6 releases
| 0.2.2 | Nov 9, 2023 |
|---|---|
| 0.2.1 | Jan 31, 2021 |
| 0.1.2 | Jan 30, 2021 |
#1132 in Network programming
23KB
363 lines
ERSPAN-RS
This is a helper library to unwraps original packet from GRE encapsulated packet. This is a handy utility for network monitoring apps receiving spanned traffic from a router in a remote destination.
The data encapsulated into a GRE packet might be SPAN data generated by Cisco or other supported routers. Encapsulated data can be delivered over TCP/IP network to a remote destination. In contrast to local SPAN port on router this is more flexible solution for network monitoring. The library enabled a Rust based service to decapsulate the original data from GRE encapsulated packet like ERSPAN.
The library was tested on ERSPAN Type II and III only on linux and Cisco router.
The entrypoint into the library is erspan_decap(packet_bytes) function that returns a Result with
either ErspanHeader header or ErspanError. The header provides details from the encapsulation packet
binary and the original_data_packet with spanned traffic from a router. The error come otherwise if the packet
is an invalid data structure.
Parsing of the ipv6erspan is not covered yet.
More documentation
- GRE packet structure and RFC see description on wikipedia
- Introduction to SPAN and remote ERSPAN
- Setting up ERSPAN on Cisco routers like Nexus 7000
- Cisco Network Analytics (aka Stealthwatch) ERPSAN decapsulation configuration guide see SNA Configuration Guide
- ERSPAN packets are supported on by Linu kernel as well, see
ip-linkman pages
Usage
See examples in the project for Type2 or Type3 ERSPAN packet unwrapping
For type 2 packet run:
cargo run --example type_2
For type 3 packet run:
cargo run --example type_3
Monitoring GRE/ERSPAN packets from local interface
cargo run --example packet_capture <interface name>
Note: the example needs libpcap to be installed on *nix systems and Mac. For Widnows installation please refer to
the libpnet's installation steps for WinPcap installation manual here
Building and testing
cargo build
cargo test
Configuring Linux machine to generate ERSPAN packets
Linux kernel has module to generate ERSPAN traffic as a copy of traffic on a local interface. Those steps shows configuration tested on Ubuntu 22 LTS for creating erspan network interface:
Creates new erspan interface reporting ERSPAN packets from 10.0.10.140 to ip 10.0.10.135 with version 2 and
session id 1 from original interface ens4
sudo ifconfig ens4 mtu 1900
sudo ip link add dev erspan mtu 1900 type erspan seq key 10 local 10.0.10.140 remote 10.0.10.135 erspan_ver 2 erspan 1 dev ens4 erspan_dir egress erspan_dir ingress
This prevents kernel from dropping packets
sudo ip link set dev erspan type erspan noiseq
Sets interface up and running
sudo ip link set erspan up
Monitoring processing traffic using tcpdump
sudo tcpdump -i erspan
Duplicating traffic from ens4 to the erspan interface
tc qdisc add dev ens4 handle ffff: ingress
tc filter add dev ens4 parent ffff: matchall skip_hw action mirred egress mirror dev erspan
Contributing
Check out our contributing guidelines for this project
License
See LICENSE
Dependencies
~3–4.5MB
~84K SLoC