Process the GRE payload
Carter Bullard
carter at qosient.com
Thu Apr 2 12:10:32 EDT 2015
Hey Ming,
I’ve modified your patch so that we deal with any occurence of
ETHERTYPE_TRANSPARENT_BRIDGE protocol packets, whether it comes
from GRE or whatever tunnels.
So the processing is done in ArgusProcessPacketHdrs() rather
than in ArgusProcessGreHdr(). If you can test this when I
put out the next version, that would be great !!!
Thanks again for your patch !!!!
Carter
> On Mar 31, 2015, at 1:52 PM, MING FU <fuming188 at yahoo.ca> wrote:
>
> Hi,
>
> I was using argus to monitor the L3 SPAN from VMWare. The VMWare sends the packet from its virtual LAN wrapped in GRE tunnel to the monitor port. The GRE Header type field is 0x6558. The GRE payload is the original packet from the virtual LAN start from the Ethernet header. The ArgusProcessGreHdr should return Ethernet for the tunnel payload to be recoganized as Ethernet.
>
> Here is a patch for this change:
>
> --- dist-plain/argus/ArgusModeler.c2011-02-25 18:36:33.000000000 +0000
> +++ dist-track/argus/ArgusModeler.c2015-03-31 17:25:12.000000000 +0000
> @@ -809,6 +809,8 @@
> #define GRE_RECRS 0x0700 /* recursion count */
> #define GRE_AP 0x0080 /* acknowledgment# present */
>
> +#define GRE_TRANSPARENT_ETHERNET_BRIDGING 0x6558 /* VMWare L3 SPAN */
> +
> int
> ArgusProcessGreHdr (struct ArgusModelerStruct *model, struct ip *ip, int length)
> {
> @@ -897,6 +899,16 @@
> ArgusDebug (8, "ArgusProcessGreHdr(%p, %p, %d) returning 0x%x\n", model, ip, length, retn);
> #endif
>
> + switch (retn) {
> + case GRE_TRANSPARENT_ETHERNET_BRIDGING:
> +#ifdef ARGUSDEBUG
> + ArgusDebug (8, "VMWare L3 SPAN GRE decap.\n");
> +#endif
> + retn = ARGUS_ETHER_HDR;
> + break;
> + default:
> + break;
> + }
> return (retn);
>
> }
>
> Regards,
> Ming
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6837 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20150402/8fd6d37b/attachment.bin>
More information about the argus
mailing list