Process the GRE payload

Riccardo Veraldi Riccardo.Veraldi at cnaf.infn.it
Sat Apr 11 17:42:18 EDT 2015 

this means that argus now can look inside the GRE tunnel and see what is 
inside ?
it does it by default with version 3.0.8.1 ?

thank you

Rick


On 11/04/15 23:30, Carter Bullard wrote:
> Hey Ming,
> The new argus-3.0.8.1 has your transparent tunnel GRE encapsulation
> support in it, so if you could give it a try, that would be great !!!!
>
> ftp://ftp.qosient.com/dev/argus-3.0/argus-3.0.8.1.tar.gz
> http://qosient.com/argus/dev/argus-3.0.8.1.tar.gz
>
> Carter
>
>> On Apr 2, 2015, at 12:54 PM, MING FU <fuming188 at yahoo.ca 
>> <mailto:fuming188 at yahoo.ca>> wrote:
>>
>> Hi Carter,
>>
>>
>> I sure will test it. Just point me to the new code.
>>
>> Thanks,
>> Ming
>>
>>
>> ----- Original Message -----
>> From: Carter Bullard <carter at qosient.com <mailto:carter at qosient.com>>
>> To: MING FU <fuming188 at yahoo.ca <mailto:fuming188 at yahoo.ca>>
>> Cc: Argus <argus-info at lists.andrew.cmu.edu 
>> <mailto:argus-info at lists.andrew.cmu.edu>>
>> Sent: Thursday, April 2, 2015 12:10 PM
>> Subject: Re: [ARGUS] Process the GRE payload
>>
>> Hey Ming,
>> I’ve modified your patch so that we deal with any occurence of
>> ETHERTYPE_TRANSPARENT_BRIDGE protocol packets, whether it comes
>> from GRE or whatever tunnels.
>>
>> So the processing is done in ArgusProcessPacketHdrs() rather
>> than in ArgusProcessGreHdr().  If you can test this when I
>> put out the next version, that would be great !!!
>>
>> Thanks again for your patch !!!!
>> Carter
>>
>>
>>> On Mar 31, 2015, at 1:52 PM, MING FU <fuming188 at yahoo.ca 
>>> <mailto:fuming188 at yahoo.ca>> wrote:
>>>
>>> Hi,
>>>
>>> I was using argus to monitor the L3 SPAN from VMWare. The VMWare 
>>> sends the packet from its virtual LAN wrapped in GRE tunnel to the 
>>> monitor port. The GRE Header type field is 0x6558. The GRE payload 
>>> is the original packet from the virtual LAN start from the Ethernet 
>>> header. The ArgusProcessGreHdr should return Ethernet for the tunnel 
>>> payload to be recoganized as Ethernet.
>>>
>>> Here is a patch for this change:
>>>
>>> --- dist-plain/argus/ArgusModeler.c2011-02-25 18:36:33.000000000 +0000
>>> +++ dist-track/argus/ArgusModeler.c2015-03-31 17:25:12.000000000 +0000
>>> @@ -809,6 +809,8 @@
>>> #define GRE_RECRS       0x0700          /* recursion count */
>>> #define GRE_AP          0x0080          /* acknowledgment# present */
>>>
>>> +#define GRE_TRANSPARENT_ETHERNET_BRIDGING       0x6558 /* VMWare L3 
>>> SPAN */
>>> +
>>> int
>>> ArgusProcessGreHdr (struct ArgusModelerStruct *model, struct ip *ip, 
>>> int length)
>>> {
>>> @@ -897,6 +899,16 @@
>>>   ArgusDebug (8, "ArgusProcessGreHdr(%p, %p, %d) returning 0x%x\n", 
>>> model, ip, length, retn);
>>> #endif
>>>
>>> +   switch (retn) {
>>> +   case GRE_TRANSPARENT_ETHERNET_BRIDGING:
>>> +#ifdef ARGUSDEBUG
>>> +   ArgusDebug (8, "VMWare L3 SPAN GRE decap.\n");
>>> +#endif
>>> +        retn = ARGUS_ETHER_HDR;
>>> +        break;
>>> +   default:
>>> +       break;
>>> +   }
>>>   return (retn);
>>>
>>> }
>>>
>>> Regards,
>>> Ming
>>>
>>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20150411/e1e656d5/attachment.html>

More information about the argus mailing list