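#!/bin/bash
# Use erspan-capture (expected to be in PATH) to capture ERSPAN data
# and serve it to tcpdump. This script automatically adds "-nn" to
# the tcpdump options!
#
# Usage:
#   remotedump [-i <erspan-id>] [-v <vlan-id>] [-r <peer-address>] [tcpdump options ...]
#
#   -i/--erspanid     Only accept packets with this ERSPAN ID
#   -v/--vlan         Only accept packets with this VLAN ID
#   -r/--remote-peer  Only accept packets from this source address
#
# Beware that these options are already used by tcpdump, so
# they have to appear in the beginning. The first unrecognized
# option and all following options are passed to tcpdump.
#
# Example ERSPAN configuration:
#
#   monitor session 1 type erspan-source
#    source interface GigabitEthernet4/4
#    destination
#     erspan-id 10
#     ip address 192.0.2.10
#     origin ip address 198.51.100.1
#    no shutdown
#    exit
#   !
#
# Assuming Gi4/4 carries packets from VLAN 238 you could use
#
#   remotedump -i 10 -v 238 -r 198.51.100.1 -c 10
#
# Where "-c 10" is the first tcpdump option.

#######################################
# Split the command line into erspan-capture filters and tcpdump options.
# Globals:   erspanid_args, remote_peer_args, vlan_args, tcpdump_args
#            (all written; every array is reset on entry, so nothing
#            inherited from the caller's environment reaches either tool)
# Arguments: the script's command line
# Outputs:   an error message on stderr for a malformed filter value
# Returns:   0; exits the script with status 1 on a malformed filter value
#######################################
parse_filter_args() {
  erspanid_args=()
  remote_peer_args=()
  vlan_args=()
  tcpdump_args=()

  while (( $# > 0 )); do
    case "$1" in
      --erspanid|-i)
        # Digits only, so the value cannot start with "-" and be taken
        # for another option by erspan-capture.
        if [[ -n "${2-}" && -z "${2//[0-9]/}" ]]; then
          erspanid_args=(-i "$2")
          shift 2
        else
          echo "--erspanid/-i expects a numeric argument" >&2
          exit 1
        fi
        ;;
      --remote-peer|-r)
        # NOTE: this is a character-class filter (digits and dots), not a
        # full IPv4 syntax check; a value such as "999.1" still passes and
        # is left for erspan-capture to reject.
        if [[ -n "${2-}" && -z "${2//[0-9.]/}" ]]; then
          remote_peer_args=(-r "$2")
          shift 2
        else
          echo "--remote-peer/-r expects an IP address" >&2
          exit 1
        fi
        ;;
      --vlan|-v)
        if [[ -n "${2-}" && -z "${2//[0-9]/}" ]]; then
          vlan_args=(-v "$2")
          shift 2
        else
          echo "--vlan/-v expects a VLAN ID" >&2
          exit 1
        fi
        ;;
      *)
        # First unrecognized word: it and everything after it belong to tcpdump.
        break
        ;;
    esac
  done

  tcpdump_args=("$@")
}

parse_filter_args "$@"

# Arrays are expanded quoted so that tcpdump options and filter expressions
# arrive exactly as typed: no word splitting, and no pathname expansion of
# expressions such as 'ip[0] & 0xf != 5' against files in the current directory.
erspan-capture "${erspanid_args[@]}" "${remote_peer_args[@]}" "${vlan_args[@]}" \
  | tcpdump -r - -nn "${tcpdump_args[@]}"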