We care far more about when a packet transited the ERSPAN source device than when it arrived at the packet capture endpoint.

And somebody debugging issues with the ERSPAN mechanism might care about the time stamps when the ERSPAN packet is transmitted or received.

What might be useful is 1) a mechanism in Wireshark by which a packet can change the displayed time stamps in the time stamp column and the frame part of the packet details and 2) per-protocol preferences to control whether a dissector should override the capture file timestamp or not.

(And what might be useful in libpcap is a way to receive the GRE packets from a machine using ERSPAN and de-encapsulate them, so you just directly do an ERSPAN capture in tcpdump or Wireshark or....)