Sniffing VXLAN traffic

asked 2019-07-17 13:38:20 +0000

artifex
1 ●1 ●1 ●1

Hi,

I'm trying to use tcpdump, wireshark and tshark for sniffing traffic on a computer that the traffic that arrives at its sniffing interface is encapsulated using VXLAN technology.

When I use tcpdump, I see this:

$ sudo tcpdump -nvi ens6
13:23:01.393991 IP (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto UDP (17), length 134)
    172.31.81.89.65513 > 172.31.82.247.4789: VXLAN, flags [I] (0x08), vni 3517757
IP (tos 0x0, ttl 64, id 56020, offset 0, flags [DF], proto ICMP (1), length 84)
    172.31.81.89 > 8.8.8.8: ICMP echo request, id 12900, seq 6673, length 64
13:23:01.394458 IP (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto UDP (17), length 134)
    172.31.81.89.65513 > 172.31.82.247.4789: VXLAN, flags [I] (0x08), vni 3517757
IP (tos 0x0, ttl 48, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 172.31.81.89: ICMP echo reply, id 12900, seq 6673, length 64
13:23:01.394626 IP (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto UDP (17), length 202)
    172.31.81.89.65422 > 172.31.82.247.4789: VXLAN, flags [I] (0x08), vni 3517757
IP (tos 0x10, ttl 64, id 26689, offset 0, flags [DF], proto TCP (6), length 152)

and if I try to run the same command with a filter like "icmp" like this $ sudo tcpdump -nvi ens6 icmp

I get no packets at all.

When I try to capture with Wireshark/tshark I get similar results: When I don't use any filter I get the packets (unfiltered of-course), When I use a BPF filter I get no packets at all but if I use a display filter I get the relevant packets like so:

$ sudo tshark -i ens6 -Y icmp
Capturing on 'ens6'
    1 0.000000000 172.31.81.89 → 8.8.8.8      ICMP 148 Echo (ping) request  id=0x3264, seq=7129/55579, ttl=64
    2 0.000452969      8.8.8.8 → 172.31.81.89 ICMP 148 Echo (ping) reply    id=0x3264, seq=7129/55579, ttl=48 (request in 1)
    5 1.024059193 172.31.81.89 → 8.8.8.8      ICMP 148 Echo (ping) request  id=0x3264, seq=7130/55835, ttl=64
    6 1.024461234      8.8.8.8 → 172.31.81.89 ICMP 148 Echo (ping) reply    id=0x3264, seq=7130/55835, ttl=48 (request in 5)
    9 2.048086984 172.31.81.89 → 8.8.8.8      ICMP 148 Echo (ping) request  id=0x3264, seq=7131/56091, ttl=64
   10 2.048495747      8.8.8.8 → 172.31.81.89 ICMP 148 Echo (ping) reply    id=0x3264, seq=7131/56091, ttl=48 (request in 9)
^C6 packets captured

Do you know of a way to get the filtered traffic even when using the BPF filter? I know that using the display filter is considered memory ... (more)

edit retag flag offensive close merge delete

add a comment

2 Answers

Sort by » oldest newest most voted

answered 2019-07-17 21:32:50 +0000

SYN-bit

18344 ●9 ●301 ●255 https://SYN-b.it

Even though there are no BPF filter keywords related to vxlan (yet?), this does not mean you can't filter for the overlay IP addresses. When I look at an example vxlan pcap file, I see the following headers:

Frame 3: 148 bytes on wire (1184 bits), 148 bytes captured (1184 bits)
Ethernet II, Src: 08:00:27:ae:4d:62, Dst: 08:00:27:f2:1d:8c
Internet Protocol Version 4, Src: 192.168.56.11, Dst: 192.168.56.12
User Datagram Protocol, Src Port: 48134, Dst Port: 4789
Virtual eXtensible Local Area Network
Ethernet II, Src: ba:09:2b:6e:f8:be, Dst: 4a:7f:01:3b:a2:71
Internet Protocol Version 4, Src: 10.0.0.1, Dst: 10.0.0.2
Internet Control Message Protocol

If I want do filter on the source IP address of the overlay (10.0.0.1 in this example), I can base my search on the ethernet layer by adding the length of each header.

14 bytes to skip the underlay ethernet header
20 bytes to skip the underlay IP header
8 bytes to skip the UDP header
8 bytes to skip the VXLAN header
14 bytes to skip the overlay ethernet header
12 bytes to point to the IP source address in the overlay IP header

In other words, you need to look at position 76 (=14+20+8+8+14+12) for 4 bytes that contain the value 0x0a000001 (10.0.0.1 as a 32 bit integer in hex notation). This results in the filter ether[76:4] = 0x0a000001:

$ tcpdump -nnlr vxlan.pcap "ether[76:4]=0x0a000001"
reading from file vxlan.pcap, link-type EN10MB (Ethernet)
17:20:32.676047 IP 192.168.56.11.48134 > 192.168.56.12.4789: VXLAN, flags [I] (0x08), vni 123
IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 3389, seq 1, length 64
17:20:33.677322 IP 192.168.56.11.48134 > 192.168.56.12.4789: VXLAN, flags [I] (0x08), vni 123
IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 3389, seq 2, length 64
17:20:34.678483 IP 192.168.56.11.48134 > 192.168.56.12.4789: VXLAN, flags [I] (0x08), vni 123
IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 3389, seq 3, length 64
17:20:35.680481 IP 192.168.56.11.48134 > 192.168.56.12.4789: VXLAN, flags [I] (0x08), vni 123
IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 3389, seq 4, length 64
$

For the destination address, the offset in the overlay IP header is 16 instead of 12, so filtering for the IP address 10.0.0.1 within the overlay network would result in ether[76:4] = 0x0a000001 or ether[80:4] = 0x0a000001.

Hope this helps, if it does not work in your situation, please post a small ... (more)

edit flag offensive delete link

add a comment

answered 2019-07-17 18:30:11 +0000

Jaap

13730 ●684 ●115

You would have to look into the capabilities of pcap-filter to know what you can filter on. Even though it does handle Geneve packets, VXLAN handling is not in there. Therefore it can't find the protocols you try to filter on on the locations in the packet where it expects it. Filter keywords, like geneve [vni] would adjust for that. Unfortunately for VXLAN it can't.

edit flag offensive delete link

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Sniffing VXLAN traffic

2 Answers

Your Answer

Question Tools

Stats

Related questions

Sniffing VXLAN traffic edit

2 Answers

Your Answer

Question Tools

Stats

Related questions

Sniffing VXLAN traffic