ERSPAN ID - Adding Information to captured packets

asked 2019-06-14

Robert121281

Hi Wireshark-Team,

Please allow a question regarding the following scenario:

  • I am capturing several ERSPAN sessions on one interface
  • ERSPAN header shows e.g. ID 10, or ID 20 etc.
  • I can create coloring rules that color packets with ID 10 red and others with ID 20 blue etc.

I would like to add a note to each captured packet based on the ERSPAN ID. The ERSPAN ID does (in my setup) identify on which interface this packet was monitored/captured in my infrastructure as I have one ERSPAN session for each interface to be monitored.

Is there a way to e.g. add an additional column e.g. after the Length and Info field in which information can be added based on the ERSPAN ID, same as the coloring, just not with coloring but adding a kind of a note to the packet line?

Thanks for your answer.

Best regards, Robert

answered 2019-06-14

Hi Robert,

You can click on almost any field and make it a column.

So try to right-click on the ERSPAN ID field in the Packet Details pane and click on Apply as Column. (CTRL+SHIFT+I)



Thanks a lot. I missed that option. That already helps. I can now see for example SPAN ID 24 which as per my configuration means, switch 2 interface 4. Is there maybe somehow a way to "rewrite" this information to make it more readable, into "Switch 1 - Interface 4". Something like that. In general the SPAN ID is already good, however I run a class for students and it would be easier for them to see the SPAN ID "decoded" into the switch and interface name.

Thanks, Robert

Robert121281 ( 2019-06-15 )

That's a separate question, and should be asked separately. (This is a Q&A site - think of it as a crowdsourced FAQ - rather than a forum.)

Guy Harris ( 2019-06-15 )
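For the follow-up about showing a readable name instead of the numeric SPAN ID, one possible approach is a Wireshark Lua post-dissector. This is an added example, not part of the original thread; it assumes the ERSPAN ID field has the filter name `erspan.spanid`, and the `erspan_label` protocol name and the ID-to-name table are made up for illustration.

```lua
-- Added example (not from the thread): label packets by ERSPAN session ID.
-- Assumption: the ERSPAN ID field's filter name is "erspan.spanid"; confirm it
-- by selecting the field in the Packet Details pane and reading the status bar.
local spanid_field = Field.new("erspan.spanid")

-- Hypothetical protocol and field names, chosen for this example only.
local label_proto = Proto("erspan_label", "ERSPAN Source Label")
local f_source = ProtoField.string("erspan_label.source", "Monitored source")
label_proto.fields = { f_source }

-- Constructed mapping: replace with the session-ID plan of your own setup.
local SOURCES = {
    [10] = "Switch 1 - Interface 0",
    [20] = "Switch 2 - Interface 0",
    [24] = "Switch 2 - Interface 4",
}

function label_proto.dissector(tvb, pinfo, tree)
    -- Field extractor returns nil when the packet carries no ERSPAN header.
    local fi = spanid_field()
    if not fi then
        return
    end

    local id = fi.value
    -- Unmapped IDs stay visible instead of silently showing an empty column.
    local label = SOURCES[id] or string.format("Unknown (ERSPAN ID %d)", id)

    local subtree = tree:add(label_proto)
    -- Mark the item as generated: it is derived, not bytes from the wire.
    subtree:add(f_source, label):set_generated()
end

-- Run after the built-in dissectors so erspan.spanid is already populated.
register_postdissector(label_proto)
```

Saved as a `.lua` file in the personal Lua plugins folder (listed under Help > About Wireshark > Folders), this adds a "Monitored source" field to each ERSPAN packet, which can then be turned into a column with Apply as Column as described in the answer.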

