[Snort-users] ERSPAN

Fernando Cardoso fcardoso at ...14432...
Wed Apr 2 10:28:49 EDT 2014


You're right man.

Look:
http://cciedatacentre.blogspot.com.br/2013/01/faq-port-mirroring-span-on-nexus-2000.html?showComment=1396442241302#c2961264369530329984


Many thanks to all



2014-04-01 17:25 GMT-03:00 Mike Hale <eyeronic.design at ...11827...>:

> There's your problem.  Cisco uses an additional datacenter Ethernet tag (I
> think that's the correct term) that is also present in span traffic.  I
> haven't found a way to get those packets properly decoded yet,
> unfortunately.
>
> The only workaround is to span physical interfaces that don't carry vpc
> traffic.  Spanning vlans doesn't work properly.
> On Apr 1, 2014 12:15 PM, "Fernando Cardoso" <fcardoso at ...14432...> wrote:
>
>> Hey Mike,
>>
>> Yes, our switches are configured with VPC.
>>
>>
>> 2014-04-01 11:54 GMT-03:00 Mike Hale <eyeronic.design at ...11827...>:
>>
>>> Are your Nexus switches configured with vpc?
>>> On Apr 1, 2014 7:51 AM, "Fernando Cardoso" <fcardoso at ...14432...> wrote:
>>>
>>>> Thanks Carter,
>>>>
>>>> So I need to solve the malformed packets first; do you have any idea about
>>>> this issue? My span configuration seems OK and so does my OS. I'll look
>>>> for any misconfiguration between the switch and the OS (virtual machine).
>>>>
>>>>
>>>> Fernando C>
>>>>
>>>>
>>>> 2014-04-01 10:13 GMT-03:00 Carter Waxman (cwaxman) <cwaxman at ...589...>:
>>>>
>>>>>  Hello,
>>>>>
>>>>>  It appears most of the packets in "notdecoded.pcap" are malformed
>>>>> (in particular, the IP->GRE->IP data), and the output you are seeing is
>>>>> from GRE-encapsulated non-IP data (at least this is how Wireshark and Snort
>>>>> interpret it). The packets that are malformed are simply being dropped by
>>>>> Snort.
>>>>>
>>>>>  I can't speak for your network, but somehow the length fields in the
>>>>> outer IP headers are smaller than they should be (ex. 87 — the length without
>>>>> the GRE and inner Ethernet headers — instead of 115 for the first packet),
>>>>> which is why these packets are being rejected.
>>>>>
>>>>>  -Carter
>>>>>
>>>>>   From: "Russ Combs (rucombs)" <rucombs at ...589...>
>>>>> Date: Monday, March 31, 2014 11:40 AM
>>>>> To: Fernando Cardoso <fcardoso at ...14432...>, "
>>>>> snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
>>>>> Subject: Re: [Snort-users] ERSPAN
>>>>>
>>>>>   Can you send a pcap?
>>>>>  ------------------------------
>>>>> *From:* Fernando Cardoso [fcardoso at ...14432...]
>>>>> *Sent:* Friday, March 28, 2014 11:00 AM
>>>>> *To:* snort-users at lists.sourceforge.net
>>>>> *Subject:* [Snort-users] ERSPAN
>>>>>
>>>>>   Hello,
>>>>>
>>>>>  I'm using Snort version 2.9.6.0 GRE (Build 47) on an Ubuntu Server
>>>>> to sniff ERSPAN traffic.
>>>>> Snort output shows me entire packets from many different VLANs, but the
>>>>> source and destination addresses are the same ones configured in my switch session.
>>>>> Sniffing example running snort:
>>>>> snort -X -i eth1
>>>>>
>>>>> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>>>>>
>>>>>  03/28-11:37:15.569789 10.199.11.1 -> 10.200.10.10
>>>>> GRE TTL:255 TOS:0x0 ID:900 IpLen:20 DgmLen:84 DF
>>>>> 0x0000: 00 50 56 91 06 B7 54 7F EE 96 AC 7C 08 00 45 00  .PV...T....|..E.
>>>>> 0x0010: 00 54 03 84 40 00 FF 2F 65 02 0A C7 C7 01 0A 64  .T..@../e......d
>>>>> 0x0020: 36 C8 10 00 88 BE 32 4E CB 44 12 6B 00 01 00 01  6.....2N.D.k....
>>>>> 0x0030: 00 00 02 0A BD 00 00 00 02 0A BE 00 00 00 89 03  ................
>>>>> 0x0040: 40 20 00 B0 D1 34 32 31 00 50 56 91 72 E3 81 00  @ ...421.PV.r...
>>>>> 0x0050: 02 6B 08 00 45 00 00 28 67 D8 40 00 40 06 E8 6A  .k..E..(g.@.@..j
>>>>> 0x0060: 0A FC 13 05 BA DF 11 AD 1F 90 C6 6E 81 51 5B D9  ...........n.Q[.
>>>>> 0x0070: 6E 90 0F 3E 50 10 00 F2 83 5D 00 00 00 00 00 00  n..>P....]......
>>>>>                               ..
>>>>>  Where 10.199.11.1 is my source and 10.200.10.10 is my destination in
>>>>> my session configuration
>>>>>
>>>>>  When I use tools like tshark and gulp I can see the right source and
>>>>> destination, not only the source and destination from GRE.
>>>>>
>>>>>  My switch is a nexus 5k and my config is something like this:
>>>>>  session 1
>>>>> ---------------
>>>>> type              : erspan-source
>>>>> state             : up
>>>>> erspan-id         : 1
>>>>> vrf-name          : default
>>>>> destination-ip    : 10.200.10.10
>>>>> ip-ttl            : 255
>>>>> ip-dscp           : 0
>>>>> origin-ip         : 10.199.11.1 (global)
>>>>> source intf       :
>>>>>     rx            :
>>>>>     tx            :
>>>>>     both          :
>>>>> source VLANs      :
>>>>>     rx            : 10,50,100-150
>>>>>
>>>>>
>>>>>  My question is, can Snort show the destination and source IP addresses from
>>>>> the decapsulated ERSPAN like tshark and gulp do?
>>>>>
>>>>>
>>>>>
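A small diagnostic, added here and not from the thread, from Snort or from Cisco, that parses the frame quoted in the dump above: it compares the outer IPv4 total length with the bytes actually on the wire (the mismatch Carter describes) and then locates the inner 802.1Q-tagged IPv4 header that tshark and gulp display. The `find_inner_ipv4` scan is my own heuristic, not the decoder logic of Snort or Wireshark, and the frame bytes are the ones in the dump, which is cut off after offset 0x7f.

```python
import struct
from ipaddress import IPv4Address

# Bytes copied from the Snort -X dump quoted above (outer Ethernet/IPv4/GRE, ERSPAN, inner tagged frame).
# The quoted dump stops at offset 0x7f, so the real frame is at least this long.
FRAME = bytes.fromhex(
    "0050569106b7547fee96ac7c08004500" "005403844000ff2f65020ac7c7010a64"
    "36c8100088be324ecb44126b00010001" "0000020abd000000020abe0000008903"
    "402000b0d13432310050569172e38100" "026b08004500002867d840004006e86a"
    "0afc1305badf11ad1f90c66e81515bd9" "6e900f3e501000f2835d000000000000")

def ipv4_checksum_ok(header: bytes) -> bool:
    """RFC 791: the one's-complement sum of the header words must fold to 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def analyze_outer(frame: bytes) -> dict:
    """Outer IPv4 header fields versus the bytes actually present behind the Ethernet header."""
    assert frame[12:14] == b"\x08\x00", "outer frame is not IPv4"
    ihl, total_len, proto = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0], frame[23]
    gre = 14 + ihl                      # GRE: 4 fixed bytes + 4 for each of the C/K/S flag words
    flags = struct.unpack("!H", frame[gre:gre + 2])[0]
    gre_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    return {"src": str(IPv4Address(frame[26:30])), "dst": str(IPv4Address(frame[30:34])),
            "protocol": proto, "header_checksum_ok": ipv4_checksum_ok(frame[14:14 + ihl]),
            "declared_total_length": total_len, "bytes_after_ethernet": len(frame) - 14,
            "gre_payload_offset": gre + gre_len}

def find_inner_ipv4(frame: bytes, start: int):
    """Heuristic (my assumption, not Snort's or Wireshark's decoder): accept the first window after an 0x0800
    ethertype that is a version-4 header with a valid checksum, skipping the extra Nexus bytes in front."""
    for off in range(start, len(frame) - 20):
        if frame[off - 2:off] != b"\x08\x00" or frame[off] >> 4 != 4 or (frame[off] & 0x0F) < 5:
            continue
        ihl, total_len = (frame[off] & 0x0F) * 4, struct.unpack("!H", frame[off + 2:off + 4])[0]
        if ihl > total_len or total_len > len(frame) - off or not ipv4_checksum_ok(frame[off:off + ihl]):
            continue
        tagged = off >= 6 and frame[off - 6:off - 4] == b"\x81\x00"        # 802.1Q tag before the ethertype
        return {"offset": off, "total_length": total_len,
                "vlan": struct.unpack("!H", frame[off - 4:off - 2])[0] & 0x0FFF if tagged else None,
                "src": str(IPv4Address(frame[off + 12:off + 16])),
                "dst": str(IPv4Address(frame[off + 16:off + 20]))}
    return None

def inner_header_cut_by_outer_length(frame: bytes) -> bool:
    """True when the outer total length ends before the inner IPv4 header does, i.e. what Snort rejects."""
    outer = analyze_outer(frame)
    inner = find_inner_ipv4(frame, outer["gre_payload_offset"])
    return inner is not None and 14 + outer["declared_total_length"] < inner["offset"] + 20
```

For this frame the outer header checksum verifies even though its total length (84) stops short of the inner IPv4 header, so the length was set that way by the sender rather than damaged in transit.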