This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

ERSPAN Tap port on decoder from multiple ESX Hosts

RSAAdmin
Beginner
Beginner

‎2014-03-12 12:09 AM

Hello Everyone,

 

We are installing the All-In-One Netwitness virtual appliance suite and I'd like the Decoder to be able to be vmotioned to/from any one of three ESX 5.5 hosts. The span port will be a L3 Mirror port created on our VDS (Virtual Distributed Switch) and this basically encapsulates all mirror/span traffic from selected VMWare guests into GRE packets which are routed to our Decoder (Not a high volume TAP environment). This allows the Decoder to be Vmotioned from Host to Host however at the moment the traffic arrives encapsulated in GRE. What would be the best way to remove the GRE headers on the Decoder before the traffic actually enters the Decoder for processing?

 

Many thanks

0 Likes
3 REPLIES 3

RichardB
Frequent Contributor
Frequent Contributor

‎2020-03-30 08:34 AM

I know this is an old question but it came up when I searched for ERSPAN. I'm hoping a NetWitness 11.4 Decoder will process the data inside a GRE tunnel. Can anyone confirm or deny this feature?

0 Likes

RafaelSampaio
Contributor Contributor
Contributor

‎2020-03-31 08:46 AM

This may help you Virtual Host Setup: Step 4. Configure Host-Specific Parameters 

Virtual taps encapsulate the captured traffic in a GRE tunnel. Depending on the type you choose, either of these scenarios may apply:

  • An external host is required to terminate the tunnel, and the external host directs the traffic to the Decoder interface.
  • The tunnel send traffic directly to the Decoder interface, where NetWitness Platform handles the de-encapsulation of the traffic.

RichardB
Frequent Contributor
Frequent Contributor
In response to RafaelSampaio

‎2020-03-31 11:49 AM

Thanks! With the help of support I have also found the VlanGRE parser that is used to decapsulate the GRE traffic. My only question now is if this parser supports the GRE protocol types from RFC1701 only or if the ERSPAN protocol types 0x88BE and 0x22EB are also supported. See https://tools.ietf.org/html/rfc1701 and https://tools.ietf.org/html/draft-foschiano-erspan-03

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.