Created
March 11, 2025 20:47
-
-
Save renini/edc40754efaa450d2cfc8cb069f59bb6 to your computer and use it in GitHub Desktop.
Create ERSPAN Type I Frame in PCAP to review bug in viewer
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from scapy.all import * | |
| from scapy.contrib.erspan import ERSPAN_I # Import ERSPAN Type I from Scapy | |
| import time # To use the current time or custom timestamp | |
| # Outer Ethernet and IP header (ERSPAN transport) | |
| outer_eth = Ether(src="00:11:22:33:44:55", dst="66:77:88:99:AA:BB") | |
| outer_ip = IP(src="192.168.1.100", dst="192.168.2.200", ttl=64) | |
| # GRE header with ERSPAN (protocol 0x88BE) | |
| gre_header = GRE(proto=0x88BE) | |
| # ERSPAN Type I Header (just using the ERSPAN_I class without custom fields) | |
| erspan_header = ERSPAN_I() # Default, using the simple ERSPAN Type I header | |
| # Encapsulated (mirrored) TCP packet | |
| inner_eth = Ether(src="00:e0:1c:3c:17:c2", dst="00:1f:33:d9:81:60") | |
| inner_ip = IP(src="10.10.1.4", dst="74.53.140.153") | |
| inner_tcp = TCP(sport=1470, dport=25, flags="S") # SYN from 1470 to 25 | |
| # Construct the full ERSPAN packet | |
| erspan_packet = outer_eth / outer_ip / gre_header / erspan_header / inner_eth / inner_ip / inner_tcp | |
| # Specify the timestamp (in seconds since epoch) | |
| custom_timestamp = 1254722768.565386000 # Custom timestamp | |
| erspan_packet.time = custom_timestamp | |
| # Save to PCAP file | |
| pcap_filename = "erspan_type_i.pcap" | |
| wrpcap(pcap_filename, erspan_packet) | |
| print(f"✅ ERSPAN Type I packet saved to {pcap_filename} with timestamp {custom_timestamp}") |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment