This topic is to discuss the following lesson:
You say for the destination you have to specify the source IP address, but I don’t see that anywhere in the config?
Also is the GRE tunnel between the wireshark server and R1, rather than R1 and R2?
Yes, you are correct. @ReneMolenaar states that:
For the destination we have to specify:
- Source IP address: has to match with the origin IP address of the source session.
It should read:
- Source IP address, which is the same as the destination IP address of the corresponding source session
as stated in Cisco Documentation.
So, the Source IP address stated should be the IP address of the Wireshark PC as shown in the last line of Rene’s configuration:
I will let @ReneMolenaar know to update it.
As for the GRE tunnel, that exists only between the two routers, specifically, between the two Gi3 interfaces. Note that packets captured by the Wireshark PC do not include any of the GRE headers as these are stripped before being passed on.
I hope this has been helpful!
The Wireshark capture in the lesson shows the GRE encapsulation.
Yes, I stand corrected: the GRE header is included, as that is the tunnel used by ERSPAN.
There is also a slightly different way to configure the “sniffer” as a layer 2 device.
Many sniffers will not use a layer 3 IP address on the network to sniff traffic; they will have an IP for management, but layer 2 interfaces with no IP for capturing network traffic.
In this case you can configure the source and destination IP as a loopback on the remote router, and the destination interface as the layer 2 interface of the sniffer. In this case, the GRE header would surely be stripped on the router.
You can also combine RSPAN and ERSPAN. For example, it’s possible to create an RSPAN VLAN and then use this VLAN as the source for the ERSPAN session. Later you can cut off the GRE header to get the original frame:
editcap -C 50 capture.pcap capture_filtered.pcap
I am still lost here.
R2(config)#monitor session 1 type erspan-destination
R2(config-mon-erspan-dst)#no shutdown
R2(config-mon-erspan-dst)#destination interface GigabitEthernet 2
R2(config-mon-erspan-dst)#source
R2(config-mon-erspan-dst-src)#erspan-id 100
R2(config-mon-erspan-dst-src)#ip address 172.16.2.200
Looking at the configuration above. I do not know how R1 sees 172.16.2.200 as the destination IP address and R2 sees same IP address as the source IP address.
I thought the source IP address from R2’s perspective should be the 172.16.12.1, IP address of R1.
Secondly, you are using the tunnel source interfaces and not the tunnel interfaces in the configurations, right?
Thank you for always helping.
It seems there may be a typo in the configuration. The GRE tunnel must terminate on the routers, and in order to do so, the following must be true:
For the configuration in the source device, the ip address command should have the destination IP where the tunnel will terminate on the other device, namely 172.16.12.2. The destination device should have the same address configured for its ip address command, namely 172.16.12.2. In both cases, the IP address configured was that of the Wireshark device, which is incorrect. I will let @ReneMolenaar know to make the correction.
Yes, that is correct. We are not actually explicitly creating tunnel interfaces, that is being done by the mechanism itself, so we must reference the physical interfaces.
I hope this has been helpful!
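As an added example (not part of any post in this thread, and not Cisco’s or Rene’s code), the script below models two things discussed above: the check the erspan-destination session on R2 makes, namely that the outer IP destination equals its configured ip address (172.16.12.2, not the Wireshark PC’s 172.16.2.200) and that the erspan-id matches, and the 50-byte strip that the editcap -C 50 command earlier in the thread relies on (14 Ethernet + 20 IPv4 + 8 GRE with sequence number + 8 ERSPAN type II). It assumes ERSPAN type II, no IP options and no outer VLAN tag; the MAC addresses and the inner frame are constructed sample data, and the encapsulation is built in the script rather than taken from a real capture.

```python
"""Parse and strip ERSPAN Type II encapsulation from a captured frame (added example)."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47
GRE_PROTO_ERSPAN_II = 0x88BE   # GRE protocol type used for ERSPAN type II
GRE_FLAG_SEQ = 0x1000          # ERSPAN type II GRE headers carry a sequence number
# Ethernet (14) + IPv4 without options (20) + GRE with sequence (8) + ERSPAN II (8)
ERSPAN_ENCAP_LEN = 14 + 20 + 8 + 8   # 50 bytes, the value given to editcap -C above


def _ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_erspan_frame(origin_ip: str, dest_ip: str, erspan_id: int,
                       inner_frame: bytes, seq: int = 1) -> bytes:
    """Encapsulate inner_frame the way an ERSPAN source router would.

    origin_ip is the source session's origin address, dest_ip the far-end
    router it sends to, erspan_id the session ID. MAC addresses are made up.
    """
    erspan = struct.pack("!HHI", 1 << 12, erspan_id & 0x3FF, 0)   # version 1, VLAN 0, index 0
    gre = struct.pack("!HHI", GRE_FLAG_SEQ, GRE_PROTO_ERSPAN_II, seq)
    total_len = 20 + len(gre) + len(erspan) + len(inner_frame)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_GRE, 0,
                     ipaddress.IPv4Address(origin_ip).packed,
                     ipaddress.IPv4Address(dest_ip).packed)
    ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]
    eth = (bytes.fromhex("0cbb00000002") + bytes.fromhex("0caa00000001")
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + gre + erspan + inner_frame


def decapsulate_erspan(frame: bytes, session_ip: str, session_erspan_id: int) -> dict:
    """Apply the checks an erspan-destination session makes, then strip 50 bytes.

    session_ip is the destination session's configured ip address and must equal
    the outer IPv4 destination; session_erspan_id must equal the ERSPAN session ID.
    Raises ValueError when the frame does not belong to this session.
    """
    if len(frame) < ERSPAN_ENCAP_LEN:
        raise ValueError("frame too short for ERSPAN encapsulation")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ip = frame[14:34]
    if (ip[0] >> 4) != 4 or (ip[0] & 0x0F) != 5:
        raise ValueError("IPv4 header with options not handled")
    if _ipv4_checksum(ip) != 0:
        raise ValueError("bad outer IPv4 checksum")
    if ip[9] != IPPROTO_GRE:
        raise ValueError("outer IPv4 payload is not GRE")
    origin_ip = str(ipaddress.IPv4Address(ip[12:16]))
    dest_ip = str(ipaddress.IPv4Address(ip[16:20]))
    if dest_ip != session_ip:
        raise ValueError(f"outer destination {dest_ip} is not this session's ip address {session_ip}")
    gre_flags, gre_proto, seq = struct.unpack("!HHI", frame[34:42])
    if gre_proto != GRE_PROTO_ERSPAN_II or not gre_flags & GRE_FLAG_SEQ:
        raise ValueError("GRE header is not ERSPAN type II")
    ver_vlan, sid_word = struct.unpack("!HH", frame[42:46])
    if ver_vlan >> 12 != 1:
        raise ValueError("not an ERSPAN type II header")
    erspan_id = sid_word & 0x3FF
    if erspan_id != session_erspan_id:
        raise ValueError(f"erspan-id {erspan_id} does not match session {session_erspan_id}")
    return {
        "origin_ip": origin_ip, "destination_ip": dest_ip,
        "erspan_id": erspan_id, "sequence": seq,
        "inner_frame": frame[ERSPAN_ENCAP_LEN:],
    }


# Constructed sample: a short frame seen on the monitored port of R1, encapsulated by
# R1 (origin 172.16.12.1) towards R2 (172.16.12.2) with erspan-id 100.
INNER_SAMPLE = (bytes.fromhex("ffffffffffff") + bytes.fromhex("0c1100000001")
                + struct.pack("!H", 0x0806) + b"\x00\x01\x08\x00\x06\x04\x00\x01")
ERSPAN_SAMPLE = build_erspan_frame("172.16.12.1", "172.16.12.2", 100, INNER_SAMPLE)

if __name__ == "__main__":
    info = decapsulate_erspan(ERSPAN_SAMPLE, "172.16.12.2", 100)
    print(f"{len(ERSPAN_SAMPLE) - len(info['inner_frame'])} bytes of encapsulation stripped")
    print("origin", info["origin_ip"], "erspan-id", info["erspan_id"], "seq", info["sequence"])
    # The typo discussed above: a destination session configured with the Wireshark
    # PC's address 172.16.2.200 instead of R2's 172.16.12.2 never matches the traffic.
    try:
        decapsulate_erspan(ERSPAN_SAMPLE, "172.16.2.200", 100)
    except ValueError as err:
        print("rejected:", err)
```

The sniffer behind R2’s Gi2 only ever sees what decapsulate_erspan returns (the inner frame), which is why the headers appear in a capture taken on the Gi3 link between the routers but not on the destination port.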
Thank you Lazaros,
That makes it clear
Hi Rene and Laz,
I can’t understand why we need to configure the source IP of the Wireshark server in R2; how is it going to make the ERSPAN work?
You are stating it should match the origin IP of the source, but instead you configured it to match for the destination IP that was configured on the source.