Users Guide
As seen in the above figure, the packets received/transmitted on Port A will be encapsulated with an IP/GRE header plus a new
L2 header and sent to the destination ip address (Port D’s ip address) on the sniffer. The Header that gets attached to the
packet is 38 bytes long.
If the sniffer does not support IP interface, a destination switch will be needed to receive the encapsulated ERPM packet and
locally mirror the whole packet to the Sniffer or a Linux Server.
Decapsulation of ERPM packets at the Destination IP/ Analyzer
● In order to achieve the decapsulation of the original payload from the ERPM header. The below two methods are suggested :
1. Using Network Analyzer
○ Install any well-known Network Packet Analyzer tool which is open source and free to download.
○ Start capture of ERPM packets on the Sniffer and save it to the trace file (for example : erpmwithheader.pcap).
○ The Header that gets attached to the packet is 38 bytes long. In case of a packet with L3 VLAN, it would be 42 bytes
long. The original payload /original mirrored data starts from the 39
th
byte in a given ERPM packet. The first 38/42
bytes of the header needs to be ignored/ chopped off.
○ Some tools support options to edit the capture file. We can make use of such features (for example: editcap ) and
chop the ERPM header part and save it to a new trace file. This new file (i.e. the original mirrored packet) can be
converted back into stream and fed to any egress interface.
2. Using Python script
○ Either have a Linux server's ethernet port ip as the ERPM destination ip or connect the ingress interface of the
server to the ERPM MirrorToPort. The analyzer should listen in the forward/egress interface. If there is only one
interface, one can choose the ingress and forward interface to be same and listen in the tx direction of the interface.
○ Download/ Write a small script (for example: erpm.py) such that it will strip the given ERPM packet starting from
the bit where GRE header ends. Basically all the bits after 0x88BE need to be removed from the packet and sent out
through another interface.
○ This script erpm.zip is available for download at the following location: https://en.community.dell.com/techcenter/
networking/m/force10_networking_scripts/20438882.aspx
○ Unzip the erpm.zip and copy the erpm.py file to the Linux server.
○ Run the python script using the following command:
python erpm.py -i <ingress interface> -o <egress interface>
erpm.py : This is the script downloaded from the script store.
<Ingress interface> : Specify the interface id which is connected to the mirroring port or this should be interface whose ip
address has been specified as the destination ip address in the ERPM session.
<Egress interface> : Specify another interface on the Linux server via which the decapsulation packets can Egress. In case
there is only one interface, the ingress interface itself can be specified as Egress and the analyzer can listen in the tx direction.
Port Monitoring on VLT
Devices on which VLT is configured are seen as a single device in the network. You can apply port monitoring function on the
VLT devices in the network.
Port monitoring enables ingress or egress traffic traversing on a port to be sent to another port so that the traffic can be
analyzed. The port to which traffic is sent for analysis is called the mirroring port. This port is connect to a port analyzer, which
performs the traffic analysis function.
Depending up on the location of the port to which the port analyzer is connected, port monitoring is classified into three
categories: local Port mirroring, remote port mirroring (RPM), and encapsulated remote port mirroring (ERPM).
In VLT RPM, Dell EMC Networking OS supports only 3 Mirror-to-Port (MTPs) in hardware.
By default, 2 MTPs are used for ICL lag in VLT. The remaining one MTP is used to mirror only in one direction, either rx or tx.
Port Monitoring
665