Cisco Encapsulated Remote SPAN (ERSPAN) allows traffic on one or more ports to be monitored and the mirrored copy to be sent to one or more destination ports. The mirrored traffic is encapsulated in a GRE tunnel and routed across the network to the ERSPAN destination. Any device that supports ERSPAN can be used as the ERSPAN destination: it might be another Cisco device, or a Linux box with software installed that can decapsulate GRE traffic.

The goal of this article is to show methods and tools for decapsulating ERSPAN traffic. For this purpose I have built a simple lab that consists of a Cisco CSR 1000v router and two Linux boxes. Core Linux represents a network host and generates the network traffic (ICMP) that is going to be monitored; it is connected to port GigabitEthernet1 of the Cisco router. The router is configured to monitor traffic on port Gi1 and sends it, encapsulated in the GRE tunneling protocol, to IP address 10.230.10.1, which is the IP address of the ERSPAN destination configured on Linux Security Onion. Security Onion is a Linux distro for intrusion detection, network security monitoring and log management based on Ubuntu; however, any other Linux distro can be used.

Below is an example of the ERSPAN configuration on the CSR 1000v router.

CSR1000v# show running-config | b monitor

This is an ERSPAN session of type source with rspan_id 1 configured. Interface Gi1 is being monitored and the GRE traffic is sent to the ERSPAN destination IP address 10.230.10.1. You must also issue the command no shutdown after the command monitor session 1 type erspan-source in order to activate the session.

1. We are going to capture and analyze the ERSPAN traffic with the Wireshark packet sniffer. First configure the IP address 10.230.10.1 on interface eth1 of Linux Security Onion:

sudo ip address add 10.230.10.1/24 dev eth1

Now use Wireshark to capture GRE traffic on Security Onion's interface eth1 and ping the router IP address 192.168.1.2 from the Linux Core host (IP 192.168.1.1). If the ERSPAN source is properly configured on the router, packets from the subnet 192.168.1.0/24 should appear in the Wireshark output.

A closer look at the picture below reveals that the original ICMP packet (MAC header, IPv4 header and ICMP header) is now encapsulated as follows:

MAC header + IPv4 header (10.230.10.2, 10.230.10.1) + GRE header (protocol type ERSPAN) + ERSPAN header + (original packet)

Picture 2 - Encapsulated GRE Traffic Captured on Interface Eth1

The original ICMP packet is encapsulated into the GRE tunnel: a new outer MAC header plus IPv4 + GRE + ERSPAN headers are added in front of the original packet. This allows the encapsulated traffic to be forwarded through the network to the ERSPAN destination.

2. However, if we want a software application such as an IPS/IDS to analyze the encapsulated packets, the outer L2 and L3 headers must be stripped from the packet. This can be done with tools such as RCDCAP, which dissects packets from the GRE tunnel.

Configuring GRE tunnel on ERSPAN Destination Device

If for some reason we do not want to install special software that dissects packets from the GRE tunnel, we can configure a GRE tunnel on the ERSPAN destination (Linux Security Onion) and let the IDS listen on the tunnel interface.
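The header stack described above (outer MAC + IPv4 + GRE + ERSPAN header + original packet) is exactly what a decapsulation tool such as RCDCAP has to walk before an IDS can see the original frame. The Python script below is an added example written for this page; it is not the author's code and not RCDCAP. It parses an ERSPAN Type II frame (GRE protocol type 0x88BE) and returns the original Ethernet frame, and it builds a constructed sample packet modelled on the lab addresses (ICMP echo from 192.168.1.1 to 192.168.1.2, mirrored from 10.230.10.2 to 10.230.10.1). The use of ERSPAN Type II, the GRE sequence-number flag, session id 1 and the MAC addresses in the sample are assumptions; the page does not state which ERSPAN type the CSR 1000v sends, and Type III frames are rejected rather than parsed.

```python
"""Strip the outer MAC/IPv4/GRE/ERSPAN-II headers from a mirrored frame (added example)."""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47
GRE_PROTO_ERSPAN_II = 0x88BE            # ERSPAN Type II; Type III uses 0x22EB
GRE_FLAG_CSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ = 0x8000, 0x2000, 0x1000


@dataclass
class Decapsulated:
    outer_src: str
    outer_dst: str
    gre_seq: Optional[int]
    session_id: int
    vlan: int
    inner_frame: bytes                  # the original Ethernet frame seen on Gi1


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def decapsulate_erspan(frame: bytes) -> Decapsulated:
    """Walk outer MAC + IPv4 + GRE + ERSPAN Type II and return the encapsulated frame."""
    if len(frame) < 14 + 20 + 4 + 8 + 14:
        raise ValueError("frame too short to carry an ERSPAN payload")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    off = 14
    vihl = frame[off]
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20:
        raise ValueError("bad outer IPv4 header")
    total_len = struct.unpack("!H", frame[off + 2:off + 4])[0]
    if frame[off + 9] != IPPROTO_GRE:
        raise ValueError("outer IPv4 payload is not GRE")
    outer_src, outer_dst = _ip(frame[off + 12:off + 16]), _ip(frame[off + 16:off + 20])
    ip_end = off + total_len            # drop any Ethernet padding after the datagram
    off += ihl
    flags, proto = struct.unpack("!HH", frame[off:off + 4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    if proto != GRE_PROTO_ERSPAN_II:
        raise ValueError("GRE payload 0x%04x is not ERSPAN Type II" % proto)
    off += 4
    if flags & GRE_FLAG_CSUM:
        off += 4                        # checksum + reserved1
    if flags & GRE_FLAG_KEY:
        off += 4
    seq = None
    if flags & GRE_FLAG_SEQ:            # Cisco ERSPAN normally carries a sequence number
        seq = struct.unpack("!I", frame[off:off + 4])[0]
        off += 4
    # ERSPAN II header: Ver(4) VLAN(12) COS(3) En(2) T(1) SessionID(10) | Reserved(12) Index(20)
    word1, _index = struct.unpack("!II", frame[off:off + 8])
    if word1 >> 28 != 1:
        raise ValueError("ERSPAN header version is not 1 (Type II)")
    off += 8
    return Decapsulated(outer_src, outer_dst, seq,
                        session_id=word1 & 0x03FF, vlan=(word1 >> 16) & 0x0FFF,
                        inner_frame=frame[off:ip_end])


def _csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def _ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    hdr = hdr[:10] + struct.pack("!H", _csum(hdr)) + hdr[12:]
    return hdr + payload


def build_sample_erspan_frame(session_id: int = 1, seq: int = 7) -> bytes:
    """Constructed packet modelled on the lab: ICMP echo 192.168.1.1 -> 192.168.1.2,
    mirrored by the router (10.230.10.2) to Security Onion (10.230.10.1).
    MAC addresses, GRE sequence and ERSPAN session id are assumed values."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x4242, 1) + b"ping-payload"
    icmp = icmp[:2] + struct.pack("!H", _csum(icmp)) + icmp[4:]
    inner = (bytes.fromhex("0c1122334455") + bytes.fromhex("0c66778899aa")
             + struct.pack("!H", ETHERTYPE_IPV4) + _ipv4("192.168.1.1", "192.168.1.2", 1, icmp))
    erspan = struct.pack("!II", (1 << 28) | session_id, 0)      # Ver=1, VLAN 0, index 0
    gre = struct.pack("!HHI", GRE_FLAG_SEQ, GRE_PROTO_ERSPAN_II, seq)
    outer_ip = _ipv4("10.230.10.2", "10.230.10.1", IPPROTO_GRE, gre + erspan + inner)
    return (bytes.fromhex("0c0000000001") + bytes.fromhex("0c0000000002")
            + struct.pack("!H", ETHERTYPE_IPV4) + outer_ip)


if __name__ == "__main__":
    d = decapsulate_erspan(build_sample_erspan_frame())
    print("outer %s -> %s, GRE seq %s, ERSPAN session %d, VLAN %d"
          % (d.outer_src, d.outer_dst, d.gre_seq, d.session_id, d.vlan))
    print("inner frame (%d bytes): %s" % (len(d.inner_frame), d.inner_frame.hex()))
```

Run it with python3 and it prints the outer tunnel endpoints plus the recovered 54-byte inner frame, which starts with the original MAC header and carries the 192.168.1.x ICMP packet. Two details matter for a real capture: the outer IPv4 total length is used to cut off Ethernet padding, and the GRE flags are honoured so that a checksum, key or sequence field shifts the ERSPAN header offset correctly. Any frame whose GRE protocol type is not 0x88BE is rejected with a ValueError instead of being mis-parsed.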