Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

ERSPAN on Linux





The IPv4 ERSPAN option was added to the Linux kernel in 4.14 and it is based on existing kernel modules. It allows machines to act as an ERSPAN traffic source sending the ESPAN encapsulated mirrored traffic to the remote host.

It requires only the iproute2 package which is generally part of all modern distributions.

This functionality allows us to mirror the incoming/outgoing traffic of a machine to the Flowmon monitoring interface with configured ERSPAN decapsulation. For example in AWS, inter-region and availability zone traffic isn’t charged and this can allow free network monitoring for a certain server.


Product: Flowmon Probe

Version: Any

Platform: Any

Question/Problem Description:


Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  

Root permissions for the source machine are required. This approach has been tested on Debian 12 with kernel 6.1.0-11.

ERSPAN mirroring can be configured with these commands (run on the machine whose traffic should be mirrored, not on the Flowmon appliance):

ip link add dev myerspan type erspan seq key 30 local remote erspan_ver 1 erspan 123
tc qdisc add dev ens192 handle ffff: ingress
tc filter add dev ens192 parent ffff: matchall skip_hw action mirred egress mirror dev myerspan
ifup myerspan
  • "myerspan" is the name of the ERSPAN interface,
  • is the source address of the local machine,
  • is an ERSPAN destination IP configured on the Flowmon monitoring interface,
  • ens192 is the network interface whose traffic should be mirrored to the Flowmon monitoring interface.

A black and white text

Description automatically generated with medium confidence

The monitoring port of the Flowmon appliance has to have an IP address configured and ERSPAN decapsulation has to be enabled there.


Was this article helpful?
0 out of 0 found this helpful