gotten Zeek to work with ERSPAN span sessions.
I am doing ERSPAN from a Cisco Nexus switch to a VMware host. I can see the traffic at the host and do tcpdump captures without any problems.
When attempting to use Zeek (3.0 or 2.6.3) all I get is entries in the weird log for the ERSPAN traffic.
I noticed someone previously posting that it may be a GRE type issue, and that it appears someone modified a source file to get things to work.
Here is the frame/packet header info from the ERSPAN traffic from the Nexus 9k.
As you can see, it is type 0x88be.
[inline image: image001.png, frame/packet header capture of the ERSPAN traffic]
I have used Zeek quite a bit in the past with regular SPAN sessions and TAPs, but having the capability to use ERSPAN would be a great benefit, as it would allow pulling in traffic from many sections of the network without having to worry about the physical device requirements of regular SPAN and TAPs.
I utilize ERSPAN quite a bit with tshark/wireshark for being able to capture just the traffic I care about in a datacenter.
-Ralph
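The thread turns on one detail: the capture shows GRE carrying protocol type 0x88be, which is ERSPAN, and a sniffer that does not recognize that protocol type has nothing to do with the packet except log it as a weird. The decoder below is an added example, not code from this thread or from Zeek; it walks the GRE header (checksum/key/sequence flags), then distinguishes ERSPAN type I/II (0x88be; the "sequence present" GRE flag separates type I from type II, the heuristic packet dissectors use) from type III (0x22eb), and hands back the mirrored Ethernet frame. Header layouts follow the Cisco ERSPAN specification; the three sample packets are constructed inline, not captured from the poster's Nexus 9k, and the hypothetical `decode_erspan`/`inner_ethertype` names are this example's own.

```python
import struct

# GRE protocol-type values used by ERSPAN encapsulation (Cisco ERSPAN spec;
# 0x88be is the value visible in the poster's capture)
PROTO_ERSPAN_I_II = 0x88BE   # ERSPAN type I and type II share this value
PROTO_ERSPAN_III = 0x22EB    # ERSPAN type III

GRE_FLAG_C = 0x8000  # checksum present
GRE_FLAG_K = 0x2000  # key present
GRE_FLAG_S = 0x1000  # sequence number present


def parse_gre(data: bytes) -> dict:
    """Parse an RFC 2784/2890 GRE header; return its fields plus the inner payload."""
    if len(data) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", data[:4])
    gre = {"proto": proto, "version": flags & 0x7, "key": None, "seq": None}
    off = 4
    if flags & GRE_FLAG_C:
        off += 4  # 16-bit checksum + 16-bit reserved1
    if flags & GRE_FLAG_K:
        gre["key"] = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_S:
        gre["seq"] = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    if off > len(data):
        raise ValueError("truncated GRE optional fields")
    gre["inner"] = data[off:]
    return gre


def decode_erspan(data: bytes) -> dict:
    """Classify a GRE payload the way a sniffer must before it can reach the
    mirrored Ethernet frame. Returns the ERSPAN type, session metadata and the
    inner frame, or type "unknown" for a GRE protocol type we do not handle
    (the case that ends up in Zeek's weird.log when ERSPAN is unsupported)."""
    gre = parse_gre(data)
    proto, inner = gre["proto"], gre["inner"]
    if proto == PROTO_ERSPAN_III:
        if len(inner) < 12:
            raise ValueError("truncated ERSPAN III header")
        w0, timestamp, w2 = struct.unpack("!III", inner[:12])
        # w2 bit 0 is the O flag: an 8-byte platform-specific sub-header follows
        hdr_len = 12 + (8 if w2 & 0x1 else 0)
        return {"type": "III", "version": w0 >> 28, "vlan": (w0 >> 16) & 0xFFF,
                "session_id": w0 & 0x3FF, "timestamp": timestamp,
                "ethernet": inner[hdr_len:]}
    if proto == PROTO_ERSPAN_I_II:
        if gre["seq"] is None:
            # Type I: no GRE sequence number and no ERSPAN header; the
            # mirrored Ethernet frame follows the 4-byte GRE header directly
            return {"type": "I", "ethernet": inner}
        if len(inner) < 8:
            raise ValueError("truncated ERSPAN II header")
        w0, w1 = struct.unpack("!II", inner[:8])
        return {"type": "II", "version": w0 >> 28, "vlan": (w0 >> 16) & 0xFFF,
                "session_id": w0 & 0x3FF, "index": w1 & 0xFFFFF,
                "ethernet": inner[8:]}
    return {"type": "unknown", "proto": proto, "ethernet": b""}


def inner_ethertype(eth: bytes) -> int:
    """EtherType of the de-encapsulated frame (what the analyzer actually wants)."""
    if len(eth) < 14:
        raise ValueError("truncated Ethernet header")
    return struct.unpack("!H", eth[12:14])[0]


# --- constructed sample packets (not captured from the poster's switch) ---
ETH = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
       + b"\x08\x00" + b"\x45" + b"\x00" * 19)                       # Ethernet + stub IPv4
SAMPLE_ERSPAN_II = (struct.pack("!HHI", GRE_FLAG_S, PROTO_ERSPAN_I_II, 1)   # GRE, seq=1
                    + struct.pack("!II", 0x1 << 28 | 100 << 16 | 5, 0)      # ver 1, VLAN 100, session 5
                    + ETH)
SAMPLE_ERSPAN_III = (struct.pack("!HHI", GRE_FLAG_S, PROTO_ERSPAN_III, 2)   # GRE, seq=2
                     + struct.pack("!III", 0x2 << 28 | 200 << 16 | 7, 0x12345678, 0)  # ver 2, VLAN 200, session 7
                     + ETH)
SAMPLE_GRE_IP = struct.pack("!HH", 0, 0x0800) + b"\x45" + b"\x00" * 19     # plain GRE carrying IPv4


if __name__ == "__main__":
    for name, pkt in [("ERSPAN II", SAMPLE_ERSPAN_II),
                      ("ERSPAN III", SAMPLE_ERSPAN_III),
                      ("GRE/IP", SAMPLE_GRE_IP)]:
        r = decode_erspan(pkt)
        print(name, {k: v for k, v in r.items() if k != "ethernet"})
```

Running it prints the ERSPAN type, VLAN and session ID for the two ERSPAN samples and `unknown` with `proto: 2048` for the plain GRE-over-IP packet; that last branch is the decision point a packet engine has to get right, since anything it cannot classify never reaches the Ethernet, IP and TCP analyzers behind it.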