ERSPAN

Tired of getting out of your chair to perform pesky packet captures? This one's for you!

Essentially, this feature mirrors and encapsulates interface traffic and pumps it down a GRE tunnel to an IP destination.

This is the configuration for Nexus:

1. Configure the feature

conf t
monitor erspan origin ip-address 10.2.0.36 global
!
monitor session 1 type erspan-source
erspan-id 1
source interface ethernet 1/12
destination ip 10.10.120.6
vrf default
no shutdown

2. Turn off sFlow

After this configuration has been applied, you will need to turn off sFlow, as the two features cannot work side by side. Simply turning off the data sources is enough to keep ERSPAN happy. Just remember that if you're exporting all that juicy sFlow data to some special server, that special server is going to go hungry whilst you perform your ERSPAN capture. Like this:

Nexus_9k(config)# no sflow data-source interface Ethernet1/21
Nexus_9k(config)# no sflow data-source interface Ethernet1/24
Nexus_9k(config)# no sflow data-source interface Ethernet1/35
Nexus_9k(config)# no sflow data-source interface Ethernet1/36
Nexus_9k(config)# no sflow data-source interface Ethernet1/37
Nexus_9k(config)# no sflow data-source interface Ethernet1/38
Nexus_9k(config)# no sflow data-source interface Ethernet1/39
Nexus_9k(config)# no sflow data-source interface Ethernet1/40
Nexus_9k(config)# no sflow data-source interface Ethernet1/41

3. Start Wireshark and filter

Now start up your favorite packet capture app on your desktop and set a display filter of 'ERSPAN'.

4. Capture packets!

Turn on the ERSPAN capture by entering 'no shutdown' under the monitor session configuration.

Nexus_9k(config)#
Nexus_9k(config)# mon sess 1 type erspan-source
Nexus_9k(config-erspan-src)# no shut
Nexus_9k(config-erspan-src)#

Now you have a bunch of packets flying through your Wireshark session; capture what you want, then 'shut' the feature.

Nexus_9k(config)#
Nexus_9k(config)# mon sess 1 type erspan-source
Nexus_9k(config-erspan-src)# shut
Nexus_9k(config-erspan-src)#

5. Strip the headers!

Now if you look closely, you will find that you have a bunch of conversations between the switch and your PC (the one running Wireshark). What you are seeing is the outer GRE header; look closely at the packet.

In order to view the actual packets in raw form, you will need to strip the ERSPAN header from the packets.

See my YouTube video below on that.
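As an added example that is not part of the original post, here is a small Python parser that does step 5 in code rather than in the Wireshark GUI: it walks the outer Ethernet, IPv4 and GRE headers (including the optional GRE checksum, key and sequence fields), skips the ERSPAN Type II header (and, going beyond the Nexus setup above, a Type III header with its optional platform subheader), and returns the mirrored inner frame. The sample frame it parses is constructed inline for the example, not taken from a real capture; the outer MAC addresses in it are placeholders, and only the two IP addresses come from the post's configuration.

```python
"""Strip the outer Ethernet/IPv4/GRE/ERSPAN headers from a mirrored frame.

Added example, not code from the original post. The sample frame built by
build_sample_frame() is constructed by hand; it is not a captured packet.
"""
import struct
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47
GRE_PROTO_ERSPAN_II = 0x88BE   # ERSPAN Type I (no header) and Type II (8-byte header)
GRE_PROTO_ERSPAN_III = 0x22EB  # ERSPAN Type III (12-byte header, optional 8-byte subheader)


@dataclass
class ErspanInfo:
    version: int
    session_id: int      # the erspan-id configured on the switch
    vlan: int            # VLAN the frame was seen on, as reported by the switch
    inner_frame: bytes   # the mirrored Ethernet frame with all outer headers removed


def decapsulate(frame: bytes) -> ErspanInfo:
    """Return the inner (mirrored) frame plus ERSPAN metadata, or raise ValueError."""
    # Outer Ethernet header: dst(6) src(6) ethertype(2); no outer 802.1Q tag handled here.
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    off = 14

    # Outer IPv4 header: length comes from the IHL nibble, protocol must be GRE.
    vihl = frame[off]
    if vihl >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    if frame[off + 9] != IPPROTO_GRE:
        raise ValueError("outer IPv4 payload is not GRE")
    off += (vihl & 0x0F) * 4

    # GRE header (RFC 2784/2890): flags(2) protocol(2), then optional fields by flag bit.
    flags, gre_proto = struct.unpack_from("!HH", frame, off)
    off += 4
    if flags & 0x8000:  # C bit: checksum + reserved1
        off += 4
    if flags & 0x2000:  # K bit: key
        off += 4
    if flags & 0x1000:  # S bit: sequence number (set for ERSPAN Type II)
        off += 4

    if gre_proto == GRE_PROTO_ERSPAN_II:
        if not flags & 0x1000:
            # Type I carries no ERSPAN header; the inner frame follows GRE directly.
            return ErspanInfo(1, 0, 0, frame[off:])
        # Type II word 1: Ver(4) VLAN(12) COS(3) En(2) T(1) SessionID(10); word 2: index.
        w1, _index = struct.unpack_from("!II", frame, off)
        return ErspanInfo(w1 >> 28, w1 & 0x03FF, (w1 >> 16) & 0x0FFF, frame[off + 8:])

    if gre_proto == GRE_PROTO_ERSPAN_III:
        # Type III: word 1 as above, word 2 timestamp, word 3 ends with the O bit,
        # which announces an 8-byte platform-specific subheader before the frame.
        w1, _ts, w3 = struct.unpack_from("!III", frame, off)
        off += 12
        if w3 & 0x1:
            off += 8
        return ErspanInfo(w1 >> 28, w1 & 0x03FF, (w1 >> 16) & 0x0FFF, frame[off:])

    raise ValueError(f"GRE protocol 0x{gre_proto:04x} is not ERSPAN")


def build_sample_frame(type3: bool = False) -> bytes:
    """Constructed sample (not a real capture): outer Ethernet / IPv4 / GRE /
    ERSPAN Type II (or Type III with platform subheader) / inner Ethernet frame."""
    inner = (bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455")
             + struct.pack("!H", ETHERTYPE_IPV4) + bytes(range(20)))  # stub inner payload
    session_id, vlan = 1, 100  # erspan-id 1 as in the post; VLAN is a made-up value
    if type3:
        gre_proto = GRE_PROTO_ERSPAN_III
        erspan = struct.pack("!III", (2 << 28) | (vlan << 16) | session_id, 0x12345678, 0x1)
        erspan += b"\x00" * 8  # platform-specific subheader announced by the O bit
    else:
        gre_proto = GRE_PROTO_ERSPAN_II
        erspan = struct.pack("!II", (1 << 28) | (vlan << 16) | session_id, 0)
    gre = struct.pack("!HHI", 0x1000, gre_proto, 7)  # S bit set, sequence number 7
    total = 20 + len(gre) + len(erspan) + len(inner)
    # IPv4 header from origin 10.2.0.36 to destination 10.10.120.6 (the post's addresses);
    # checksum left at zero because the parser does not verify it.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, IPPROTO_GRE, 0,
                     bytes([10, 2, 0, 36]), bytes([10, 10, 120, 6]))
    outer_eth = (bytes.fromhex("0200000000aa") + bytes.fromhex("020000000001")
                 + struct.pack("!H", ETHERTYPE_IPV4))  # placeholder MACs
    return outer_eth + ip + gre + erspan + inner


if __name__ == "__main__":
    info = decapsulate(build_sample_frame())
    print(f"ERSPAN v{info.version} session {info.session_id} vlan {info.vlan}: "
          f"{len(info.inner_frame)}-byte inner frame")
```

Run `decapsulate` over each record of the pcap you saved from Wireshark and write the returned `inner_frame` values back out, and you have the raw mirrored frames without the GRE wrapper. One point worth keeping in mind when using this feature: the GRE stream carries the mirrored frames in the clear, so every hop between the switch and the destination IP sees the same traffic your capture does; treat the destination host and the VRF path it rides on as part of your monitoring trust boundary.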
