the-tcpdump-group / tcpdump

the TCPdump network dissector
https://www.tcpdump.org/

ERSPAN daemon #591

Closed leonmccalla closed 2 years ago

leonmccalla commented 7 years ago

This feature would allow tcpdump to encapsulate all received packets for IP/GRE transport to a Wireshark machine.

guyharris commented 7 years ago

As per this ERSPAN documentation (http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/system_management/configuration/guide/sm_nx_os_cg/sm_erspan.html) and the ERSPAN I-D (https://tools.ietf.org/html/draft-foschiano-erspan-01), it's basically Yet Another Way To Send Captured Packets Over The Wire. It uses GRE rather than, say, RPCAP over TCP or UDP.

So it sounds as if you want a way to do remote capturing, using ERSPAN, from something other than a Cisco switch. That's not necessarily best done with tcpdump; it could just as easily be done with an ERSPAN daemon. And how is ERSPAN better than any other IP-based transport here?
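To make concrete what "captured packets over GRE" means here, the following is an added example (not code from tcpdump, Wireshark or anyone in this thread) that builds and parses the ERSPAN Type II framing as laid out in draft-foschiano-erspan: a GRE header carrying protocol type 0x88BE with the sequence bit set, then the 8-byte ERSPAN header, then the mirrored Ethernet frame. The function names, the constructed sample frame and the chosen session/VLAN/index values are assumptions for illustration; the outer IP header that a real sender would add is left out.

```python
"""ERSPAN Type II encapsulation/decapsulation over GRE (added example, not tcpdump code).

Header layout assumed from draft-foschiano-erspan (ERSPAN Type II): a GRE header
(RFC 2784/2890) with protocol type 0x88BE and the S (sequence) bit set, followed
by an 8-byte ERSPAN header, followed by the captured Ethernet frame. Only the
GRE/ERSPAN layer is built; the outer IP header is left to a raw socket or tunnel.
"""
import struct

GRE_PROTO_ERSPAN_II = 0x88BE   # EtherType used as the GRE protocol type for ERSPAN II
GRE_FLAG_CSUM = 0x8000         # C bit: 2-byte checksum + 2 reserved bytes follow
GRE_FLAG_KEY = 0x2000          # K bit: 4-byte key follows
GRE_FLAG_SEQ = 0x1000          # S bit: 4-byte sequence number follows (required here)
ERSPAN_VERSION_II = 1          # value of the 4-bit "Ver" field for Type II


def erspan2_encap(frame, session_id, seq, vlan=0, cos=0, encap_type=0,
                  truncated=False, index=0):
    """Wrap one captured Ethernet frame in a GRE + ERSPAN Type II header."""
    if not 0 <= session_id <= 0x3FF:
        raise ValueError("session_id is a 10-bit field")
    if not 0 <= vlan <= 0xFFF:
        raise ValueError("vlan is a 12-bit field")
    if not 0 <= cos <= 7:
        raise ValueError("cos is a 3-bit field")
    if not 0 <= encap_type <= 3:
        raise ValueError("en is a 2-bit field")
    if not 0 <= index <= 0xFFFFF:
        raise ValueError("index is a 20-bit field")
    # GRE: flags/version (only S set, version 0), protocol type, sequence number.
    gre = struct.pack("!HHI", GRE_FLAG_SEQ, GRE_PROTO_ERSPAN_II, seq & 0xFFFFFFFF)
    # ERSPAN word 1: Ver(4) | VLAN(12) | COS(3) | En(2) | T(1) | Session ID(10)
    word1 = ((ERSPAN_VERSION_II << 28) | (vlan << 16) | (cos << 13)
             | (encap_type << 11) | (int(truncated) << 10) | session_id)
    # ERSPAN word 2: Reserved(12) | Index(20)
    word2 = index
    return gre + struct.pack("!II", word1, word2) + bytes(frame)


def erspan2_decap(payload):
    """Parse a GRE + ERSPAN Type II payload into its fields and the inner frame.

    Raises ValueError on anything that is not well-formed ERSPAN II, so a
    receiver never hands a mis-framed blob to a pcap writer.
    """
    if len(payload) < 4:
        raise ValueError("short GRE header")
    flags, proto = struct.unpack_from("!HH", payload, 0)
    if proto != GRE_PROTO_ERSPAN_II:
        raise ValueError("GRE protocol type 0x%04x is not ERSPAN Type II" % proto)
    if flags & 0x0007:  # low 3 bits are the GRE version, must be 0
        raise ValueError("unsupported GRE version")
    off = 4
    if flags & GRE_FLAG_CSUM:   # optional fields appear in C, K, S order
        off += 4
    if flags & GRE_FLAG_KEY:
        off += 4
    if not flags & GRE_FLAG_SEQ:
        raise ValueError("ERSPAN Type II requires the GRE sequence number")
    if len(payload) < off + 4:
        raise ValueError("short GRE sequence number")
    seq = struct.unpack_from("!I", payload, off)[0]
    off += 4
    if len(payload) < off + 8:
        raise ValueError("short ERSPAN header")
    word1, word2 = struct.unpack_from("!II", payload, off)
    off += 8
    version = word1 >> 28
    if version != ERSPAN_VERSION_II:
        raise ValueError("ERSPAN version %d is not Type II" % version)
    return {
        "seq": seq,
        "vlan": (word1 >> 16) & 0xFFF,
        "cos": (word1 >> 13) & 0x7,
        "en": (word1 >> 11) & 0x3,
        "truncated": bool((word1 >> 10) & 0x1),
        "session_id": word1 & 0x3FF,
        "index": word2 & 0xFFFFF,
        "frame": payload[off:],
    }


# Constructed sample (not a real capture): a minimal Ethernet II frame with
# dst, src, EtherType 0x0800 and four payload bytes.
SAMPLE_FRAME = bytes.fromhex("0011223344550066778899aa0800") + b"\xde\xad\xbe\xef"


def roundtrip_demo():
    """Encapsulate the constructed sample and parse it back; returns the parsed dict."""
    wire = erspan2_encap(SAMPLE_FRAME, session_id=5, seq=1, vlan=100, cos=3, index=7)
    return erspan2_decap(wire)


if __name__ == "__main__":
    result = roundtrip_demo()
    print({k: v for k, v in result.items() if k != "frame"}, result["frame"].hex())
```

The point for the thread: ERSPAN adds 16 bytes of GRE/ERSPAN header in front of each mirrored frame and nothing else, so it gives the receiver a session ID and sequence numbers but no confidentiality or integrity for the mirrored traffic, which an SSH-based transport such as sshdump does provide. Wireshark already dissects GRE protocol type 0x88BE as ERSPAN, so a receiver that strips the outer IP header and writes these frames is enough for analysis.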

leonmccalla commented 7 years ago

You're right. I'm not concerned about the encapsulation format, but remote sniffing is what I need. I want to capture promiscuously from within a virtual machine and stream the data out to my Windows desktop Wireshark, and I am unaware of any tools that easily do this.

Right now I have a port on the back of my ESXi 5.0 server dedicated to sniffing, but this port does not truly get every packet. The internal VMware switch on ESXi 5.0 works for inter-machine communication to an extent, but some functions fail horribly and I'm trying to get more details.

Right now the only way I know how to sniff remotely involves installing a dedicated Windows VM and rpcapd.exe. If you know of a better way, please point me to the URL.

Leon


alagoutte commented 7 years ago

Hi,

Have you looked at the extcap "tools" from Wireshark?

guyharris commented 7 years ago

Have you looked at the extcap "tools" from Wireshark?

There isn't an ERSPAN extcap tool - and it sounds as if what he needs is an ERSPAN server to run on the virtual machine on which he wants to capture packets, as well as needing a client.

If he wanted to use RPCAP rather than ERSPAN, then:

alagoutte commented 7 years ago

There are some tools like sshdump or udpdump... (using extcap)

They can help!

gabdu commented 6 years ago

@leonmccalla

Did you ever get around to solving this issue? My needs are exactly identical to what you described: packet sniffing on VMs (on AWS VPC) and sending the packets to a remote Linux machine for offline analysis.

Everyone seems to need rpcapd but unfortunately it appears to be ill-maintained!

leonmccalla commented 6 years ago

No, but it sounds like sshdump is needed in one of the VMs to do the sniffing for us. I work on routers and switches all day. Linux is foreign to me and virtualization is even further away. I would not know what to do.

Leon


infrastation commented 2 years ago

From the discussion I gather that the problem can be solved using existing non-ERSPAN means, especially with the development done in rpcapd in recent years. Even if that is not the case, bringing ERSPAN into the scope of this project would be a mistake. If anybody wishes to note anything that still needs to be done before considering this issue resolved, please do that within 7 days.

infrastation commented 2 years ago

It is time.