Process the GRE payload

Carter Bullard carter at qosient.com
Sat Apr 11 23:55:33 EDT 2015


Hey Rick,
As always, if there is an encapsulation or DLT type that argus doesn’t do,
just send specifics to the list and we’ll add it.
Carter
 

> On Apr 11, 2015, at 10:10 PM, Riccardo Veraldi <Riccardo.Veraldi at cnaf.infn.it> wrote:
> 
> thank you for your explanantion.
> I am planning to use argus for OpenStack network node traffic analysis.
> VXLAN parsing is also supported ?
> thank you
> 
> Rick
> 
> 
> On 12/04/15 01:21, Carter Bullard wrote:
>> Hey Rick,
>> Argus parses through GRE tunnels by default, but that is not new.
>> We’ve treated GRE tunnels as just sub-IP encapsulations since argus-2.1.
>> 
>> In this release, we’re are parsing when Vmware using GRE tunnels for
>> packet capture, which use the ETHERNET_TRANSPARENT_BRIDGE
>> encapsulation in the tunnel.
>> 
>> This enables argus to read packets from the Vmware Hypervisor when
>> it uses this mode.
>> 
>> Carter
>> 
>> 
>>  
>> 
>>> On Apr 11, 2015, at 5:42 PM, Riccardo Veraldi <Riccardo.Veraldi at cnaf.infn.it <mailto:Riccardo.Veraldi at cnaf.infn.it>> wrote:
>>> 
>>> this means that argus now can look inside the GRE tunnel and see what is inside ?
>>> it does it by default with version 3.0.8.1 ?
>>> 
>>> thank you
>>> 
>>> Rick
>>> 
>>> 
>>> On 11/04/15 23:30, Carter Bullard wrote:
>>>> Hey Ming,
>>>> The new argus-3.0.8.1 has your transparent tunnel GRE encapsulation
>>>> support in it, so if you could give it a try, that would be great !!!!  
>>>> 
>>>>    ftp://ftp.qosient.com/dev/argus-3.0/argus-3.0.8.1.tar.gz <ftp://ftp.qosient.com/dev/argus-3.0/argus-3.0.8.1.tar.gz>
>>>>    http://qosient.com/argus/dev/argus-3.0.8.1.tar.gz <http://qosient.com/argus/dev/argus-3.0.8.1.tar.gz>
>>>> 
>>>> Carter   
>>>> 
>>>>> On Apr 2, 2015, at 12:54 PM, MING FU <fuming188 at yahoo.ca <mailto:fuming188 at yahoo.ca>> wrote:
>>>>> 
>>>>> Hi Carter,
>>>>> 
>>>>> 
>>>>> I sure will test it. Just point me to the new code. 
>>>>> 
>>>>> Thanks,
>>>>> Ming
>>>>> 
>>>>> 
>>>>> ----- Original Message -----
>>>>> From: Carter Bullard <carter at qosient.com <mailto:carter at qosient.com>>
>>>>> To: MING FU <fuming188 at yahoo.ca <mailto:fuming188 at yahoo.ca>>
>>>>> Cc: Argus <argus-info at lists.andrew.cmu.edu <mailto:argus-info at lists.andrew.cmu.edu>>
>>>>> Sent: Thursday, April 2, 2015 12:10 PM
>>>>> Subject: Re: [ARGUS] Process the GRE payload
>>>>> 
>>>>> Hey Ming,
>>>>> I’ve modified your patch so that we deal with any occurence of
>>>>> ETHERTYPE_TRANSPARENT_BRIDGE protocol packets, whether it comes
>>>>> from GRE or whatever tunnels.
>>>>> 
>>>>> So the processing is done in ArgusProcessPacketHdrs() rather
>>>>> than in ArgusProcessGreHdr().  If you can test this when I
>>>>> put out the next version, that would be great !!!
>>>>> 
>>>>> Thanks again for your patch !!!!
>>>>> Carter
>>>>> 
>>>>> 
>>>>>> On Mar 31, 2015, at 1:52 PM, MING FU <fuming188 at yahoo.ca <mailto:fuming188 at yahoo.ca>> wrote:
>>>>>> 
>>>>>> Hi,
>>>>>> 
>>>>>> I was using argus to monitor the L3 SPAN from VMWare. The VMWare sends the packet from its virtual LAN wrapped in GRE tunnel to the monitor port. The GRE Header type field is 0x6558. The GRE payload is the original packet from the virtual LAN start from the Ethernet header. The ArgusProcessGreHdr should return Ethernet for the tunnel payload to be recoganized as Ethernet.
>>>>>> 
>>>>>> Here is a patch for this change:
>>>>>> 
>>>>>> --- dist-plain/argus/ArgusModeler.c2011-02-25 18:36:33.000000000 +0000
>>>>>> +++ dist-track/argus/ArgusModeler.c2015-03-31 17:25:12.000000000 +0000
>>>>>> @@ -809,6 +809,8 @@
>>>>>> #define GRE_RECRS       0x0700          /* recursion count */
>>>>>> #define GRE_AP          0x0080          /* acknowledgment# present */
>>>>>> 
>>>>>> +#define GRE_TRANSPARENT_ETHERNET_BRIDGING       0x6558 /* VMWare L3 SPAN */
>>>>>> +
>>>>>> int
>>>>>> ArgusProcessGreHdr (struct ArgusModelerStruct *model, struct ip *ip, int length)
>>>>>> {
>>>>>> @@ -897,6 +899,16 @@
>>>>>>   ArgusDebug (8, "ArgusProcessGreHdr(%p, %p, %d) returning 0x%x\n", model, ip, length, retn);
>>>>>> #endif 
>>>>>> 
>>>>>> +   switch (retn) {
>>>>>> +   case GRE_TRANSPARENT_ETHERNET_BRIDGING:
>>>>>> +#ifdef ARGUSDEBUG
>>>>>> +   ArgusDebug (8, "VMWare L3 SPAN GRE decap.\n");
>>>>>> +#endif 
>>>>>> +        retn = ARGUS_ETHER_HDR;
>>>>>> +        break;
>>>>>> +   default:
>>>>>> +       break;
>>>>>> +   }
>>>>>>   return (retn);
>>>>>> 
>>>>>> }
>>>>>> 
>>>>>> Regards,
>>>>>> Ming
>>>>>> 
>>>>> 
>>>> 
>>> 
>> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20150411/3c20e471/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3563 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20150411/3c20e471/attachment.bin>


More information about the argus mailing list