How to decode ERSPAN-without-a-header in Wireshark 2.6 and later?
Hello everyone,
I'm looking for erspan decoding with my pcap capture. I was doing the classical Protocols -> ERSPAN -> Force decode for that purpose, but it seems not present in wireshark anymore. It might be located somewhere else ? But I haven't find any documentation about that change. I tried decoding with my wireshark 2.6.6. (I also opened my capture, and it is not decoded : Was thinking that it could be natively enabled with last releases)
Thanks in advance,
Yoann
All that preference does is to force the ERSPAN dissector to assume the packet doesn't begin with an ERSPAN header. It does not, in Wireshark 2.4, force packets to be dissected as ERSPAN.
What does "not decoded" mean?
Thanks for your reply. I was blinded by the pcap in general. I’m seeing one packet between each erspan (icmp) from source erspan to my station. It’s an erspan type 1 (deprecated by rfc). I’d like to have a pcap which is more simple without having filtering the file
I can correctly see stuff from my source device which encapsulate data to my device
Yoann