6 releases

0.2.2 Nov 9, 2023
0.2.1 Jan 31, 2021
0.1.2 Jan 30, 2021

#612 in Network programming

MIT license

363 lines


This is a helper library to unwraps original packet from GRE encapsulated packet. This is a handy utility for network monitoring apps receiving spanned traffic from a router in a remote destination.

The data encapsulated into a GRE packet might be SPAN data generated by Cisco or other supported routers. Encapsulated data can be delivered over TCP/IP network to a remote destination. In contrast to local SPAN port on router this is more flexible solution for network monitoring. The library enabled a Rust based service to decapsulate the original data from GRE encapsulated packet like ERSPAN.

The library was tested on ERSPAN Type II and III only on linux and Cisco router.

The entrypoint into the library is erspan_decap(packet_bytes) function that returns a Result with either ErspanHeader header or ErspanError. The header provides details from the encapsulation packet binary and the original_data_packet with spanned traffic from a router. The error come otherwise if the packet is an invalid data structure.

Parsing of the ipv6erspan is not covered yet.

More documentation


See examples in the project for Type2 or Type3 ERSPAN packet unwrapping

For type 2 packet run:

cargo run --example type_2

For type 3 packet run:

cargo run --example type_3

Monitoring GRE/ERSPAN packets from local interface

cargo run --example packet_capture <interface name>

Note: the example needs libpcap to be installed on *nix systems and Mac. For Widnows installation please refer to the libpnet's installation steps for WinPcap installation manual here

Building and testing

cargo build
cargo test

Configuring Linux machine to generate ERSPAN packets

Linux kernel has module to generate ERSPAN traffic as a copy of traffic on a local interface. Those steps shows configuration tested on Ubuntu 22 LTS for creating erspan network interface:

Creates new erspan interface reporting ERSPAN packets from to ip with version 2 and session id 1 from original interface ens4

sudo ifconfig ens4 mtu 1900
sudo ip link add dev erspan mtu 1900 type erspan seq key 10 local remote erspan_ver 2 erspan 1 dev ens4 erspan_dir egress erspan_dir ingress

This prevents kernel from dropping packets

sudo ip link set dev erspan type erspan noiseq

Sets interface up and running

sudo ip link set erspan up

Monitoring processing traffic using tcpdump

sudo tcpdump -i erspan

Duplicating traffic from ens4 to the erspan interface

tc qdisc add dev ens4 handle ffff: ingress
tc filter add dev ens4 parent ffff: matchall skip_hw action mirred egress mirror dev erspan


Check out our contributing guidelines for this project




~83K SLoC