We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Full Access to our 651 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

470 Sign Ups in the last 30 days

100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: ,

Forum Replies

  1. You say for the destination you have to specify the source IP address, but I don’t see that anywhere in the config?

    Also is the GRE tunnel between the wireshark server and R1, rather than R1 and R2?


  2. Hello Chris.

    Yes, you are correct. @ReneMolenaar states that:

    For the destination we have to specify:

    • Source IP address: has to match with the origin IP address of the source session.

    It should read:

    • Source IP address, which is the same as the destination IP address of the corresponding source session

    as stated in Cisco Documentaiton.

    So, the Source IP address stated should be the IP address of the Wireshark PC as shown in the last line of Rene’s configuration:


    ... Continue reading in our forum

  3. Hello Micah

    Yes I stand corrected, the GRE header is included as the tunnel used by ERSPAN.



  4. There is also a slightly different way to configure the “sniffer” as a layer 2 device.

    Many sniffers will not use a layer 3 IP address on the network to sniff traffic, they will have an IP for management, but layer 2 interfaces with no IP for capturing network traffic.

    In this case you can configure the source and destination IP as a loopback on the remote router, and the destination interface as the layer 2 interface of the sniffer. In this case, the GRE header would surely be stripped on the router.

  5. You can also combine RSPAN and ERSPAN. For example it’s possible to create a rspan vlan and then use this vlan as source for the ERSPAN session. Later you can cut off the GRE Header to get the original frame:

    editcap -C 50 capture.pcap caputure_filtered.pcap

1 more reply! Ask a question or join the discussion by visiting our Community Forum