Hoping to see if someone has gotten Zeek to work with ERSPAN span sessions.
I am doing ERSPAN from a Cisco Nexus switch to a VMware host. I can see the traffic at the host and do tcpdump captures without any problems.
When attempting to use Zeek (3.0 or 2.6.3), all I get is entries in the weird log for the ERSPAN traffic.
I noticed someone previously posted that it may be a GRE type issue, and that it appears someone modified a source file to get things to work.
Here is the frame/packet header info from the ERSPAN traffic from the Nexus 9k.
As you can see, it is type 0x88be.
I have used Zeek quite a bit in the past with regular SPAN sessions and TAPs, but having the capability to use ERSPAN would be a great benefit, as it allows pulling in traffic from many sections of the network without having to worry about the physical device requirements of regular SPAN and TAPs.
I utilize ERSPAN quite a bit with tshark/wireshark to capture just the traffic I care about in a datacenter.
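For anyone chasing the same thing, here is a small added example (not from the post above and not Zeek's own code) of what the encapsulation on the wire looks like and what a sensor has to strip before the mirrored traffic can be analysed. It builds a constructed ERSPAN frame the way a switch emits it, outer Ethernet / IPv4 / GRE with protocol type 0x88be, optionally followed by the 8-byte ERSPAN Type II header, and then decapsulates it back to the inner frame, distinguishing Type I (bare GRE, no flags) from Type II (GRE S bit set, sequence number present) the way the ERSPAN draft and Wireshark do. Type III uses GRE type 0x22eb and a different header, so it is rejected rather than guessed at. The MAC and IP addresses, session ID 5 and VLAN 100 are made up for the example; header layouts follow RFC 2784/2890 for GRE and draft-foschiano-erspan for ERSPAN.

```python
"""Added example (not Zeek code): build and decapsulate ERSPAN Type I/II frames.

Outer headers are Ethernet / IPv4 / GRE (protocol type 0x88BE) and, for
Type II, an 8-byte ERSPAN header; the mirrored frame follows. Addresses,
MACs, session ID and VLAN below are constructed sample values.
"""
import struct

ETH_P_IPV4 = 0x0800
IPPROTO_GRE = 47
GRE_FLAG_CKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ = 0x8000, 0x2000, 0x1000
GRE_PROTO_ERSPAN_I_II = 0x88BE   # the GRE protocol type seen in the Nexus capture
GRE_PROTO_ERSPAN_III = 0x22EB    # Type III uses a different type and header


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header (IHL=5, TTL 64) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)
    s = sum(struct.unpack("!10H", hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return hdr[:10] + struct.pack("!H", ~s & 0xFFFF) + hdr[12:]


def erspan2_header(session_id: int, vlan: int, cos: int = 0, index: int = 0) -> bytes:
    """ERSPAN Type II header: Ver(4)|VLAN(12)|COS(3)|En(2)|T(1)|Session(10), then Rsvd(12)|Index(20)."""
    word1 = (1 << 28) | ((vlan & 0xFFF) << 16) | ((cos & 0x7) << 13) | (session_id & 0x3FF)
    return struct.pack("!II", word1, index & 0xFFFFF)


def build_erspan_frame(inner: bytes, session_id: int, vlan: int, type2: bool = True, seq: int = 1) -> bytes:
    """Wrap a mirrored frame the way a switch does: Ethernet / IPv4 / GRE [/ ERSPAN] / inner frame."""
    if type2:
        # Type II: GRE S bit set, 4-byte sequence number, then the 8-byte ERSPAN header.
        gre = struct.pack("!HHI", GRE_FLAG_SEQ, GRE_PROTO_ERSPAN_I_II, seq) + erspan2_header(session_id, vlan)
    else:
        # Type I: bare GRE with no flags and no ERSPAN header at all.
        gre = struct.pack("!HH", 0, GRE_PROTO_ERSPAN_I_II)
    payload = gre + inner
    outer_ip = ipv4_header(bytes([10, 1, 1, 1]), bytes([10, 1, 1, 2]), IPPROTO_GRE, len(payload))
    outer_eth = bytes.fromhex("0200000000aa") + bytes.fromhex("0200000000bb") + struct.pack("!H", ETH_P_IPV4)
    return outer_eth + outer_ip + payload


def gre_header_len(flags: int) -> int:
    """GRE header is 4 bytes plus 4 for each of the C, K and S bits that is set (RFC 2784/2890)."""
    return 4 + 4 * bool(flags & GRE_FLAG_CKSUM) + 4 * bool(flags & GRE_FLAG_KEY) + 4 * bool(flags & GRE_FLAG_SEQ)


def decapsulate_erspan(frame: bytes) -> dict:
    """Strip outer Ethernet / IPv4 / GRE / ERSPAN and return the inner frame plus ERSPAN metadata."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV4:
        raise ValueError("outer frame is not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_GRE:
        raise ValueError("outer IPv4 protocol is not GRE (47)")
    gre = ip[ihl:]
    flags, proto = struct.unpack("!HH", gre[:4])
    hlen = gre_header_len(flags)
    if proto == GRE_PROTO_ERSPAN_III:
        raise ValueError("ERSPAN Type III (0x22EB) carries a 12-byte header; not handled here")
    if proto != GRE_PROTO_ERSPAN_I_II:
        raise ValueError("GRE protocol 0x%04x is not ERSPAN" % proto)
    payload = gre[hlen:]
    if flags & GRE_FLAG_SEQ:
        # Sequence number present means a Type II header follows (the draft's and Wireshark's rule).
        seq = struct.unpack("!I", gre[hlen - 4:hlen])[0]
        word1, word2 = struct.unpack("!II", payload[:8])
        return {"erspan_type": 2, "version": word1 >> 28, "vlan": (word1 >> 16) & 0xFFF,
                "cos": (word1 >> 13) & 0x7, "session_id": word1 & 0x3FF, "index": word2 & 0xFFFFF,
                "gre_seq": seq, "inner_frame": payload[8:]}
    return {"erspan_type": 1, "vlan": None, "session_id": None, "gre_seq": None, "inner_frame": payload}


def inner_summary(inner: bytes) -> tuple:
    """(src_ip, dst_ip, ip_proto, dst_port) of a plain Ethernet / IPv4 / TCP-or-UDP inner frame."""
    ip = inner[14:]
    ihl = (ip[0] & 0x0F) * 4
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
    return src, dst, ip[9], dport


# Constructed mirrored frame: Ethernet / IPv4 192.0.2.10 -> 198.51.100.20 / TCP SYN to port 443.
INNER_TCP = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
INNER_FRAME = (bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + struct.pack("!H", ETH_P_IPV4)
               + ipv4_header(bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]), 6, len(INNER_TCP)) + INNER_TCP)

if __name__ == "__main__":
    for t2 in (True, False):
        d = decapsulate_erspan(build_erspan_frame(INNER_FRAME, session_id=5, vlan=100, type2=t2))
        print("ERSPAN type", d["erspan_type"], "session", d["session_id"], "vlan", d["vlan"],
              inner_summary(d["inner_frame"]))
```

Running it shows the same inner 5-tuple recovered from both a Type II and a Type I wrapper; a sensor that stops at the GRE layer and does not know 0x88be sees only the outer 10.1.1.1 -> 10.1.1.2 GRE flow, which is why the mirrored traffic never reaches the normal connection logs.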