Wireshark-dev: Re: [Wireshark-dev] Wireshark ProCurve ERSPAN Support
From: Tim Durack <tdurack@xxxxxxxxx>
Date: Wed, 13 Jan 2010 19:07:39 -0500
On Wed, Jan 13, 2010 at 11:37 AM, Bill Meier <wmeier@xxxxxxxxxxx> wrote:
> Let me see if I understand your request:
>
> 1. By "remote packet capture"  I expect you mean the use of the "remote
> traffic mirroring" capability as described in the ProCurve "Management
> and Configuration Guide". Is this correct ?

Yes.

> 2. It sounds like you want to capture/decode the ProCurve remote traffic
> mirroring frames being sent on the network as opposed to using Wireshark
> to capture the mirrored traffic on the "exit port" of a "remote switch".

Correct.

> A question: (I'm kinda new to this stuff). What is gained by capturing
> the encapsulated traffic as opposed to just capturing the traffic on the
> "exit port" ?

I can direct the ERSPAN traffic at a remote monitoring station, and
perform the capture/analysis right there. Wireshark understands Cisco
ERSPAN, which allows me to capture and decode the encapsulated capture
directly.

> In any case, a starting point would be to post a small capture
> containing the encapsulated remote capture packets.

That I can do.

> I suggest opening a enhancement request on bugs.wireshark.org and
> attaching the capture file to to the request.

Thanks for the suggestion, will do so.

Tim:>