This is very handy for quick analysis of traffic that's not L2-adjacent to an analysis station.
First, create a local mirror session:
mirroring-group 1 local
Next, configure an unused physical interface for use by tunnel interfaces:
service-loopback group 1 type tunnel
interface <unused-interface>
port service-loopback group 1
quit
Now configure a GRE tunnel interface as the destination for the mirror group:
interface Tunnel0 mode gre
source <whatever>
destination <machine running wireshark>
mirroring-group 1 monitor-port
quit
Finally, configure the source interface(s):
interface <interesting-source-interface-1>
mirroring-group 1 mirroring-port inbound
interface <interesting-source-interface-2>
mirroring-group 1 mirroring-port inbound
Traffic from the source interfaces arrives at the analyzer with extra Ethernet/IP/GRE headers attached. Inside each GRE payload is the original frame as collected at a mirroring-group source interface. If the original traffic with extra headers attached (14+20+4 == 38 bytes) exceeds MTU, then the switch fragments the frame. Nothing gets lost and Wireshark handles it gracefully.
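Added example (not part of the original post): a Python function that removes the outer Ethernet/IPv4/GRE headers described above and returns the mirrored frame, for offline processing of captured packets. It assumes an untagged outer Ethernet header; the GRE protocol type in the constructed sample is an assumption, and fragments are skipped because they must be reassembled before decapsulation.

```python
import struct

ETH_LEN, IPPROTO_GRE = 14, 47  # untagged outer Ethernet header; IP protocol number for GRE

def strip_gre(frame: bytes):
    """Return (gre_protocol_type, inner_frame), or None if not an unfragmented GRE packet."""
    if len(frame) < ETH_LEN + 20 or frame[12:14] != b"\x08\x00":
        return None                          # too short, or outer frame is not IPv4
    ip = ETH_LEN
    ihl = (frame[ip] & 0x0F) * 4             # IPv4 header length, options included
    if frame[ip] >> 4 != 4 or ihl < 20 or frame[ip + 9] != IPPROTO_GRE:
        return None
    total_len, _ident, flags_frag = struct.unpack_from("!HHH", frame, ip + 2)
    if flags_frag & 0x3FFF:                  # MF bit set or fragment offset nonzero
        return None                          # a fragment: reassemble before stripping
    gre, end = ip + ihl, ip + total_len      # 'end' excludes any Ethernet padding
    if end > len(frame) or gre + 4 > end:
        return None
    gre_flags, proto = struct.unpack_from("!HH", frame, gre)
    if gre_flags & 0x4007:                   # routing bit or nonzero version: not handled
        return None
    # Optional checksum, key and sequence fields add 4 bytes each when flagged.
    start = gre + 4 + 4 * sum(bool(gre_flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    if start > end:
        return None
    return proto, frame[start:end]

# Constructed sample data: a 60-byte inner frame and a helper that wraps it.
INNER = bytes.fromhex("ffffffffffff" "020000000001" "0806") + bytes(46)

def wrap(inner: bytes, frag: int = 0, key=None) -> bytes:
    """Build an outer Ethernet/IPv4/GRE packet around 'inner' (constructed, checksum left 0)."""
    gre = struct.pack("!HH", 0x2000 if key is not None else 0, 0x6558)  # type is an assumption
    if key is not None:
        gre += struct.pack("!I", key)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre) + len(inner), 1, frag,
                         64, IPPROTO_GRE, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return bytes.fromhex("020000000002" "020000000003" "0800") + ip_hdr + gre + inner

if __name__ == "__main__":
    outer = wrap(INNER)
    proto, inner = strip_gre(outer)
    print(f"overhead={len(outer) - len(inner)} bytes, gre_type={proto:#06x}, ok={inner == INNER}")
```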
This was a fantastic write up -- even with my RTFM-fu, the comware manuals did not make this evident. Thanks!!
Do you know of a way to strip the GRE header off?
Nice, but only the datacenter series of HPE switches (FlexFabric series) supports the tunnel commands ("interface tunnelx ..").
The access series switches (FlexNetwork series) do not support it.
The article is misleading!
Sorry you feel misled, Anon. I'll process your refund immediately.