Ask Your Question

ERSPAN ID - Adding Information to captured packets

asked 2019-06-14 17:04:16 +0000

Robert121281 gravatar image

Hi Wireshark-Team,

Please allow a question regarding the following scenario:

  • I am capturing several ERSPAN sessions on one interface
  • ERSPAN header shows e.g. ID 10, or ID 20 etc.
  • I can create coloring rules that color packets with ID 10 red and other with ID 20 blue etc.

I would like to add a note to each captured packet based on the ERSPAN ID. The ERSPAN ID does (in my setup) identify on which interface this packet was monitored/captured in my infrastructure as I have one ERSPAN session for each interface to be monitored.

Is there a way to e.g. add an additional column e.g. after the Lenght and Info field in which information can be added based on the ERSPAN ID, same as the coloring, just not with coloring but adding a kind of a note to the packet line.

Thanks for your answer.

Best regards, Robert

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2019-06-14 22:52:54 +0000

Hi Robert,

You can click on almost any fields and make it a column.

So try to right-click on the ERSPAN ID field in the Packet Details pane and click on Apply as Column. (CTRL+SHIFT+I)



edit flag offensive delete link more



Thanks a lot. I missed that option. That already helps. I can now see for example SPAN ID 24 which as per my configuration means, switch 2 interface 4. Is there maybe somehow a way to "rewrite" this information to make it more readable, into "Switch 1 - Interface 4". Something like that. In general the SPAN ID is already good, however I run a class for students and it would be easier for them to see the SPAN ID "decoded" into the switch and interface name.

Thanks, Robert

Robert121281 gravatar imageRobert121281 ( 2019-06-15 08:17:38 +0000 )edit

That's a separate question, and should be asked separately. (This is a Q&A site - think of it as a crowdsourced FAQ - rather than a forum.)

Guy Harris gravatar imageGuy Harris ( 2019-06-15 14:04:57 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2019-06-14 17:04:16 +0000

Seen: 554 times

Last updated: Jun 15 '19