On Wed, Jan 13, 2010 at 11:37 AM, Bill Meier <wmeier@xxxxxxxxxxx> wrote:
> Let me see if I understand your request:
>
> 1. By "remote packet capture" I expect you mean the use of the "remote
> traffic mirroring" capability as described in the ProCurve "Management
> and Configuration Guide". Is this correct ?
Yes.
> 2. It sounds like you want to capture/decode the ProCurve remote traffic
> mirroring frames being sent on the network as opposed to using Wireshark
> to capture the mirrored traffic on the "exit port" of a "remote switch".
Correct.
> A question: (I'm kinda new to this stuff). What is gained by capturing
> the encapsulated traffic as opposed to just capturing the traffic on the
> "exit port" ?
I can direct the ERSPAN traffic at a remote monitoring station, and
perform the capture/analysis right there. Wireshark understands Cisco
ERSPAN, which allows me to capture and decode the encapsulated capture
directly.
> In any case, a starting point would be to post a small capture
> containing the encapsulated remote capture packets.
That I can do.
> I suggest opening a enhancement request on bugs.wireshark.org and
> attaching the capture file to to the request.
Thanks for the suggestion, will do so.
Tim:>