ceived from the net device. Second, eBPF users can use iproute2 to create a metadata-mode ERSPAN tunnel. With the eBPF TC hook and the eBPF tunnel helper functions, users can read/write ERSPAN protocol fields in finer granularity. Finally, Open vSwitch users can use the netlink interface to create a switch and programmatically parse, look up, and forward the ERSPAN packets based on flows installed from userspace.

ERSPAN is popular in the following use cases:
• Debugging network issues by tracking the control and data frames.
• Monitoring Voice-over-IP (VoIP) packets for delay and jitter analysis
• Monitoring network transactions for latency analysis
• Monitoring network traffic for anomaly detection

Figure 1 shows an example setup of ERSPAN tunnels. A network administrator first sets up multiple source network devices and filters the portion of the traffic he/she wants to inspect. One case, on the left-most, is to create the ERSPAN tunnel between the Cisco switch and a traffic sniffer. Depending on the features in the Cisco switch, different filters can be applied to the traffic. In the middle of the figure, for multiple virtual machines running inside a Linux box, the virtual switch forwarding the packet between virtual and physical networks can also create ERSPAN tunnels between the software switch and the remote traffic sniffer. Here, Open vSwitch is an example capable of creating filters and forwarding packets to ERSPAN tunnels. More detailed configurations of Open vSwitch are described in a later section.

The ERSPAN tunnel is represented in Linux as a netdev and configured through iproute2. Any packet that is placed into its send queue will be encapsulated based on the netdev's ERSPAN configuration. As a result, on the right-most, any other Linux netdev that wants to create an ERSPAN mirrored packet simply makes a copy and forwards it to the ERSPAN netdev. For example, a physical netdev can use Linux TC with the mirror action to copy a packet to the ERSPAN tunnel.

Mirrored traffic arriving at the sniffer machine needs to be able to extract and restore the original monitored frame. To differentiate the three use cases, the administrator can create three ERSPAN session IDs, a configuration parameter for grouping the mirrored traffic. For Linux users, an ERSPAN tunnel can also be used at the sniffer side. Any packet arriving at the ERSPAN tunnel netdev's receive queue will be decapsulated. Tools such as Wireshark [10, 11] can be used to inspect the mirrored packet.

<------------ outer -------------> <---- inner ---- ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Ether |IP|GRE|ERSPAN| Ether |IP| ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: An example of a mirrored packet with the outer header containing the GRE and ERSPAN headers, followed by the inner Ethernet frame.

2. ERSPAN Protocol Implementation

The ERSPAN protocol was developed by Cisco and its specification is published as an IETF draft. Figure 2 shows an example of an ERSPAN encapsulated packet, with the outer header consisting of an Ethernet header, followed by an IPv4/IPv6 header, followed by a fixed 8-byte GRE header, and followed by the ERSPAN header. After the ERSPAN header, the inner frame
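An added example (not from the paper or the kernel source): a sniffer-side parser for the layout in Figure 2 that restores the inner frame and groups mirrored traffic by session ID. It is narrowed to an IPv4 outer header and ERSPAN Type II; the Type II details (GRE protocol type 0x88BE, version 1, 10-bit session ID) come from the Cisco draft rather than this excerpt, the function names are hypothetical, and the sample packets are constructed.

```python
import struct

GRE_PROTO_ERSPAN_II = 0x88BE  # GRE protocol type for ERSPAN Type II (Cisco draft)
GRE_FLAG_SEQ = 0x1000         # S bit: sequence number present, giving an 8-byte GRE header

def parse_erspan(pkt: bytes):
    """Return (session_id, gre_seq, inner_frame) for Ether/IPv4/GRE/ERSPAN Type II."""
    if len(pkt) < 14 + 20:
        raise ValueError("truncated outer Ethernet/IPv4 header")
    if struct.unpack_from("!H", pkt, 12)[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ihl = (pkt[14] & 0x0F) * 4
    if pkt[14] >> 4 != 4 or ihl < 20 or pkt[14 + 9] != 47:
        raise ValueError("outer IP header is not IPv4 carrying GRE (protocol 47)")
    gre = 14 + ihl
    if len(pkt) < gre + 8 + 8:
        raise ValueError("truncated GRE/ERSPAN header")
    flags, proto, seq = struct.unpack_from("!HHI", pkt, gre)
    if flags != GRE_FLAG_SEQ or proto != GRE_PROTO_ERSPAN_II:
        raise ValueError("not an 8-byte GRE header carrying ERSPAN Type II")
    word1 = struct.unpack_from("!I", pkt, gre + 8)[0]
    if word1 >> 28 != 1:  # Type II uses version 1
        raise ValueError("unexpected ERSPAN version")
    inner = pkt[gre + 16:]
    if len(inner) < 14:
        raise ValueError("inner Ethernet frame truncated")
    return word1 & 0x3FF, seq, inner  # session ID is the low 10 bits

def build_sample(session_id: int, seq: int, inner: bytes) -> bytes:
    """Constructed test packet; addresses are documentation IPs, checksum left 0."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36 + len(inner), 0, 0, 64, 47, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    gre = struct.pack("!HHI", GRE_FLAG_SEQ, GRE_PROTO_ERSPAN_II, seq)
    erspan = struct.pack("!II", (1 << 28) | (session_id & 0x3FF), 0)
    return eth + ip + gre + erspan + inner

def group_by_session(packets):
    """Sniffer-side grouping: session ID -> list of restored inner frames."""
    groups = {}
    for pkt in packets:
        sid, _, inner = parse_erspan(pkt)
        groups.setdefault(sid, []).append(inner)
    return groups

if __name__ == "__main__":
    frame = bytes(12) + b"\x08\x00" + b"constructed payload"
    pkts = [build_sample(s, i, frame) for i, s in enumerate((1, 2, 1))]
    print({sid: len(v) for sid, v in group_by_session(pkts).items()})
```

The parser rejects anything that does not match the expected outer headers instead of guessing offsets, which matters when the capture interface also sees unrelated GRE traffic.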