how to look inside gre tunnels?

Carter Bullard carter at qosient.com
Wed Apr 15 12:37:22 EDT 2015


Are you capturing enough packet bytes to parse the GRE? What is your snaplen?
What version of argus are you using? If your GRE is using transparent bridging,
you'll need argus-3.0.8.1.

If none of that is helpful, capture some packets and send them to me, and I'll take a look.

Carter
 

> On Apr 15, 2015, at 12:34 PM, Riccardo Veraldi <Riccardo.Veraldi at cnaf.infn.it> wrote:
> 
> I don't know why, but I see the same thing as using "proto gre".
> 
> Actually I expect to see TCP traffic on port 587, since I have submission mail servers there, but I can only see GRE. This is weird.
> 
> ra -r /var/log/argus/argus.out - encaps gre
> 
>         StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State 
>    18:02:28.753615  *           gre     192.168.32.155           ->     192.168.32.141               7       1416   INT
>    18:02:43.048531  *           gre     192.168.32.155           ->     192.168.32.141               1        384   REQ
>    18:02:51.480639  *           gre     192.168.32.141          <->     192.168.32.152               2        192   CON
>    18:02:55.250461  *           gre     192.168.32.155           ->     192.168.32.141               1        384   REQ
>    18:02:56.486193  *           gre     192.168.32.141          <->     192.168.32.152               2        168   CON
>    18:03:08.237235  *           gre     192.168.32.141           ->     192.168.32.151               1         96   INT
>    18:03:11.598985  *           gre     192.168.32.155           ->     192.168.32.141               7       1416   REQ
>    18:03:13.244984  *           gre     192.168.32.141          <->     192.168.32.151               2        168   CON
>    18:03:18.388452  *           gre     192.168.32.155           ->     192.168.32.141               2        768   REQ
>    18:03:30.587969  *           gre     192.168.32.141          <->     192.168.32.153               3        360   CON
> 
> 
> 
> On 15/04/15 18:30, Carter Bullard wrote:
>> Hey Riccardo,
>> Your filter is choosing to see only the GRE control traffic. These are the flows that have GRE as the outer-layer protocol.
>> 
>> You should run:
>> 
>>    ra -r /var/log/argus/argus.out - encaps gre
>> 
>> You will potentially see IPv4, IPv6, Ethernet, ICMP, UDP and TCP traffic, since that is what could be in the tunnel.
>> If you have any problems, don't hesitate to send to the list.
>> 
>> Our commercial sensors parse more tunnels and capture more tunnel info, if you are interested.
>> 
>> Carter
>>  
>> 
>>> On Apr 15, 2015, at 12:21 PM, Riccardo Veraldi <Riccardo.Veraldi at cnaf.infn.it> wrote:
>>> 
>>> Hello, I am using argus to monitor traffic on the OpenStack network node.
>>> 
>>> Of course I can see the GRE traffic between the network node and the hypervisors, but how do I look at what is passing inside the GRE tunnel?
>>> 
>>> Thank you!
>>> 
>>> ra -r /var/log/argus/argus.out - proto gre
>>> 
>>>         StartTime      Flgs  Proto            SrcAddr  Sport Dir            DstAddr  Dport  TotPkts   TotBytes State
>>>   18:02:28.753615  *           gre     192.168.32.155 ->     192.168.32.141               7       1416   INT
>>>   18:02:43.048531  *           gre     192.168.32.155 ->     192.168.32.141               1        384   REQ
>>>   18:02:51.480639  *           gre     192.168.32.141 <->     192.168.32.152               2        192   CON
>>>   18:02:55.250461  *           gre     192.168.32.155 ->     192.168.32.141               1        384   REQ
>>>   18:02:56.486193  *           gre     192.168.32.141 <->     192.168.32.152               2        168   CON
>>>   18:03:08.237235  *           gre     192.168.32.141 ->     192.168.32.151               1         96   INT
>>>   18:03:11.598985  *           gre     192.168.32.155 ->     192.168.32.141               7       1416   REQ
>>>   18:03:13.244984  *           gre     192.168.32.141 <->     192.168.32.151               2        168   CON
>>>   18:03:18.388452  *           gre     192.168.32.155 ->     192.168.32.141               2        768   REQ
>>>   18:03:30.587969  *           gre     192.168.32.141 <->     192.168.32.153               3        360   CON
>>>   18:03:35.596982  *           gre     192.168.32.141 <->     192.168.32.153               2        168   CON
>>>   18:03:36.072892  *           gre     192.168.32.155 ->     192.168.32.141               1        384   REQ
>>>   18:03:51.887398  *           gre     192.168.32.141 <->     192.168.32.153            5734    6351860   CON
>>>   18:03:55.790966  *           gre     192.168.32.152 <->     192.168.32.141               2        264   CON
>>>   18:03:55.898084  *           gre     192.168.32.155 ->     192.168.32.141               6       1284   REQ
>>>   18:04:00.806343  *           gre     192.168.32.152 <->     192.168.32.141               2        168   CON
>>>   18:04:00.806804  *           gre     192.168.32.141 <->     192.168.32.153            5056    6196176   CON
>>>   18:04:01.022460  *           gre     192.168.32.155 ->     192.168.32.141               2        516   REQ
>>>   18:04:05.820967  *           gre     192.168.32.141 <->     192.168.32.153               8        930   CON
>>>   18:04:09.979538  *           gre     192.168.32.155 ->     192.168.32.141               1        384   REQ
>>>   18:04:18.295011  *           gre     192.168.32.155 ->     192.168.32.141               1        384   REQ
>>>   18:04:18.792758  *           gre     192.168.32.152 <->     192.168.32.141               2        264   CON
>>> 
>>> 
>> 
> 
> 
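Carter's two questions above, the snaplen and whether the tunnel carries bridged Ethernet (the case that needs argus-3.0.8.1), both come down to how many bytes of each GRE frame the sensor keeps before it can reach the inner headers. The following is an added Python example, not argus code and not from this thread: it walks a constructed outer Ethernet/IPv4/GRE frame through the optional GRE fields and the bridged inner Ethernet header into the inner IPv4/TCP headers, and reports the minimum snaplen a capture needs to see the inner ports (the inner 10.0.0.x addresses, the GRE key value and the sample ports are assumptions).

```python
import struct

ETH_LEN = 14
GRE_BRIDGED = 0x6558   # transparent Ethernet bridging: GRE payload is an Ethernet frame
GRE_IPV4 = 0x0800      # GRE payload is a bare IPv4 packet

def parse_ipv4(buf, off):
    """Return (protocol, src, dst, header_len) for the IPv4 header at buf[off:]."""
    dotted = lambda b: ".".join(str(x) for x in b)
    return buf[off + 9], dotted(buf[off + 12:off + 16]), dotted(buf[off + 16:off + 20]), (buf[off] & 0x0F) * 4

def gre_header_len(flags):
    """Base GRE header is 4 bytes; the C, K and S bits each add a 4-byte field (RFC 2784/2890)."""
    return 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)

def inspect_gre(frame, snaplen):
    """Walk outer Ethernet/IPv4/GRE, then inner [Ethernet/]IPv4/transport, on a complete frame.
    'needed_snaplen' is the byte count a capture must keep to reach the inner ports."""
    off = ETH_LEN
    oproto, osrc, odst, ihl = parse_ipv4(frame, off)
    if oproto != 47:
        raise ValueError("outer packet is not GRE (IP protocol 47)")
    off += ihl
    flags, ptype = struct.unpack_from("!HH", frame, off)
    off += gre_header_len(flags)
    if ptype == GRE_BRIDGED:
        off += ETH_LEN                      # skip the bridged inner Ethernet header
    elif ptype != GRE_IPV4:
        raise ValueError("unsupported GRE payload type 0x%04x" % ptype)
    iproto, isrc, idst, iihl = parse_ipv4(frame, off)
    off += iihl
    needed = off + 4                        # inner source + destination port fields
    info = {"outer": (osrc, odst), "gre_proto": ptype, "inner": (isrc, idst),
            "inner_proto": iproto, "needed_snaplen": needed, "truncated": snaplen < needed}
    if iproto in (6, 17) and not info["truncated"]:
        info["sport"], info["dport"] = struct.unpack_from("!HH", frame, off)
    return info

def ipv4_hdr(proto, src, dst, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; fine for a constructed sample)."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, addr(src), addr(dst))

# Constructed sample, not captured traffic: outer 192.168.32.155 -> 192.168.32.141 (addresses from
# the thread), GRE with the K bit set, transparent bridging, inner TCP to port 587 (assumed hosts).
_tcp = struct.pack("!HH", 40000, 587) + bytes(16)
_inner = bytes(12) + b"\x08\x00" + ipv4_hdr(6, "10.0.0.5", "10.0.0.9", len(_tcp)) + _tcp
_gre = struct.pack("!HHI", 0x2000, GRE_BRIDGED, 1234) + _inner
SAMPLE_FRAME = bytes(12) + b"\x08\x00" + ipv4_hdr(47, "192.168.32.155", "192.168.32.141", len(_gre)) + _gre
```

`inspect_gre(SAMPLE_FRAME, 64)` reports the frame as truncated (80 bytes are needed to reach the inner ports here), while `inspect_gre(SAMPLE_FRAME, 128)` returns the inner 10.0.0.5 -> 10.0.0.9 TCP flow with dport 587, which is what the `- encaps gre` filter should then be able to show.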
