ERSPAN filter

Posted: Fri Aug 24, 2012 12:59 pm
by noguano
Hello All,

When attempting to create a filter for ERSPAN GRE traffic, I didn't see ERSPAN listed in any of the protocol filter lists. I'm trying to create a filter that matches a Wireshark filter with the syntax of erspan.spanid==2. Is this possible with OmniPeek 6.8.2? GRE protocol type 0x88be is ERSPAN, and the last 10 bits of the ERSPAN wrapper are the ID. I've tried an advanced filter for GRE protocol and a value of 0x88be, but that doesn't even filter the GRE packets with the ERSPAN protocol type.


Posted: Fri Aug 24, 2012 1:42 pm
by noguano
Some additional information... I found the ERSPAN header in OmniPeek's "Extra Bytes" section in the packet view (the bottom window of the display shows the hex). After the GRE header (10 00 88 be b6 f9 55 82, where 88 be indicates ERSPAN) is the ERSPAN header of 13 88 08 68. I'm interested in the 08 68, which is 0000 1000 0110 1000 in binary, and the last 10 bits are 00 0110 1000, which indicate SPAN ID 104 (in decimal). In Wireshark, the filter syntax would be erspan.spanid==104, so I'm looking for the OmniPeek equivalent.
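
The header walk described in the post above, as an added example that is not part of the original thread: a Python parser that steps over the GRE header, checks protocol type 0x88be, and extracts the 10-bit SPAN ID from the bytes quoted in the post. The function names are hypothetical, and the remaining field layout (4-bit version, 12-bit VLAN, 3-bit COS, 2-bit encapsulation, 1-bit truncation flag) is assumed from the ERSPAN Type II format rather than stated on this page.

```python
import struct

GRE_PROTO_ERSPAN = 0x88BE  # GRE protocol type the post identifies as ERSPAN

# Bytes quoted in the post: 8-byte GRE header, then the first 4 ERSPAN bytes.
SAMPLE = bytes.fromhex("100088beb6f95582" "13880868")


def parse_erspan(gre: bytes):
    """Parse a buffer starting at the GRE header; None if there is no ERSPAN header."""
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", gre, 0)
    if proto != GRE_PROTO_ERSPAN:
        return None
    offset = 4
    if flags & 0x8000:   # C bit: checksum + reserved word present
        offset += 4
    if flags & 0x2000:   # K bit: key present
        offset += 4
    if not flags & 0x1000:
        # No sequence number: Type I framing, the mirrored frame follows GRE
        # directly and there is no ERSPAN header (so no span ID) to read.
        return None
    if len(gre) < offset + 8:
        raise ValueError("truncated GRE sequence or ERSPAN header")
    seq, word0, word1 = struct.unpack_from("!IHH", gre, offset)
    return {
        "gre_seq": seq,
        "version": word0 >> 12,          # 1 means ERSPAN Type II
        "vlan": word0 & 0x0FFF,
        "cos": word1 >> 13,
        "encap": (word1 >> 11) & 0x3,
        "truncated": bool(word1 & 0x0400),
        "span_id": word1 & 0x03FF,       # last 10 bits, as in the post
    }


def matches_span_id(gre: bytes, wanted: int) -> bool:
    """Equivalent of the Wireshark display filter erspan.spanid == wanted."""
    try:
        fields = parse_erspan(gre)
    except ValueError:
        return False
    return fields is not None and fields["span_id"] == wanted


if __name__ == "__main__":
    print(parse_erspan(SAMPLE))
    print(matches_span_id(SAMPLE, 104))
```

The SPAN ID offset is not fixed relative to the start of GRE: it moves by 4 bytes for each optional GRE field present, which is why a fixed-offset pattern filter has to account for the GRE flags seen in the capture.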

Posted: Mon Aug 27, 2012 8:05 am
The OmniPeek Filter Bar Syntax can be found in the User Guide starting on page 122.