Even though there are no BPF filter keywords related to vxlan (yet?), this does not mean you can't filter for the overlay IP addresses. When I look at an example vxlan pcap file, I see the following headers:

Frame 3: 148 bytes on wire (1184 bits), 148 bytes captured (1184 bits)
Ethernet II, Src: 08:00:27:ae:4d:62, Dst: 08:00:27:f2:1d:8c
Internet Protocol Version 4, Src: 192.168.56.11, Dst: 192.168.56.12
User Datagram Protocol, Src Port: 48134, Dst Port: 4789
Virtual eXtensible Local Area Network
Ethernet II, Src: ba:09:2b:6e:f8:be, Dst: 4a:7f:01:3b:a2:71
Internet Protocol Version 4, Src: 10.0.0.1, Dst: 10.0.0.2
Internet Control Message Protocol

If I want to filter on the source IP address of the overlay (10.0.0.1 in this example), I can base my search on the ethernet layer by adding the length of each header.

  • 14 bytes to skip the underlay ethernet header
  • 20 bytes to skip the underlay IP header
  • 8 bytes to skip the UDP header
  • 8 bytes to skip the VXLAN header
  • 14 bytes to skip the overlay ethernet header
  • 12 bytes to point to the IP source address in the overlay IP header

In other words, you need to look at position 76 (=14+20+8+8+14+12) for 4 bytes that contain the value 0x0a000001 (10.0.0.1 as a 32-bit integer in hex notation). This results in the filter ether[76:4] = 0x0a000001:

$ tcpdump -nnlr vxlan.pcap "ether[76:4]=0x0a000001"
reading from file vxlan.pcap, link-type EN10MB (Ethernet)
17:20:32.676047 IP 192.168.56.11.48134 > 192.168.56.12.4789: VXLAN, flags [I] (0x08), vni 123
IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 3389, seq 1, length 64
17:20:33.677322 IP 192.168.56.11.48134 > 192.168.56.12.4789: VXLAN, flags [I] (0x08), vni 123
IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 3389, seq 2, length 64
17:20:34.678483 IP 192.168.56.11.48134 > 192.168.56.12.4789: VXLAN, flags [I] (0x08), vni 123
IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 3389, seq 3, length 64
17:20:35.680481 IP 192.168.56.11.48134 > 192.168.56.12.4789: VXLAN, flags [I] (0x08), vni 123
IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 3389, seq 4, length 64
$

For the destination address, the offset in the overlay IP header is 16 instead of 12, so filtering for the IP address 10.0.0.1 within the overlay network would result in ether[76:4] = 0x0a000001 or ether[80:4] = 0x0a000001.

Hope this helps. If it does not work in your situation, please post a small pcap file on one of the public file sharing services like OneDrive, Dropbox, etc., and paste the link here so I can help you create a working capture filter.
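The offset arithmetic from the answer above, carried out in code as an added example (not code from the answer or its author). It computes the overlay source/destination offsets, including the 802.1Q tags and outer IP options that the fixed 76/80 offsets assume are absent, builds the filter string, and evaluates it against a constructed VXLAN frame that mirrors the header stack listed in the answer (all addresses, ports and the VNI are the sample values from that listing).

```python
import socket
import struct

# Header lengths used in the answer: Ethernet, IPv4 without options, UDP, VXLAN
ETH_LEN, UDP_LEN, VXLAN_LEN = 14, 8, 8
VXLAN_PORT = 4789

def overlay_ip_offset(field, underlay_ihl=5, vlan_tags=0):
    """Frame offset of the overlay IPv4 'src' (12) or 'dst' (16) field.
    underlay_ihl: outer IPv4 IHL in 32-bit words (5 = 20 bytes, no options).
    vlan_tags:    number of 802.1Q tags on the outer Ethernet header (4 bytes each).
    Defaults reproduce the answer's 76 (src) and 80 (dst)."""
    field_off = {"src": 12, "dst": 16}[field]
    return (ETH_LEN + 4 * vlan_tags + 4 * underlay_ihl + UDP_LEN + VXLAN_LEN
            + ETH_LEN + field_off)

def overlay_filter(ip, **kw):
    """BPF expression matching `ip` as overlay source or destination."""
    val = "0x%08x" % struct.unpack("!I", socket.inet_aton(ip))[0]
    return "ether[%d:4] = %s or ether[%d:4] = %s" % (
        overlay_ip_offset("src", **kw), val, overlay_ip_offset("dst", **kw), val)

def build_vxlan_frame(outer_src, outer_dst, inner_src, inner_dst, vni=123):
    """Constructed sample: Eth/IPv4/UDP/VXLAN/Eth/IPv4/ICMP echo request, no payload."""
    def eth(src, dst):  # destination MAC first, then source, then EtherType IPv4
        return bytes.fromhex(dst.replace(":", "") + src.replace(":", "")) + b"\x08\x00"
    def ipv4(src, dst, proto, payload_len):  # checksum left zero; irrelevant to BPF offsets
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                           socket.inet_aton(src), socket.inet_aton(dst))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 3389, 1)          # echo request, id 3389, seq 1
    inner = (eth("ba:09:2b:6e:f8:be", "4a:7f:01:3b:a2:71")
             + ipv4(inner_src, inner_dst, 1, len(icmp)) + icmp)
    vxlan = struct.pack("!BBBBI", 0x08, 0, 0, 0, vni << 8)  # flags [I], VNI in upper 24 bits
    udp = struct.pack("!HHHH", 48134, VXLAN_PORT, UDP_LEN + len(vxlan) + len(inner), 0)
    payload = udp + vxlan + inner
    return (eth("08:00:27:ae:4d:62", "08:00:27:f2:1d:8c")
            + ipv4(outer_src, outer_dst, 17, len(payload)) + payload)

def ether_matches(frame, offset, value):
    """Evaluate ether[offset:4] = value the way the BPF filter does (no match past the end)."""
    return len(frame) >= offset + 4 and struct.unpack("!I", frame[offset:offset + 4])[0] == value

def overlay_has_ip(frame, ip, **kw):
    """True when `ip` appears as overlay source or destination at the computed offsets."""
    val = struct.unpack("!I", socket.inet_aton(ip))[0]
    return any(ether_matches(frame, overlay_ip_offset(f, **kw), val) for f in ("src", "dst"))
```

Because the offsets are fixed, prefixing the expression with "udp dst port 4789 and" keeps frames that merely happen to carry the same four bytes at offset 76 or 80 from matching.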