OmniPeek Support

ERSPAN filter

noguano
Posts: 2
Joined: Fri Aug 24, 2012 12:38 pm

ERSPAN filter

Postby noguano » Fri Aug 24, 2012 12:59 pm

Hello All,

When attempting to create a filter for ERSPAN GRE traffic, I didn't see ERSPAN listed in any of the protocol filter lists. I'm trying to create a filter that matches a Wireshark filter with the syntax of erspan.spanid==2. Is this possible with OmniPeek 6.8.2? GRE protocol type 0x88be is ERSPAN, and the last 10 bits of the ERSPAN wrapper are the ID. I've tried an advanced filter for GRE protocol and a value of 0x88be, but that doesn't even filter the GRE packets with the ERSPAN protocol type.

Thanks!

noguano
Posts: 2
Joined: Fri Aug 24, 2012 12:38 pm

RE: ERSPAN filter

Postby noguano » Fri Aug 24, 2012 1:42 pm

Some additional information... I found the ERSPAN header in OmniPeek's "Extra Bytes" section in the packet view (the bottom window of the display shows the hex). After the GRE header (10 00 88 be b6 f9 55 82, where 88 be indicates ERSPAN) is the ERSPAN header of 13 88 08 68. I'm interested in the 08 68, which is 0000 1000 0110 1000 in binary, and the last 10 bits are 00 0110 1000, which indicates SPAN ID 104 (in decimal). In Wireshark, the filter syntax would be erspan.spanid==104, so I'm looking for the OmniPeek equivalent.
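
The byte arithmetic from the post above, worked as an added example (not part of the original thread, and not OmniPeek filter syntax): a Python function that skips the GRE header and masks out the 10-bit span ID. The function names and the ver/VLAN split of the first ERSPAN word are assumptions taken from the ERSPAN Type II layout; the sample bytes are the ones quoted in the post.

```python
import struct

GRE_PROTO_ERSPAN = 0x88BE   # GRE protocol type the post identifies as ERSPAN
GRE_FLAG_CHECKSUM = 0x8000  # each optional GRE field adds 4 bytes
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQUENCE = 0x1000  # set in the post's header (10 00)


def parse_erspan(gre: bytes):
    """Parse bytes starting at the GRE header.

    Returns (version, vlan, span_id), or None when the payload is not
    ERSPAN or is too short to hold the first ERSPAN word pair.
    Assumes the ERSPAN header directly follows the GRE header.
    """
    if len(gre) < 4:
        return None
    flags, proto = struct.unpack_from("!HH", gre, 0)
    if proto != GRE_PROTO_ERSPAN:
        return None
    offset = 4
    for bit in (GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQUENCE):
        if flags & bit:
            offset += 4
    if len(gre) < offset + 4:
        return None
    word0, word1 = struct.unpack_from("!HH", gre, offset)
    version = word0 >> 12    # top 4 bits of 13 88
    vlan = word0 & 0x0FFF    # remaining 12 bits
    span_id = word1 & 0x03FF # last 10 bits of 08 68
    return version, vlan, span_id


def matches_span_id(gre: bytes, wanted: int) -> bool:
    """Equivalent of the Wireshark filter erspan.spanid==<wanted>."""
    parsed = parse_erspan(gre)
    return parsed is not None and parsed[2] == wanted


# Header bytes quoted in the post: 8-byte GRE header, then 13 88 08 68.
SAMPLE = bytes.fromhex("100088beb6f95582" "13880868")

if __name__ == "__main__":
    print(parse_erspan(SAMPLE), matches_span_id(SAMPLE, 104))
```

Because the GRE header length depends on its flag bits, a fixed-offset match on 08 68 is only valid for captures whose GRE headers all carry the same optional fields as this one.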

DJWP
Posts: 687
Joined: Tue Oct 30, 2007 11:42 am

RE: RE: ERSPAN filter

Postby DJWP » Mon Aug 27, 2012 8:05 am

The OmniPeek Filter Bar Syntax can be found in the User Guide starting on page 122.
