On Wed, 2011-10-19 at 16:40 +0100, Phil Mayers wrote: > Are you aware of "gulp"? > > http://staff.washington.edu/corey/gulp/ > > ...which (amongst other neat features) has a "-d" option to decapsulate > ERSPAN and output pcap, like so: > > gulp -i eth0 -d | tcpdump -n -r -
I wasn't actually, it does look nice. It actually just strips the first 50 bytes from GRE packets, but that fits the purpose here. The buffering takes some getting used to visually, but I guess that's the point of gulp. :-) > I should also mention that wireshark now "knows" about ERSPAN; you can > just point it at a machine and have wireshark extract the inner packets. Wireshark and I never became friends for some reason. I've used it on some occasions where the time-limit feature was useful. > In my experience, once the SPAN stuff has gone screwy, you need a reload > or a TAC engineer to poke at ASIC registers. Yeah, and the time invested in that (via shared support) is probably not worth it. We of course built all PoPs so any one P/PE can be reloaded without user impact, with proper preparations of course, so I think that's what we'll do. Hopefully it's not a symptom of some other problem with the device... -- Peter _______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
