Sniffing VXLAN traffic

Hi,

I'm trying to use tcpdump, Wireshark and tshark to sniff traffic on a computer where the traffic that arrives at its sniffing interface is encapsulated using VXLAN.

When I use tcpdump, I see this:

$ sudo tcpdump -nvi ens6
13:23:01.393991 IP (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto UDP (17), length 134)
    172.31.81.89.65513 > 172.31.82.247.4789: VXLAN, flags [I] (0x08), vni 3517757
IP (tos 0x0, ttl 64, id 56020, offset 0, flags [DF], proto ICMP (1), length 84)
    172.31.81.89 > 8.8.8.8: ICMP echo request, id 12900, seq 6673, length 64
13:23:01.394458 IP (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto UDP (17), length 134)
    172.31.81.89.65513 > 172.31.82.247.4789: VXLAN, flags [I] (0x08), vni 3517757
IP (tos 0x0, ttl 48, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 172.31.81.89: ICMP echo reply, id 12900, seq 6673, length 64
13:23:01.394626 IP (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto UDP (17), length 202)
    172.31.81.89.65422 > 172.31.82.247.4789: VXLAN, flags [I] (0x08), vni 3517757
IP (tos 0x10, ttl 64, id 26689, offset 0, flags [DF], proto TCP (6), length 152)

and if I try to run the same command with a filter like "icmp", like this:

$ sudo tcpdump -nvi ens6 icmp

I get no packets at all.

When I try to capture with Wireshark/tshark I get similar results: when I don't use any filter I get the packets (unfiltered, of course); when I use a BPF filter I get no packets at all, but if I use a display filter I get the relevant packets, like so:

$ sudo tshark -i ens6 -Y icmp
Capturing on 'ens6'
    1 0.000000000 172.31.81.89 → 8.8.8.8      ICMP 148 Echo (ping) request  id=0x3264, seq=7129/55579, ttl=64
    2 0.000452969      8.8.8.8 → 172.31.81.89 ICMP 148 Echo (ping) reply    id=0x3264, seq=7129/55579, ttl=48 (request in 1)
    5 1.024059193 172.31.81.89 → 8.8.8.8      ICMP 148 Echo (ping) request  id=0x3264, seq=7130/55835, ttl=64
    6 1.024461234      8.8.8.8 → 172.31.81.89 ICMP 148 Echo (ping) reply    id=0x3264, seq=7130/55835, ttl=48 (request in 5)
    9 2.048086984 172.31.81.89 → 8.8.8.8      ICMP 148 Echo (ping) request  id=0x3264, seq=7131/56091, ttl=64
   10 2.048495747      8.8.8.8 → 172.31.81.89 ICMP 148 Echo (ping) reply    id=0x3264, seq=7131/56091, ttl=48 (request in 9)
^C6 packets captured

Do you know of a way to get the filtered traffic even when using a BPF filter? I know that using a display filter is considered a memory-intensive operation...

T.I.A, Yuval.
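The following is an added example, not part of Yuval's post and not Wireshark or tcpdump project code. It shows why the BPF primitive `icmp` matches nothing here (libpcap evaluates `icmp`, `tcp`, `udp` etc. against the outer IP header, whose protocol is UDP/17) and how to express the same match on the encapsulated packet with libpcap's raw offset syntax, `udp[N]`, which indexes from the start of the outer UDP header. The offsets assume the standard VXLAN destination port 4789, an IPv4 outer packet, and an untagged IPv4 inner Ethernet frame (UDP header 8 + VXLAN header 8 + inner Ethernet 14 = 30 bytes before the inner IP header). The test frames are constructed inline with the VNI, addresses and sizes from the capture above; checksums are left at zero, which offset-based matching does not inspect.

```python
import struct

VXLAN_PORT = 4789
ETH_HDR_LEN = 14
UDP_HDR_LEN = 8
VXLAN_HDR_LEN = 8

# Offsets relative to the start of the outer UDP header, i.e. tcpdump's udp[N]
# indexing. Assumes an untagged inner Ethernet frame carrying IPv4.
OFF_VXLAN_FLAGS = UDP_HDR_LEN                              # 8: VXLAN flags byte (I bit = 0x08)
OFF_VXLAN_VNI = UDP_HDR_LEN + 4                            # 12: 3-byte VNI
OFF_INNER_ETHERTYPE = UDP_HDR_LEN + VXLAN_HDR_LEN + 12     # 28: inner EtherType (2 bytes)
OFF_INNER_IP = UDP_HDR_LEN + VXLAN_HDR_LEN + ETH_HDR_LEN   # 30: inner IPv4 header
OFF_INNER_PROTO = OFF_INNER_IP + 9                         # 39: inner IPv4 protocol field


def vxlan_inner_bpf(proto: int, port: int = VXLAN_PORT) -> str:
    """libpcap capture-filter expression matching VXLAN frames whose inner
    IPv4 packet carries protocol number `proto` (1 = ICMP, 6 = TCP, 17 = UDP)."""
    return (
        f"udp dst port {port} and udp[{OFF_VXLAN_FLAGS}] & 0x08 = 0x08"
        f" and udp[{OFF_INNER_ETHERTYPE}:2] = 0x0800"
        f" and udp[{OFF_INNER_PROTO}] = {proto}"
    )


def outer_ip_proto(frame: bytes):
    """Outer IPv4 protocol number: what the plain `icmp` primitive is tested against."""
    if len(frame) < ETH_HDR_LEN + 20 or frame[12:14] != b"\x08\x00":
        return None
    return frame[ETH_HDR_LEN + 9]


def outer_udp(frame: bytes):
    """Slice of `frame` starting at the outer UDP header, or None if not IPv4/UDP."""
    if outer_ip_proto(frame) != 17:
        return None
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
    return frame[ETH_HDR_LEN + ihl:]


def vxlan_inner_proto(frame: bytes, port: int = VXLAN_PORT):
    """Inner IPv4 protocol number of a VXLAN frame, or None. Applies exactly the
    byte tests that vxlan_inner_bpf() expresses in capture-filter syntax."""
    udp = outer_udp(frame)
    if udp is None or len(udp) < OFF_INNER_PROTO + 1:
        return None
    if struct.unpack("!H", udp[2:4])[0] != port:
        return None
    if not udp[OFF_VXLAN_FLAGS] & 0x08:           # I flag: VNI field is valid
        return None
    if udp[OFF_INNER_ETHERTYPE:OFF_INNER_ETHERTYPE + 2] != b"\x08\x00":
        return None
    return udp[OFF_INNER_PROTO]


def vxlan_vni(frame: bytes):
    """24-bit VNI of a VXLAN frame, or None."""
    udp = outer_udp(frame)
    if udp is None or len(udp) < OFF_VXLAN_VNI + 3:
        return None
    return int.from_bytes(udp[OFF_VXLAN_VNI:OFF_VXLAN_VNI + 3], "big")


def build_vxlan_frame(vni: int, inner_proto: int, inner_payload: bytes) -> bytes:
    """Constructed test frame: Ethernet/IPv4/UDP/VXLAN around Ethernet/IPv4/<inner_payload>.
    Checksums are zero (hypothetical packets, not taken from a real capture)."""
    def ipv4(proto, payload, ttl, src, dst):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                           ttl, proto, 0, src, dst) + payload

    inner_eth = (b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
                 + ipv4(inner_proto, inner_payload, 64,
                        bytes([172, 31, 81, 89]), bytes([8, 8, 8, 8])))
    vxlan = b"\x08\x00\x00\x00" + vni.to_bytes(3, "big") + b"\x00"   # flags=I, VNI, reserved
    udp_payload = vxlan + inner_eth
    udp = struct.pack("!HHHH", 65513, VXLAN_PORT, UDP_HDR_LEN + len(udp_payload), 0) + udp_payload
    outer_ip = ipv4(17, udp, 255, bytes([172, 31, 81, 89]), bytes([172, 31, 82, 247]))
    return b"\x02\x00\x00\x00\x00\xb0" + b"\x02\x00\x00\x00\x00\xa0" + b"\x08\x00" + outer_ip


# Constructed samples: an ICMP echo request (8-byte header + 56 bytes data, like ping)
# and a TCP segment (20-byte header), both inside VNI 3517757 as in the capture above.
ICMP_FRAME = build_vxlan_frame(3517757, 1, b"\x08\x00\x00\x00\x32\x64\x1b\xd9" + bytes(56))
TCP_FRAME = build_vxlan_frame(3517757, 6, bytes(20))

if __name__ == "__main__":
    print("outer proto:", outer_ip_proto(ICMP_FRAME), "(UDP, so `icmp` cannot match)")
    print("capture filter:", vxlan_inner_bpf(1))
    for name, frame in (("icmp", ICMP_FRAME), ("tcp", TCP_FRAME)):
        print(name, "vni", vxlan_vni(frame), "inner proto", vxlan_inner_proto(frame))
```

The generated expression can be passed verbatim as a capture filter, e.g. `sudo tcpdump -nvi ens6 'udp dst port 4789 and udp[8] & 0x08 = 0x08 and udp[28:2] = 0x0800 and udp[39] = 1'` or `tshark -i ens6 -f '...'`, and is compiled into BPF like any other primitive, so the kernel drops non-matching frames before they reach user space. Extend it with `udp[12:4] & 0xffffff00 = 0x35ad3d00` to pin a VNI, or change the final byte to 6 or 17 for inner TCP or UDP. The offsets break if the inner frame carries an 802.1Q tag (add 4) or the outer packet is IPv6 (`udp[N]` is still relative to the UDP header, so outer IP options do not shift them).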