how to look inside gre tunnels ?
Carter Bullard
carter at qosient.com
Wed Apr 15 12:30:05 EDT 2015
Hey Riccardo,
Your filter is choosing to see only the GRE control traffic. These are the flows that have GRE as the outer layer protocol.
You should run:
ra -r /var/log/argus/argus.out - encaps gre
You will potentially see ipv4, ipv6, ethernet, icmp, udp and tcp traffic, since that is what could be in the tunnel.
If you have any problems, don’t hesitate to send to the list.
Our commercial sensors parse more tunnels and capture more tunnel info, if you are interested.
Carter
> On Apr 15, 2015, at 12:21 PM, Riccardo Veraldi <Riccardo.Veraldi at cnaf.infn.it> wrote:
>
> Hello I am using argus to monitor traffic on the OpenStack network node
>
> of course I can see the gre traffic between network node and hypervisors, but how to look what is passing inside the gre tunnel ?
>
> thank you!
>
> ra -r /var/log/argus/argus.out - proto gre
>
> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
> 18:02:28.753615 * gre 192.168.32.155 -> 192.168.32.141 7 1416 INT
> 18:02:43.048531 * gre 192.168.32.155 -> 192.168.32.141 1 384 REQ
> 18:02:51.480639 * gre 192.168.32.141 <-> 192.168.32.152 2 192 CON
> 18:02:55.250461 * gre 192.168.32.155 -> 192.168.32.141 1 384 REQ
> 18:02:56.486193 * gre 192.168.32.141 <-> 192.168.32.152 2 168 CON
> 18:03:08.237235 * gre 192.168.32.141 -> 192.168.32.151 1 96 INT
> 18:03:11.598985 * gre 192.168.32.155 -> 192.168.32.141 7 1416 REQ
> 18:03:13.244984 * gre 192.168.32.141 <-> 192.168.32.151 2 168 CON
> 18:03:18.388452 * gre 192.168.32.155 -> 192.168.32.141 2 768 REQ
> 18:03:30.587969 * gre 192.168.32.141 <-> 192.168.32.153 3 360 CON
> 18:03:35.596982 * gre 192.168.32.141 <-> 192.168.32.153 2 168 CON
> 18:03:36.072892 * gre 192.168.32.155 -> 192.168.32.141 1 384 REQ
> 18:03:51.887398 * gre 192.168.32.141 <-> 192.168.32.153 5734 6351860 CON
> 18:03:55.790966 * gre 192.168.32.152 <-> 192.168.32.141 2 264 CON
> 18:03:55.898084 * gre 192.168.32.155 -> 192.168.32.141 6 1284 REQ
> 18:04:00.806343 * gre 192.168.32.152 <-> 192.168.32.141 2 168 CON
> 18:04:00.806804 * gre 192.168.32.141 <-> 192.168.32.153 5056 6196176 CON
> 18:04:01.022460 * gre 192.168.32.155 -> 192.168.32.141 2 516 REQ
> 18:04:05.820967 * gre 192.168.32.141 <-> 192.168.32.153 8 930 CON
> 18:04:09.979538 * gre 192.168.32.155 -> 192.168.32.141 1 384 REQ
> 18:04:18.295011 * gre 192.168.32.155 -> 192.168.32.141 1 384 REQ
> 18:04:18.792758 * gre 192.168.32.152 <-> 192.168.32.141 2 264 CON
>
>
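The reply above distinguishes flows whose outer protocol is GRE from the traffic carried inside the tunnel. As an added example (not part of the original message and not Argus code), this minimal Python decoder looks past the outer IPv4 and GRE headers to report the inner flow. The sample packet, inner addresses and key are constructed, and the untagged bridged-Ethernet payload type (0x6558) is an assumption about what the tunnel carries.

```python
import socket
import struct

GRE_PROTO, ETH_IPV4, ETH_TEB = 47, 0x0800, 0x6558  # TEB = bridged Ethernet
IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre"}

def parse_ipv4(pkt):
    """Return (protocol, src, dst, payload) for an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    return pkt[9], src, dst, pkt[ihl:]

def parse_gre(data):
    """Return (protocol_type, key, payload) for a GRE header (RFC 2784/2890)."""
    flags, ptype = struct.unpack("!HH", data[:4])
    off = 8 if flags & 0x8000 else 4      # C bit: checksum + reserved word
    key = None
    if flags & 0x2000:                    # K bit: 32-bit key (tunnel id)
        key = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    off += 4 if flags & 0x1000 else 0     # S bit: sequence number
    return ptype, key, data[off:]

def inner_flow(pkt):
    """Describe the flow carried inside a GRE packet, or None if not GRE."""
    proto, osrc, odst, payload = parse_ipv4(pkt)
    if proto != GRE_PROTO:
        return None
    ptype, key, inner = parse_gre(payload)
    if ptype == ETH_TEB:                  # skip the untagged Ethernet header
        ptype, inner = struct.unpack("!H", inner[12:14])[0], inner[14:]
    if ptype != ETH_IPV4:                 # e.g. IPv6: report the type only
        return {"outer": (osrc, odst), "key": key, "inner_ethertype": hex(ptype)}
    iproto, isrc, idst, _ = parse_ipv4(inner)
    return {"outer": (osrc, odst), "key": key,
            "inner": (IP_PROTO_NAMES.get(iproto, str(iproto)), isrc, idst)}

def ipv4(proto, src, dst, payload=b""):
    """Build a minimal IPv4 packet (constructed sample data, checksum left 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

# Constructed sample: TCP from 10.0.0.5 to 10.0.0.9 bridged over keyed GRE.
INNER = b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ipv4(6, "10.0.0.5", "10.0.0.9")
SAMPLE = ipv4(GRE_PROTO, "192.168.32.141", "192.168.32.153",
              struct.pack("!HHI", 0x2000, ETH_TEB, 42) + INNER)
```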