
Flow Enhancements: ERSPAN Processing and MAC Address Parsing

By Sambhav Sahoo posted 3 days ago


The UP13 release of QRadar introduces two practical updates to Flows: ERSPAN traffic handling and MAC address parsing in flow data. Both address common challenges in traffic visibility and asset identification.

Flows represent summaries of network communications between devices. Each flow contains metadata such as source and destination IPs, ports, protocols, and other context that helps security teams understand traffic patterns. QRadar uses flow data to detect anomalies, investigate threats, and track device behavior across the network.

ERSPAN Traffic Handling

Encapsulated Remote Switch Port Analyzer (ERSPAN) lets a network device mirror traffic and send it over an IP network to a collector, and network teams often use it to mirror traffic from remote or virtualized environments. ERSPAN wraps each mirrored packet in GRE (Generic Routing Encapsulation), so the copies can be routed across different network segments to wherever the collector sits.

Prior to UP13, QRadar could only capture the ERSPAN tunnel headers without decoding the inner packet. As a result, critical traffic content from remote sites remained inaccessible for inspection.

With the new update, QRadar can now process ERSPAN-encapsulated traffic. This change enables the system to extract and analyze mirrored packets sent over IP from remote locations.

This capability offers several advantages:

  • Network administrators can observe traffic in areas where physical sensors are not deployed, including cloud and virtual infrastructure.

  • Organizations can reduce reliance on dedicated hardware probes by forwarding mirrored traffic directly from supported devices.

  • With full access to encapsulated packet content, QRadar can perform more complete analysis for threat detection and forensic review.
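To make the "decode the inner packet" step concrete, here is an added example (not QRadar code, and not from the post's author) that walks an ERSPAN-over-GRE packet from the outer IPv4 header, through the GRE flags, past the ERSPAN session header and into the mirrored Ethernet frame, returning the fields a flow record would be built from. It handles ERSPAN Type I, II and III as defined by the GRE protocol type and flag bits; the sample packet is constructed for the example, and the MAC and IP addresses in it are arbitrary.

```python
"""Decapsulate an ERSPAN-over-GRE mirror packet and summarise the inner packet.

Added example, not QRadar code. Input starts at the outer IPv4 header.
ERSPAN Type I  : GRE proto 0x88BE, no sequence number, no ERSPAN header.
ERSPAN Type II : GRE proto 0x88BE with the S flag, 8-byte ERSPAN header.
ERSPAN Type III: GRE proto 0x22EB, 12-byte header plus an optional 8-byte
                 platform-specific subheader when the O bit is set.
"""
import struct

GRE_PROTO = 47
ETHERTYPE_ERSPAN_I_II = 0x88BE
ETHERTYPE_ERSPAN_III = 0x22EB
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def decapsulate_erspan(pkt: bytes) -> dict:
    """Return outer tunnel fields, ERSPAN session fields and the inner packet summary."""
    # Outer IPv4 header: only GRE (protocol 47) can carry ERSPAN.
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or ihl < 20:
        raise ValueError("outer packet is not IPv4")
    if pkt[9] != GRE_PROTO:
        raise ValueError("outer IPv4 payload is not GRE")
    info = {"outer_src": _ipv4(pkt[12:16]), "outer_dst": _ipv4(pkt[16:20])}
    off = ihl

    # GRE header (RFC 2784/2890): the flag bits decide which optional words follow.
    flags, proto = struct.unpack_from("!HH", pkt, off)
    off += 4
    if flags & 0x8000:  # C flag: checksum + reserved1
        off += 4
    if flags & 0x2000:  # K flag: key
        off += 4
    has_seq = bool(flags & 0x1000)  # S flag: sequence number
    if has_seq:
        info["gre_seq"] = struct.unpack_from("!I", pkt, off)[0]
        off += 4

    # ERSPAN header. Word 1 layout is shared by Type II and III:
    # version(4) | VLAN(12) | COS(3) | En/BSO(2) | T(1) | session ID(10).
    if proto == ETHERTYPE_ERSPAN_I_II and not has_seq:
        info["erspan_type"] = 1
    elif proto == ETHERTYPE_ERSPAN_I_II:
        w1, _index = struct.unpack_from("!II", pkt, off)
        off += 8
        info.update(erspan_type=2, erspan_version=w1 >> 28,
                    vlan=(w1 >> 16) & 0x0FFF, session_id=w1 & 0x03FF)
    elif proto == ETHERTYPE_ERSPAN_III:
        w1, timestamp, w3 = struct.unpack_from("!III", pkt, off)
        off += 12
        if w3 & 0x1:  # O bit: platform-specific subheader present
            off += 8
        info.update(erspan_type=3, erspan_version=w1 >> 28, vlan=(w1 >> 16) & 0x0FFF,
                    session_id=w1 & 0x03FF, timestamp=timestamp)
    else:
        raise ValueError(f"GRE protocol 0x{proto:04x} is not ERSPAN")

    # Inner Ethernet frame: the mirrored packet that was previously opaque.
    inner = pkt[off:]
    dst_mac, src_mac, ethertype = struct.unpack_from("!6s6sH", inner, 0)
    pos = 14
    if ethertype == ETHERTYPE_VLAN:  # 802.1Q tag on the mirrored frame itself
        info["inner_vlan"] = struct.unpack_from("!H", inner, pos)[0] & 0x0FFF
        ethertype = struct.unpack_from("!H", inner, pos + 2)[0]
        pos += 4
    info.update(src_mac=_mac(src_mac), dst_mac=_mac(dst_mac), ethertype=ethertype)
    if ethertype == ETHERTYPE_IPV4:
        ip = inner[pos:]
        ip_ihl = (ip[0] & 0x0F) * 4
        info.update(src_ip=_ipv4(ip[12:16]), dst_ip=_ipv4(ip[16:20]), proto=ip[9])
        if ip[9] in (6, 17):  # TCP or UDP: ports are the first two L4 fields
            info["src_port"], info["dst_port"] = struct.unpack_from("!HH", ip, ip_ihl)
            l4_len = 8 if ip[9] == 17 else (ip[ip_ihl + 12] >> 4) * 4
            info["payload"] = ip[ip_ihl + l4_len:]
    return info


# Constructed sample: 10.0.0.1 -> 10.0.0.2 GRE tunnel, ERSPAN Type II session 5 on
# VLAN 100, carrying a mirrored UDP/53 datagram from 192.168.1.10 to 192.168.1.20.
SAMPLE_ERSPAN = bytes.fromhex(
    "45000052" "00010000" "402f0000" "0a000001" "0a000002"   # outer IPv4, proto 47
    "1000" "88be" "00000001"                                  # GRE: S flag, ERSPAN II, seq 1
    "10640005" "00000000"                                     # ERSPAN II: ver 1, VLAN 100, session 5
    "001122334455" "66778899aabb" "0800"                      # inner Ethernet
    "45000020" "00020000" "40110000" "c0a8010a" "c0a80114"   # inner IPv4, proto 17
    "3039" "0035" "000c" "0000" "74657374"                    # UDP 12345 -> 53, payload "test"
)

if __name__ == "__main__":
    for k, v in decapsulate_erspan(SAMPLE_ERSPAN).items():
        print(f"{k:15} {v}")
```

The outer source and destination identify the mirroring device and the collector, the session ID ties the packet back to the ERSPAN session configured on the switch, and everything from `src_mac` onward is the content that a collector stopping at the tunnel headers never sees.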

MAC Address Parsing in Flow Data

MAC addresses are now extracted from incoming flow data. This applies across supported flow types. Previously, flow records in QRadar contained only IP-based identifiers. The addition of MAC-level data improves visibility at the hardware level.

The benefits of this update include:

  • Assets can be identified more consistently, even when IP addresses change due to dynamic addressing. This allows for more reliable inventory tracking and improves correlation logic.

  • MAC addresses provide a lower-level identity that can be used to detect unauthorized devices and trace movement across subnets.

  • In environments with strict segmentation, MAC-based monitoring supports policy enforcement by verifying the presence and behavior of physical devices.

Note: MAC address parsing is not currently available for J-Flow.
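The following added example (not QRadar code, and not from the post's author) shows where MAC addresses live in an exported flow record and why they help with the dynamic-addressing case in the first bullet above. It parses a minimal IPFIX message (RFC 7011, the format behind NetFlow v10) containing a template set and a data set whose records carry the IANA information elements sourceMacAddress (56) and destinationMacAddress (80) alongside the IP fields, then groups the observed source IPs by source MAC. The message and its addresses are constructed for the example; the element numbers and wire layout are the standard ones.

```python
"""Extract MAC addresses from IPFIX flow records and correlate assets by MAC.

Added example, not QRadar code. Implements enough of RFC 7011 to read a
template set (set ID 2) and the data sets it describes. Variable-length
fields (length 65535) are not handled here.
"""
import struct
from collections import defaultdict

# IANA IPFIX information element IDs used by the sample.
IE_NAMES = {
    1: "octetDeltaCount",
    8: "sourceIPv4Address",
    12: "destinationIPv4Address",
    56: "sourceMacAddress",
    80: "destinationMacAddress",
}
MAC_IES = {56, 80}
IPV4_IES = {8, 12}


def _decode(ie_id: int, raw: bytes):
    if ie_id in MAC_IES:
        return ":".join(f"{b:02x}" for b in raw)
    if ie_id in IPV4_IES:
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


def parse_ipfix(msg: bytes) -> list:
    """Return one dict per data record, decoded with the templates in the message."""
    version, length = struct.unpack_from("!HH", msg, 0)
    if version != 10:
        raise ValueError(f"not IPFIX (version {version})")
    templates, flows = {}, []
    off = 16  # 16-byte message header: version, length, export time, seq, domain
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4:
            raise ValueError("malformed set length")
        end, pos = off + set_len, off + 4
        if set_id == 2:  # template set: (template ID, field count, then IE/length pairs)
            while pos + 4 <= end:
                tid, count = struct.unpack_from("!HH", msg, pos)
                pos += 4
                fields = []
                for _ in range(count):
                    ie_id, flen = struct.unpack_from("!HH", msg, pos)
                    pos += 4
                    if ie_id & 0x8000:  # enterprise-specific IE: 4-byte PEN follows
                        pos += 4
                    fields.append((ie_id & 0x7FFF, flen))
                templates[tid] = fields
        elif set_id >= 256:  # data set: set ID is the template ID
            fields = templates.get(set_id)
            if fields is None:
                raise ValueError(f"data set {set_id} arrived before its template")
            rec_len = sum(flen for _, flen in fields)
            while pos + rec_len <= end:
                rec = {}
                for ie_id, flen in fields:
                    rec[IE_NAMES.get(ie_id, f"ie{ie_id}")] = _decode(ie_id, msg[pos:pos + flen])
                    pos += flen
                flows.append(rec)
        off = end
    return flows


def ips_by_mac(flows: list) -> dict:
    """Map each source MAC to the set of source IPs it has been seen with."""
    seen = defaultdict(set)
    for f in flows:
        if "sourceMacAddress" in f and "sourceIPv4Address" in f:
            seen[f["sourceMacAddress"]].add(f["sourceIPv4Address"])
    return dict(seen)


# Constructed sample: one template (ID 256) and two records from the same host,
# which obtained a new DHCP lease between them (10.1.1.5 -> 10.1.1.77).
SAMPLE_IPFIX = bytes.fromhex(
    "000a" "0068" "00000000" "00000001" "00000001"          # header, length 104
    "0002" "001c" "0100" "0005"                              # template set, template 256, 5 fields
    "00080004" "000c0004" "00380006" "00500006" "00010008"   # srcIP, dstIP, srcMAC, dstMAC, octets
    "0100" "003c"                                            # data set for template 256, length 60
    "0a010105" "0a090909" "aabbcc000001" "00005e000101" "00000000000005dc"
    "0a01014d" "0a090909" "aabbcc000001" "00005e000101" "0000000000000320"
)

if __name__ == "__main__":
    for mac, ips in ips_by_mac(parse_ipfix(SAMPLE_IPFIX)).items():
        print(mac, sorted(ips))
```

Keyed by IP alone, the two records look like two different assets; keyed by MAC they collapse to one host with a changed address, which is the correlation the bullet list above describes. The same grouping, run the other way (one IP seen with several MACs), is a simple check for an address being reused by another device.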

Summary

These updates in UP13 help address two common limitations in network monitoring. ERSPAN processing allows traffic from remote and virtualized environments to be decoded and analyzed without additional hardware. MAC address parsing adds an extra layer of device visibility to flow records.

Both updates are available as part of the UP13 release. Additional guidance for enabling and configuring these features is provided in the release documentation.

For questions or to share feedback, users can visit the IBM QRadar Community page, or submit ideas through the IBM Ideas Portal.
