Snort mailing list archives
Re: ERSPAN
From: Fernando Cardoso <fcardoso () ymail com>
Date: Mon, 31 Mar 2014 15:21:53 -0300
Hey Russ,
Following are two pcap files, one decoded and the other not.
The command-line used was:
./gulp -i eth1 -d | ngrep -I - -O decoded.pcap
tcpdump -i eth1 -X -c 20 -w notdecoded.pcap
tshark can decode it well; nonetheless, I got many Malformed Packets.
My interface configuration:
ethtool -k eth1
Features for eth1:
rx-checksumming: off
tx-checksumming: off
tx-checksum-ipv4: off [fixed]
tx-checksum-ip-generic: off
tx-checksum-ipv6: off [fixed]
tx-checksum-fcoe-crc: off [fixed]
tx-checksum-sctp: off [fixed]
scatter-gather: off
tx-scatter-gather: off
tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: off
tx-tcp-segmentation: off
tx-tcp-ecn-segmentation: off [fixed]
tx-tcp6-segmentation: off
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off [fixed]
receive-hashing: off [fixed]
highdma: on
rx-vlan-filter: on [fixed]
vlan-challenged: off [fixed]
tx-lockless: off [fixed]
netns-local: off [fixed]
tx-gso-robust: off [fixed]
tx-fcoe-segmentation: off [fixed]
tx-gre-segmentation: off [fixed]
tx-udp_tnl-segmentation: off [fixed]
tx-mpls-segmentation: off [fixed]
fcoe-mtu: off [fixed]
tx-nocache-copy: on
loopback: off [fixed]
rx-fcs: off [fixed]
rx-all: off [fixed]
tx-vlan-stag-hw-insert: off [fixed]
rx-vlan-stag-hw-parse: off [fixed]
rx-vlan-stag-filter: off [fixed]
Many Thanks
2014-03-31 12:40 GMT-03:00 Russ Combs (rucombs) <rucombs () cisco com>:
Can you send a pcap?
------------------------------
From: Fernando Cardoso [fcardoso () ymail com]
Sent: Friday, March 28, 2014 11:00 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] ERSPAN
Hello,
I'm using Snort version 2.9.6.0 GRE (Build 47) on an Ubuntu Server to
sniff ERSPAN traffic.
Snort output shows me entire packets from many different VLANs, but the source
and destination addresses are the same ones configured in my switch session.
Sniffing example running snort:
snort -X -i eth1
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/28-11:37:15.569789 10.199.11.1 -> 10.200.10.10
GRE TTL:255 TOS:0x0 ID:900 IpLen:20 DgmLen:84 DF
0x0000: 00 50 56 91 06 B7 54 7F EE 96 AC 7C 08 00 45 00 .PV...T....|..E.
0x0010: 00 54 03 84 40 00 FF 2F 65 02 0A C7 C7 01 0A 64 .T..@../e......d
0x0020: 36 C8 10 00 88 BE 32 4E CB 44 12 6B 00 01 00 01 6.....2N.D.k....
0x0030: 00 00 02 0A BD 00 00 00 02 0A BE 00 00 00 89 03 ................
0x0040: 40 20 00 B0 D1 34 32 31 00 50 56 91 72 E3 81 00 @ ...421.PV.r...
0x0050: 02 6B 08 00 45 00 00 28 67 D8 40 00 40 06 E8 6A .k..E..(g.@.@..j
0x0060: 0A FC 13 05 BA DF 11 AD 1F 90 C6 6E 81 51 5B D9 ...........n.Q[.
0x0070: 6E 90 0F 3E 50 10 00 F2 83 5D 00 00 00 00 00 00 n..>P....]......
..
Where 10.199.11.1 is my source and 10.200.10.10 is my destination in my
session configuration.
When I use tools like tshark and gulp, I can see the right source and
destination, not only the source and destination from GRE.
My switch is a Nexus 5k and my config is something like this:
session 1
---------------
type : erspan-source
state : up
erspan-id : 1
vrf-name : default
destination-ip : 10.200.10.10
ip-ttl : 255
ip-dscp : 0
origin-ip : 10.199.11.1 (global)
source intf :
rx :
tx :
both :
source VLANs :
rx : 10,50,100-150
My question is: can Snort show the destination and source IP addresses from the
decapsulated ERSPAN packet, like tshark and gulp do?
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
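As an added example, not code from the thread, a Python decoder that walks the exact bytes of the hexdump above: outer Ethernet, IPv4, GRE with the sequence-number flag set, the 8-byte ERSPAN type II header, then the mirrored frame, which in this dump carries a Cisco FabricPath tag (ethertype 0x8903, assumed here to be a 2-byte FTag/TTL field followed by the original frame) and an 802.1Q tag ahead of the inner IPv4/TCP headers. The outer addresses it recovers are the ones actually encoded in the bytes, which differ from those typed in the header line of the post.

```python
import struct
from ipaddress import IPv4Address
# Constructed from the hexdump in the post above: outer frame through the inner TCP header.
ERSPAN_FRAME = bytes.fromhex(
    "00505691 06b7547f ee96ac7c 08004500 00540384 4000ff2f 65020ac7 c7010a64"
    "36c81000 88be324e cb44126b 00010001 0000020a bd000000 020abe00 00008903"
    "402000b0 d1343231 00505691 72e38100 026b0800 45000028 67d84000 4006e86a"
    "0afc1305 badf11ad 1f90c66e 81515bd9 6e900f3e 501000f2 835d0000 00000000"
)

def skip_ethernet(buf, off):
    """Return (ethertype, payload offset, 802.1Q VLAN id or None) for the frame at buf[off:]."""
    off, vlan = off + 12, None                         # destination and source MAC
    while True:
        (et,) = struct.unpack_from("!H", buf, off)
        off += 2
        if et == 0x8100:                               # 802.1Q tag: keep the VLAN id
            vlan = struct.unpack_from("!H", buf, off)[0] & 0x0FFF
            off += 2
        elif et == 0x8903:                             # Cisco FabricPath (assumption, matches the
            off += 2 + 12                              # dump): 2-byte FTag/TTL, then inner MAC pair
        else:
            return et, off, vlan

def ipv4_header(buf, off):
    """Return (src, dst, protocol, header length) for the IPv4 header at buf[off:]."""
    ihl = (buf[off] & 0x0F) * 4
    src = str(IPv4Address(buf[off + 12:off + 16]))
    dst = str(IPv4Address(buf[off + 16:off + 20]))
    return src, dst, buf[off + 9], ihl

def decode_erspan(frame):
    """Walk Ethernet/IPv4/GRE/ERSPAN type II and report the outer and the mirrored addresses."""
    et, off, _ = skip_ethernet(frame, 0)
    o_src, o_dst, proto, ihl = ipv4_header(frame, off) if et == 0x0800 else (None,) * 4
    if proto != 47:
        raise ValueError("outer packet is not IPv4 over GRE")
    # Walk by structure: the dump's outer total length (84) does not even cover the mirrored headers.
    off += ihl
    flags, gre_proto = struct.unpack_from("!HH", frame, off)
    if gre_proto != 0x88BE:
        raise ValueError("GRE payload is not ERSPAN type II")
    # optional GRE fields: checksum/offset (C or R), key (K), sequence number (S, set here)
    off += 4 + 4 * bool(flags & 0xC000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    ver_vlan, sid = struct.unpack_from("!HH", frame, off)  # first half of the 8-byte header
    et, off, vlan = skip_ethernet(frame, off + 8)
    i_src, i_dst, proto, ihl = ipv4_header(frame, off)
    ports = struct.unpack_from("!HH", frame, off + ihl) if proto == 6 else None
    return {"outer": (o_src, o_dst), "erspan_version": ver_vlan >> 12, "erspan_vlan": ver_vlan & 0x0FFF,
            "session_id": sid & 0x03FF, "inner_vlan": vlan, "inner": (i_src, i_dst), "ports": ports}
```

Calling decode_erspan(ERSPAN_FRAME) yields session id 1 and VLAN 619 on both the ERSPAN header and the inner 802.1Q tag, with the mirrored TCP flow 10.252.19.5:8080 to 186.223.17.173:50798 behind the outer 10.199.199.1 to 10.100.54.200 GRE tunnel.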
