Even though there are no BPF filter keywords related to vxlan (yet?), this does not mean you can't filter for the overlay IP addresses. When I look at an example vxlan pcap file, I see the following headers:
Frame 3: 148 bytes on wire (1184 bits), 148 bytes captured (1184 bits)
Ethernet II, Src: 08:00:27:ae:4d:62, Dst: 08:00:27:f2:1d:8c
Internet Protocol Version 4, Src: 192.168.56.11, Dst: 192.168.56.12
User Datagram Protocol, Src Port: 48134, Dst Port: 4789
Virtual eXtensible Local Area Network
Ethernet II, Src: ba:09:2b:6e:f8:be, Dst: 4a:7f:01:3b:a2:71
Internet Protocol Version 4, Src: 10.0.0.1, Dst: 10.0.0.2
Internet Control Message Protocol
If I want to filter on the source IP address of the overlay (10.0.0.1 in this example), I can base my search on the ethernet layer by adding the length of each header.
In other words, you need to look at position 76 (=14+20+8+8+14+12) for 4 bytes that contain the value 0x0a000001 (10.0.0.1 as a 32 bit integer in hex notation). This results in the filter ether[76:4] = 0x0a000001:
$ tcpdump -nnlr vxlan.pcap "ether[76:4]=0x0a000001"
reading from file vxlan.pcap, link-type EN10MB (Ethernet)
17:20:32.676047 IP 192.168.56.11.48134 > 192.168.56.12.4789: VXLAN, flags [I] (0x08), vni 123
IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 3389, seq 1, length 64
17:20:33.677322 IP 192.168.56.11.48134 > 192.168.56.12.4789: VXLAN, flags [I] (0x08), vni 123
IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 3389, seq 2, length 64
17:20:34.678483 IP 192.168.56.11.48134 > 192.168.56.12.4789: VXLAN, flags [I] (0x08), vni 123
IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 3389, seq 3, length 64
17:20:35.680481 IP 192.168.56.11.48134 > 192.168.56.12.4789: VXLAN, flags [I] (0x08), vni 123
IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 3389, seq 4, length 64
$
For the destination address, the offset in the overlay IP header is 16 instead of 12, so filtering for the IP address 10.0.0.1 within the overlay network would result in ether[76:4] = 0x0a000001 or ether[80:4] = 0x0a000001.
Hope this helps. If it does not work in your situation, please post a small pcap file on one of the public file-sharing services like OneDrive, Dropbox, etc. and paste the link here so I can help you create a working capture filter.
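The offset arithmetic from the answer above, as an added example (not part of the original answer): it builds the filter for any overlay IPv4 address and checks the offsets against a constructed frame laid out like frame 3. The `guard` clause (`udp dst port 4789 and ip[0] & 0xf = 5`) and all function names are assumptions added here; the guard keeps the fixed offsets from matching frames with outer IP options or non-VXLAN traffic.

```python
import ipaddress
import struct

# Header sizes behind the answer's arithmetic: untagged Ethernet, IPv4 without options.
INNER_IP = 14 + 20 + 8 + 8 + 14                    # start of the overlay IPv4 header (64)
SRC_OFF, DST_OFF = INNER_IP + 12, INNER_IP + 16    # 76 and 80


def overlay_filter(ip, direction="either", guard=True):
    """Build a BPF expression matching an overlay IPv4 address at the fixed offsets."""
    value = "0x%08x" % int(ipaddress.IPv4Address(ip))
    offsets = {"src": [SRC_OFF], "dst": [DST_OFF], "either": [SRC_OFF, DST_OFF]}[direction]
    expr = " or ".join("ether[%d:4] = %s" % (off, value) for off in offsets)
    if guard:
        # Assumed guard: the offsets only hold for UDP/4789 with a 20-byte outer IPv4 header.
        expr = "udp dst port 4789 and ip[0] & 0xf = 5 and (%s)" % expr
    return expr


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _ip4(text):
    return ipaddress.IPv4Address(text).packed


def build_sample_frame():
    """Constructed 148-byte frame laid out like frame 3 in the answer (checksums zeroed)."""
    icmp = b"\x08" + bytes(63)                                # echo request, 64 bytes
    inner_ip = struct.pack("!BBHHHBBH", 0x45, 0, 84, 0, 0, 64, 1, 0) + _ip4("10.0.0.1") + _ip4("10.0.0.2")
    inner = _mac("4a:7f:01:3b:a2:71") + _mac("ba:09:2b:6e:f8:be") + b"\x08\x00" + inner_ip + icmp
    vxlan = struct.pack("!II", 0x08 << 24, 123 << 8)          # flags [I], vni 123
    udp = struct.pack("!HHHH", 48134, 4789, 16 + len(inner), 0)
    outer_ip = (struct.pack("!BBHHHBBH", 0x45, 0, 36 + len(inner), 0, 0, 64, 17, 0)
                + _ip4("192.168.56.11") + _ip4("192.168.56.12"))
    outer_eth = _mac("08:00:27:f2:1d:8c") + _mac("08:00:27:ae:4d:62") + b"\x08\x00"
    return outer_eth + outer_ip + udp + vxlan + inner


def overlay_addresses(frame):
    """Apply the guard in Python; return (src, dst) overlay IPs, or None if it fails."""
    if frame[12:14] != b"\x08\x00" or frame[14] & 0x0F != 5 or frame[23] != 17:
        return None
    if struct.unpack("!H", frame[36:38])[0] != 4789:
        return None
    return tuple(str(ipaddress.IPv4Address(frame[o:o + 4])) for o in (SRC_OFF, DST_OFF))
```

An outer 802.1Q tag shifts every header by 4 bytes, so `overlay_addresses` returns `None` for a tagged frame rather than reading the wrong bytes.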