Cisco remote capture wireshark mac

1/19/2023

AOS switches have the option to monitor / copy traffic from port A to port B. You also have the option to send the monitor traffic to a remote switch or even to a remote host. When the remote host is running Wireshark, the monitored traffic can be analysed on the remote host.

First you need to configure the switch to send a copy of the traffic to a remote host. Use the following commands to create a monitor session to a remote host. In this case the switch is using IP address 172.18.9.3 with source port UDP/10999 and the remote host has IP address 172.18.11.233.

     endpoint        Remote mirroring destination configuration.
     port            Mirroring destination monitoring port.
     remote          Remote mirroring destination configuration.
     ip              Remote mirroring destination configuration.
    ASW-C01(config)# mirror 1 remote ip 172.18.9.2
                     Remote mirroring UDP encapsulation port.
    ASW-C01(config)# mirror 1 remote ip 172.18.9.2 10999
     IP-ADDR         Remote mirroring UDP encapsulation destination ip addr.
    ASW-C01(config)# mirror 1 remote ip 172.18.9.2 10999 172.18.11.233
     truncation      Enable truncation for Remote mirroring.
    The destination switch must be configured before proceeding.
    Has the remote switch been configured (y/n)? y

Next you need to configure the interface for which you would like to analyse the traffic.

    ASW-C01(eth-4/3)# monitor all both mirror 1
     no-tag-added    Don't add VLAN tag for this untagged-port

Traffic from port 4/3 is now sent to the remote host.

Now start Wireshark on the remote host and create a capture filter to capture only packets for port UDP/10999. Wireshark initially displays the captured packets in a form that is useless for analysing the traffic, because the packets are encoded as HP ERM packets. So the final step is to decode the traffic. Just right click on a packet and choose the option "Decode As…". Change the column Current from (none) to HP_ERM from the drop down list and choose OK. You could also choose from the menu Analyze > Decode As…

HP ERM, the Hewlett-Packard Encapsulated Remote Mirror protocol, is used by the HPE (Hewlett-Packard Enterprise) switches based on ProVision ASICs, formerly of the ProCurve family and now branded under Aruba Networks, a Hewlett Packard Enterprise company. Unlike Cisco RSPAN, HP ERM encapsulates the frames to be mirrored inside UDP datagrams with a proprietary header, allowing it to be transported over any IP network (like Cisco ERSPAN).