Process the GRE payload

Riccardo Veraldi Riccardo.Veraldi at cnaf.infn.it
Sat Apr 11 22:10:16 EDT 2015


Thank you for your explanation.
I am planning to use argus for OpenStack network node traffic analysis.
Is VXLAN parsing also supported?
thank you

Rick


On 12/04/15 01:21, Carter Bullard wrote:
> Hey Rick,
> Argus parses through GRE tunnels by default, but that is not new.
> We’ve treated GRE tunnels as just sub-IP encapsulations since argus-2.1.
>
> In this release, we’re parsing when VMware uses GRE tunnels for
> packet capture, which use the ETHERNET_TRANSPARENT_BRIDGE
> encapsulation in the tunnel.
>
> This enables argus to read packets from the VMware Hypervisor when
> it uses this mode.
>
> Carter
>
>
>
>> On Apr 11, 2015, at 5:42 PM, Riccardo Veraldi
>> <Riccardo.Veraldi at cnaf.infn.it> wrote:
>>
>> this means that argus now can look inside the GRE tunnel and see what 
>> is inside ?
>> it does it by default with version 3.0.8.1 ?
>>
>> thank you
>>
>> Rick
>>
>>
>> On 11/04/15 23:30, Carter Bullard wrote:
>>> Hey Ming,
>>> The new argus-3.0.8.1 has your transparent tunnel GRE encapsulation
>>> support in it, so if you could give it a try, that would be great !!!!
>>>
>>> ftp://ftp.qosient.com/dev/argus-3.0/argus-3.0.8.1.tar.gz
>>> http://qosient.com/argus/dev/argus-3.0.8.1.tar.gz
>>>
>>> Carter
>>>
>>>> On Apr 2, 2015, at 12:54 PM, MING FU <fuming188 at yahoo.ca> wrote:
>>>>
>>>> Hi Carter,
>>>>
>>>>
>>>> I sure will test it. Just point me to the new code.
>>>>
>>>> Thanks,
>>>> Ming
>>>>
>>>>
>>>> ----- Original Message -----
>>>> From: Carter Bullard <carter at qosient.com>
>>>> To: MING FU <fuming188 at yahoo.ca>
>>>> Cc: Argus <argus-info at lists.andrew.cmu.edu>
>>>> Sent: Thursday, April 2, 2015 12:10 PM
>>>> Subject: Re: [ARGUS] Process the GRE payload
>>>>
>>>> Hey Ming,
>>>> I’ve modified your patch so that we deal with any occurrence of
>>>> ETHERTYPE_TRANSPARENT_BRIDGE protocol packets, whether it comes
>>>> from GRE or whatever tunnels.
>>>>
>>>> So the processing is done in ArgusProcessPacketHdrs() rather
>>>> than in ArgusProcessGreHdr().  If you can test this when I
>>>> put out the next version, that would be great !!!
>>>>
>>>> Thanks again for your patch !!!!
>>>> Carter
>>>>
>>>>
>>>>> On Mar 31, 2015, at 1:52 PM, MING FU <fuming188 at yahoo.ca> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I was using argus to monitor the L3 SPAN from VMWare. The VMWare 
>>>>> sends the packet from its virtual LAN wrapped in GRE tunnel to the 
>>>>> monitor port. The GRE Header type field is 0x6558. The GRE payload 
>>>>> is the original packet from the virtual LAN starting from the 
>>>>> Ethernet header. The ArgusProcessGreHdr should return Ethernet for 
>>>>> the tunnel payload to be recognized as Ethernet.
>>>>>
>>>>> Here is a patch for this change:
>>>>>
>>>>> --- dist-plain/argus/ArgusModeler.c2011-02-25 18:36:33.000000000 +0000
>>>>> +++ dist-track/argus/ArgusModeler.c2015-03-31 17:25:12.000000000 +0000
>>>>> @@ -809,6 +809,8 @@
>>>>> #define GRE_RECRS       0x0700          /* recursion count */
>>>>> #define GRE_AP          0x0080          /* acknowledgment# present */
>>>>>
>>>>> +#define GRE_TRANSPARENT_ETHERNET_BRIDGING       0x6558 /* VMWare 
>>>>> L3 SPAN */
>>>>> +
>>>>> int
>>>>> ArgusProcessGreHdr (struct ArgusModelerStruct *model, struct ip 
>>>>> *ip, int length)
>>>>> {
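Review bot: 0x6558 is the GRE header's protocol type, yet the new #define sits directly under the GRE_RECRS and GRE_AP flag masks and shares their GRE_ prefix, so it reads as one more flag bit. Consider an ETHERTYPE_-style name kept with the other protocol types, and a comment that names Transparent Ethernet Bridging rather than only "VMWare L3 SPAN", since the macro's own name says the value is not VMware-specific. As posted, the #define line and the ArgusProcessGreHdr prototype are wrapped across two lines by the mailer, so the hunk will not apply until they are rejoined.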
>>>>> @@ -897,6 +899,16 @@
>>>>>   ArgusDebug (8, "ArgusProcessGreHdr(%p, %p, %d) returning 
>>>>> 0x%x\n", model, ip, length, retn);
>>>>> #endif
>>>>>
>>>>> +   switch (retn) {
>>>>> +   case GRE_TRANSPARENT_ETHERNET_BRIDGING:
>>>>> +#ifdef ARGUSDEBUG
>>>>> +   ArgusDebug (8, "VMWare L3 SPAN GRE decap.\n");
>>>>> +#endif
>>>>> +        retn = ARGUS_ETHER_HDR;
>>>>> +        break;
>>>>> +   default:
>>>>> +       break;
>>>>> +   }
>>>>>   return (retn);
>>>>>
>>>>> }
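Review bot: the switch sits after the ArgusDebug trace that prints "returning 0x%x", so with ARGUSDEBUG on the log reports the value from before the remapping while the function actually returns ARGUS_ETHER_HDR; move the remapping above the trace or log the final retn. Nothing in these lines checks that length still covers an Ethernet header before the payload is reclassified as Ethernet, so confirm the caller validates it. A single case with an empty default would read more simply as an if, and the indentation of the added lines is inconsistent.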
>>>>>
>>>>> Regards,
>>>>> Ming
>>>>>
>>>>
>>>
>>
>
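
The decapsulation described in Ming's original message at the bottom of the thread (GRE protocol type 0x6558, payload starting at the inner Ethernet header), as an added C example that is not Argus code and not from any poster. The function name and the constructed sample bytes are assumptions; the code walks the optional GRE fields and bounds-checks before reading the inner EtherType.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GRE_CSUM      0x8000  /* checksum + reserved word present (4 bytes) */
#define GRE_ROUTING   0x4000  /* RFC 1701 source routing present */
#define GRE_KEY       0x2000  /* key present (4 bytes) */
#define GRE_SEQ       0x1000  /* sequence number present (4 bytes) */
#define GRE_VERSION   0x0007  /* version field, must be 0 here */
#define ETHERTYPE_TEB 0x6558  /* Transparent Ethernet Bridging */
#define ETHER_HDR_LEN 14

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hypothetical helper: returns the inner EtherType when the GRE payload is a
 * bridged Ethernet frame, 0 when GRE carries some other protocol, and -1 when
 * the header is truncated or uses a layout this sketch does not handle. */
int gre_teb_inner_ethertype(const uint8_t *gre, size_t len)
{
    size_t off = 4;                        /* flags/version + protocol type */
    if (len < off) return -1;
    uint16_t flags = be16(gre), proto = be16(gre + 2);
    if (flags & (GRE_VERSION | GRE_ROUTING)) return -1;
    if (flags & GRE_CSUM) off += 4;
    if (flags & GRE_KEY)  off += 4;
    if (flags & GRE_SEQ)  off += 4;
    if (len < off) return -1;              /* optional fields run past the buffer */
    if (proto != ETHERTYPE_TEB) return 0;
    if (len - off < ETHER_HDR_LEN) return -1;  /* no room for dst, src, type */
    return be16(gre + off + 12);
}

/* Constructed sample GRE headers and payloads (not captured traffic). */
static const uint8_t teb_plain[] = { 0x00,0x00,0x65,0x58,
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x08,0x00 };
static const uint8_t teb_keyed[] = { 0x20,0x00,0x65,0x58, 0,0,0,0x2a,
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x86,0xdd };
static const uint8_t teb_short[] = { 0x00,0x00,0x65,0x58, 0x02,0,0,0,0,0x01 };
static const uint8_t gre_ipv4[]  = { 0x00,0x00,0x08,0x00, 0x45,0x00 };

int main(void)
{
    printf("plain %d keyed %d short %d ipv4 %d\n",
           gre_teb_inner_ethertype(teb_plain, sizeof teb_plain),
           gre_teb_inner_ethertype(teb_keyed, sizeof teb_keyed),
           gre_teb_inner_ethertype(teb_short, sizeof teb_short),
           gre_teb_inner_ethertype(gre_ipv4, sizeof gre_ipv4));
    return 0;
}
```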
