tshark

Nifty filters:

ErSpanID: ether[44:2] contains the ERSPAN ID along with some other info that is not needed here. The ID is in the last 10 bits, so we use a mask.

Mask for the last 10 bits of the two bytes: 0000 0011 1111 1111 = 0x3FF

Thus the expression becomes: (ether[44:2] & 0x3FF == 0x129), which matches any packet where the ErSpanID = 297

So the filter is applied thus: tshark -i eth0 -f "(ether[44:2] & 0x3FF == 0x129)"
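The mask and the fixed offset can be checked offline before trusting the filter on a live span port. This is an added example, not part of the original note: the function names are hypothetical, the frames are constructed, and it assumes the ERSPAN Type II layout (GRE protocol 0x88BE with a sequence number, IPv4 transport), under which offset 44 only holds for untagged Ethernet and an IPv4 header without options.

```python
import struct

ID_MASK = 0x3FF  # low 10 bits of the 16-bit word carry the session ID

def capture_filter(session_id: int, offset: int = 44) -> str:
    """Build the capture filter shown above for a decimal session ID."""
    if not 0 <= session_id <= ID_MASK:
        raise ValueError("ERSPAN session ID must fit in 10 bits (0-1023)")
    return f"(ether[{offset}:2] & 0x{ID_MASK:X} == 0x{session_id:X})"

def erspan_word_offset(frame: bytes) -> int:
    """Walk Ethernet/IPv4/GRE and return the offset of the session-ID word."""
    off = 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    if ethertype == 0x8100:            # 802.1Q tag shifts every header by 4
        off += 4
        (ethertype,) = struct.unpack_from("!H", frame, off)
    ip = off + 2
    if ethertype != 0x0800 or frame[ip + 9] != 47:
        raise ValueError("not GRE over IPv4")
    gre = ip + (frame[ip] & 0x0F) * 4  # IHL: IP options move the GRE header
    flags, proto = struct.unpack_from("!HH", frame, gre)
    if proto != 0x88BE or not flags & 0x1000:
        raise ValueError("not ERSPAN Type II (needs GRE sequence number)")
    return gre + 8 + 2                 # GRE header + seq, then skip Ver/VLAN

def session_id(frame: bytes, offset=None) -> int:
    """Apply the 0x3FF mask at a fixed offset, or at the walked one."""
    if offset is None:
        offset = erspan_word_offset(frame)
    (word,) = struct.unpack_from("!H", frame, offset)
    return word & ID_MASK

def build_frame(sid: int, cos: int = 5, vlan_tagged: bool = False) -> bytes:
    """Constructed sample frame (zeroed addresses, no payload)."""
    eth = bytes(12) + (b"\x81\x00\x00\x0a" if vlan_tagged else b"") + b"\x08\x00"
    ip = bytes([0x45]) + bytes(8) + bytes([47]) + bytes(10)
    gre = struct.pack("!HHI", 0x1000, 0x88BE, 1)
    erspan = struct.pack("!HHI", 0x1000 | 100, (cos << 13) | (1 << 10) | sid, 0)
    return eth + ip + gre + erspan

if __name__ == "__main__":
    plain, tagged = build_frame(297), build_frame(297, vlan_tagged=True)
    print(capture_filter(297))
    print(erspan_word_offset(plain), session_id(plain, 44))    # mask strips COS/En/T
    print(erspan_word_offset(tagged), session_id(tagged, 44))  # fixed offset misses
```

If the transport frames carry an 802.1Q tag, the ether[44:2] filter drops them silently; capture_filter(297, offset=48) gives the shifted expression for that case.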