Hello team,
with ERSPAN [one ERSPAN session], if the packet is captured twice on the same switch, ingress and egress, I trust both should be sent to the ERSPAN destination [which is windows with wireshark].
I see the packet only one time, could it be the wireshark is hiding packet to avoid duplicate? is there a way to show it?
If there is only one ingress mirror and one egress mirror then there should be only one packet, e.g. ingress would be only traffic from the local computer and egress would be only traffic from the WAN. A 1G full-duplex port has the capacity of simultaneous of 1G ingress traffic and 1G egress traffic. There is the possibility that the mirrored ingress and egress traffic could exceed the monitoring port.
Unless you have used a filter you should see all packets.
Asked: 2021-08-06 13:50:49 +0000
Seen: 354 times
Last updated: Aug 06 '21
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
source intf,rx?tx? both?