diff --git a/CHANGES b/CHANGES
index a020d49faa..df1c759757 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,14 @@
+4.1.0-dev.328 | 2021-03-17 10:35:59 -0700
+
+ * Add tests for ERSPAN Type I patch
+
+ Co-authored-by: Markel Elorza Alvarez
+ Co-authored-by: Ivan Arrizabalaga Cupido (Gorka Olalde Mendia)
+
+ * Add ERSPAN Type I patch
+
+ Co-authored-by: Markel Elorza Alvarez
+ Co-authored-by: Ivan Arrizabalaga Cupido (Gorka Olalde Mendia)
 4.1.0-dev.323 | 2021-03-11 12:43:21 -0800
diff --git a/VERSION b/VERSION
index 4049270217..4d863adaf8 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-4.1.0-dev.323
+4.1.0-dev.328
diff --git a/src/packet_analysis/protocol/gre/GRE.cc b/src/packet_analysis/protocol/gre/GRE.cc
index 6a36442b93..1f47ecc92f 100644
--- a/src/packet_analysis/protocol/gre/GRE.cc
+++ b/src/packet_analysis/protocol/gre/GRE.cc
@@ -99,13 +99,24 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 else if ( proto_typ == 0x88be )
 {
- // ERSPAN type II
- if ( len > gre_len + 14 + 8 )
+ if ( len > gre_len + 14 )
 {
- erspan_len = 8;
+ // ERSPAN type I
+ erspan_len = 0;
 eth_len = 14;
 gre_link_type = DLT_EN10MB;
- proto_typ = ntohs(*((uint16_t*)(data + gre_len + erspan_len + eth_len - 2)));
+ bool have_sequence_header = ((flags_ver & 0x1000) == 0x1000);
+ if ( have_sequence_header )
+ {
+ // ERSPAN type II
+ erspan_len += 8;
+ if ( len < gre_len + eth_len + erspan_len )
+ {
+ Weird("truncated_GRE", packet);
+ return false;
+ }
+ }
+ proto_typ = ntohs(*((uint16_t *) (data + gre_len + erspan_len + eth_len - 2)));
 }
 else
 {
diff --git a/testing/btest/Baseline/core.erspanI/conn.log b/testing/btest/Baseline/core.erspanI/conn.log
new file mode 100644
index 0000000000..db479dd329
--- /dev/null
+++ b/testing/btest/Baseline/core.erspanI/conn.log
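Review bot: The two length guards in the rewritten ERSPAN branch are not consistent: `if ( len > gre_len + 14 )` rejects a Type I packet whose inner Ethernet header ends exactly at the end of the buffer, while the new Type II guard `if ( len < gre_len + eth_len + erspan_len )` accepts that case, so a Type II frame with nothing after its inner Ethernet header is now passed on where the old `len > gre_len + 14 + 8` check sent it to the else branch. The ethertype read on the `proto_typ = ntohs(...)` line ends two bytes before the guarded offset, so this is not an overread; `if ( len <= gre_len + eth_len + erspan_len )` would keep the old strictness. Since Type I carries no ERSPAN header at all, the sequence bit is the only thing separating the two formats and deserves a comment, e.g. `// Type I has no ERSPAN header; the GRE sequence bit (S) is the only indication that an 8-byte Type II header precedes the inner frame` (`flags_ver` is set outside the hunk, presumably from the GRE flags/version word). The rewritten `proto_typ` line still reads through an unaligned `uint16_t *` cast, which predates this commit but would be portable as a `memcpy` of two bytes into a local. AnalyzePacket begins and ends outside the hunk.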
@@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 172.16.133.2 8 172.217.11.78 0 icmp - 0.014360 280 280 OTH - - 0 - 5 420 5 420 CHhAvVGS1DHFjwGM9 +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.erspanI/tunnel.log b/testing/btest/Baseline/core.erspanI/tunnel.log new file mode 100644 index 0000000000..173855a536 --- /dev/null +++ b/testing/btest/Baseline/core.erspanI/tunnel.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.1 0 192.168.1.2 0 Tunnel::GRE Tunnel::DISCOVER +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Traces/erspanI.pcap b/testing/btest/Traces/erspanI.pcap new file mode 100644 index 0000000000..f137d40a19 Binary files /dev/null and b/testing/btest/Traces/erspanI.pcap differ diff --git a/testing/btest/core/erspanI.zeek b/testing/btest/core/erspanI.zeek new file mode 100644 index 0000000000..15336c8853 --- /dev/null +++ b/testing/btest/core/erspanI.zeek 
@@ -0,0 +1,6 @@
+# @TEST-EXEC: zeek -C -b -r $TRACES/erspanI.pcap %INPUT
+# @TEST-EXEC: btest-diff tunnel.log
+# @TEST-EXEC: btest-diff conn.log
+
+@load base/frameworks/tunnels
+@load base/protocols/conn
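Review bot: The new test only drives the Type I path (no S bit, `erspan_len = 0`), yet the same commit also reshapes the Type II path by adding the `truncated_GRE` check behind `have_sequence_header`; a second trace with the sequence bit set, ideally including one frame cut short inside the 8-byte ERSPAN header, would pin both the new guard and the weird. If an existing btest already covers ERSPAN Type II, a `# @TEST-DOC:` line here saying that this test is the Type I counterpart would make the split explicit.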