how to look inside gre tunnels ?
Riccardo Veraldi
Riccardo.Veraldi at cnaf.infn.it
Wed Apr 15 12:34:10 EDT 2015
I don't know why, but I see the same thing as using "proto gre".
Actually I expect to see tcp traffic on port 587, since I have submission
mail servers there, but I can only see gre... this is weird.
ra -r /var/log/argus/argus.out - encaps gre
StartTime        Flgs  Proto  SrcAddr          Sport  Dir  DstAddr          Dport  TotPkts  TotBytes  State
18:02:28.753615  *     gre    192.168.32.155          ->   192.168.32.141                7      1416  INT
18:02:43.048531  *     gre    192.168.32.155          ->   192.168.32.141                1       384  REQ
18:02:51.480639  *     gre    192.168.32.141          <->  192.168.32.152                2       192  CON
18:02:55.250461  *     gre    192.168.32.155          ->   192.168.32.141                1       384  REQ
18:02:56.486193  *     gre    192.168.32.141          <->  192.168.32.152                2       168  CON
18:03:08.237235  *     gre    192.168.32.141          ->   192.168.32.151                1        96  INT
18:03:11.598985  *     gre    192.168.32.155          ->   192.168.32.141                7      1416  REQ
18:03:13.244984  *     gre    192.168.32.141          <->  192.168.32.151                2       168  CON
18:03:18.388452  *     gre    192.168.32.155          ->   192.168.32.141                2       768  REQ
18:03:30.587969  *     gre    192.168.32.141          <->  192.168.32.153                3       360  CON
On 15/04/15 18:30, Carter Bullard wrote:
> Hey Riccardo,
> Your filter is choosing to see only the GRE control traffic. These
> are the flows that have GRE as the outer layer protocol.
>
> You should run:
>
> ra -r /var/log/argus/argus.out - encaps gre
>
> You will potentially see ipv4, ipv6, ethernet, icmp, udp and tcp
> traffic, since that is what could be in the tunnel.
> If you have any problems, don’t hesitate to send to the list.
>
> Our commercial sensors parse more tunnels and capture more tunnel
> info, if you are interested.
>
> Carter
>
>> On Apr 15, 2015, at 12:21 PM, Riccardo Veraldi
>> <Riccardo.Veraldi at cnaf.infn.it
>> <mailto:Riccardo.Veraldi at cnaf.infn.it>> wrote:
>>
>> Hello, I am using argus to monitor traffic on the OpenStack network node.
>>
>> Of course I can see the gre traffic between the network node and the
>> hypervisors, but how do I look at what is passing inside the gre tunnel?
>>
>> thank you!
>>
>> ra -r /var/log/argus/argus.out - proto gre
>>
>> StartTime        Flgs  Proto  SrcAddr          Sport  Dir  DstAddr          Dport  TotPkts  TotBytes  State
>> 18:02:28.753615  *     gre    192.168.32.155          ->   192.168.32.141                7      1416  INT
>> 18:02:43.048531  *     gre    192.168.32.155          ->   192.168.32.141                1       384  REQ
>> 18:02:51.480639  *     gre    192.168.32.141          <->  192.168.32.152                2       192  CON
>> 18:02:55.250461  *     gre    192.168.32.155          ->   192.168.32.141                1       384  REQ
>> 18:02:56.486193  *     gre    192.168.32.141          <->  192.168.32.152                2       168  CON
>> 18:03:08.237235  *     gre    192.168.32.141          ->   192.168.32.151                1        96  INT
>> 18:03:11.598985  *     gre    192.168.32.155          ->   192.168.32.141                7      1416  REQ
>> 18:03:13.244984  *     gre    192.168.32.141          <->  192.168.32.151                2       168  CON
>> 18:03:18.388452  *     gre    192.168.32.155          ->   192.168.32.141                2       768  REQ
>> 18:03:30.587969  *     gre    192.168.32.141          <->  192.168.32.153                3       360  CON
>> 18:03:35.596982  *     gre    192.168.32.141          <->  192.168.32.153                2       168  CON
>> 18:03:36.072892  *     gre    192.168.32.155          ->   192.168.32.141                1       384  REQ
>> 18:03:51.887398  *     gre    192.168.32.141          <->  192.168.32.153             5734   6351860  CON
>> 18:03:55.790966  *     gre    192.168.32.152          <->  192.168.32.141                2       264  CON
>> 18:03:55.898084  *     gre    192.168.32.155          ->   192.168.32.141                6      1284  REQ
>> 18:04:00.806343  *     gre    192.168.32.152          <->  192.168.32.141                2       168  CON
>> 18:04:00.806804  *     gre    192.168.32.141          <->  192.168.32.153             5056   6196176  CON
>> 18:04:01.022460  *     gre    192.168.32.155          ->   192.168.32.141                2       516  REQ
>> 18:04:05.820967  *     gre    192.168.32.141          <->  192.168.32.153                8       930  CON
>> 18:04:09.979538  *     gre    192.168.32.155          ->   192.168.32.141                1       384  REQ
>> 18:04:18.295011  *     gre    192.168.32.155          ->   192.168.32.141                1       384  REQ
>> 18:04:18.792758  *     gre    192.168.32.152          <->  192.168.32.141                2       264  CON
>>
>>
>
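To make concrete what "looking inside" a GRE tunnel means at the packet level (the distinction between the outer GRE flow that "proto gre" shows and the inner tcp/udp/icmp flows that an encapsulation-aware filter is supposed to report), here is an added example that is not part of the thread and not argus code. It builds one constructed frame, outer IPv4 between the network node and a hypervisor from the thread with GRE (IP protocol 47) carrying an Ethernet frame (GRE protocol type 0x6558, transparent Ethernet bridging, with the GRE key set, which is how OVS-based Neutron GRE tunnels carry tenant traffic), and inside that a made-up guest TCP connection to port 587. The decapsulation walks outer IPv4, the variable-length GRE header, the Ethernet header and the inner IPv4/TCP headers and returns the inner 5-tuple. The inner addresses, MACs, ports and GRE key are invented; checksums are left zero because the frame is constructed, not captured.

```python
import struct

# Protocol constants (IANA numbers; GRE header layout per RFC 2784 / RFC 2890).
IPPROTO_GRE = 47
IPPROTO_TCP = 6
ETH_P_IP = 0x0800
ETH_P_TEB = 0x6558          # transparent Ethernet bridging: OVS/Neutron GRE carries L2 frames
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQ = 0x1000


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_ipv4(src, dst, proto, payload):
    # Header checksum left as 0: constructed test frame, not a wire-valid one.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, _ip(src), _ip(dst))
    return hdr + payload


def build_gre(ptype, payload, key=None):
    flags = GRE_FLAG_KEY if key is not None else 0
    hdr = struct.pack("!HH", flags, ptype)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + payload


def build_eth(payload, ethertype=ETH_P_IP):
    # Invented locally-administered MACs; no 802.1Q tag.
    return (bytes.fromhex("0a0000000001") + bytes.fromhex("0a0000000002")
            + struct.pack("!H", ethertype) + payload)


def build_tcp(sport, dport):
    # Minimal 20-byte SYN, no options, no payload, checksum 0.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def parse_ipv4(buf):
    """Return (src, dst, proto, payload) honouring IHL and total length."""
    if buf[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (buf[0] & 0x0F) * 4
    total = struct.unpack("!H", buf[2:4])[0]
    src = ".".join(str(b) for b in buf[12:16])
    dst = ".".join(str(b) for b in buf[16:20])
    return src, dst, buf[9], buf[ihl:total]


def parse_gre(buf):
    """Return (protocol_type, key_or_None, payload); header grows with C/K/S flags."""
    flags, ptype = struct.unpack("!HH", buf[:4])
    off, key = 4, None
    if flags & GRE_FLAG_CHECKSUM:
        off += 4                      # checksum + reserved1
    if flags & GRE_FLAG_KEY:
        key = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_SEQ:
        off += 4                      # sequence number
    return ptype, key, buf[off:]


def decap(frame):
    """Outer IPv4 -> GRE -> optional Ethernet -> inner IPv4 -> TCP ports."""
    osrc, odst, oproto, payload = parse_ipv4(frame)
    rec = {"outer": (osrc, odst, oproto), "gre_key": None, "inner": None, "ports": None}
    if oproto != IPPROTO_GRE:
        return rec                    # plain (non-tunnelled) packet
    ptype, key, inner = parse_gre(payload)
    rec["gre_key"] = key
    if ptype == ETH_P_TEB:
        ethertype = struct.unpack("!H", inner[12:14])[0]
        inner = inner[14:]            # strip dst MAC, src MAC, ethertype
        if ethertype != ETH_P_IP:
            return rec                # VLAN-tagged or non-IPv4 inner frame: not handled here
    elif ptype != ETH_P_IP:
        return rec                    # e.g. IPv6 inside GRE: not handled here
    isrc, idst, iproto, ipayload = parse_ipv4(inner)
    rec["inner"] = (isrc, idst, iproto)
    if iproto == IPPROTO_TCP:
        rec["ports"] = struct.unpack("!HH", ipayload[:4])
    return rec


def sample_frame():
    # Constructed: outer endpoints are the network node and a hypervisor from the
    # thread; the inner guest addresses, ports and GRE key are made up.
    tcp = build_tcp(41000, 587)
    inner_ip = build_ipv4("10.0.0.5", "10.0.0.9", IPPROTO_TCP, tcp)
    gre = build_gre(ETH_P_TEB, build_eth(inner_ip), key=0x1)
    return build_ipv4("192.168.32.155", "192.168.32.141", IPPROTO_GRE, gre)


if __name__ == "__main__":
    print(decap(sample_frame()))
```

The outer tuple is what a "proto gre" view reports (both hosts, protocol 47, no ports); the inner tuple with destination port 587 is what an encapsulation-aware view has to reach after stepping over the GRE and Ethernet headers. The GRE header length depends on the C, K and S flag bits, so any decapsulator that assumes a fixed 4-byte header will misread keyed tunnels such as these. Inner IPv6, VLAN-tagged frames and non-TCP transports are deliberately returned without ports here rather than guessed at.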