- Bronze, 100 points or more
Work has begun on the dissection of the new 'header-type 3' ERSPAN Type-III header. The current release version of Wireshark does not decode this format at all. We currently have the copy of Wireshark in SVN decoding the new header and identifying the timestamp field which should prove very handy.
In adapting the existing ERSPAN dissector to recognize the new header, I noticed that not only are there several new fields in the new header that I cannot identify, but there are also several fields that were never identified in the old header. Does anyone know if this is documented anywhere? It would be very useful to get these headers defined in Wireshark. It also would be useful to understand the differences in headers produced by different equipment. For example, the headers produced by a Nexus 1000v switch configured with 'header-type 2' seems to differ from that produced by a 6500. (There is a bit that indicates the direction of traffic which seems to move to a different location on the 1000v.)
If anyone could help to identify some of the other unknown fields in these headers or if Cisco would be willing to provide some documentation, it would be greatly appreciated.
I make frequent use of ERSPAN for quick troubleshooting because I can send a capture from any point in the network to my workstation and set a 'ip proto 0x2f' capture filter to isolate the capture from my workstation's traffic. The timestamp in the new header is exciting because it gives a point of reference between packets which greatly increases the reliability of capturing this way. Specifically when a packet is observed to be out of order or delayed there was no way of telling if this was observed in the actual capture or if the delay or change in order occurred after the ERSPAN encapsulation. If you would like to experiment with decoding the new Type-III headers, you can check out revision 34221 or newer of Wireshark from SVN and check it out.