how to look inside gre tunnels ?
Carter Bullard
carter at qosient.com
Thu Apr 16 19:16:56 EDT 2015
Hey Riccardo,
I’ve found the problem with ARP parsing within the GRE tunnel and have fixed it.
I’ll upload the new argus-3.0.8.1 distribution later tonight.
Hopefully your GRE parsing is working for you now.
Sorry for any inconvenience,
Carter
> On Apr 16, 2015, at 8:27 AM, Carter Bullard <carter at qosient.com> wrote:
>
> Hey Riccardo,
> Everything looks fine with this file, except that argus does not report the ARP flows that are in the GRE tunnel, an we don’t know the type code for icmp-v6 multicast listener v2 (we report it as UNK). I’ll fix that today, so Thanks for the file.
>
> Compare: tcpdump -nr ens224.pcap
> With: argus -r ens224.pcap -w - | ra
>
> Timestamps all agree, and all the protocols are there, flows are sessionized, and the encaps filters all work.
>
> Simply compare the first 6 packets:
> tcpdump -nr ens224.pcap -c 6
>
> With the first 3 argus records:
> argus -r ens224.pcap -w - | ra -N 3
>
> And you will see that argus is generating appropriate flow records. Do you see that it’s working ???
> Let me fix the ARP inside GRE issue, and I’ll regenerate a new distribution.
>
> Carter
> <http://qosient.com/>
> Carter Bullard <mailto:carter at qosient.com>• CTO
> 150 E 57th Street, Suite 12D
> New York, New York 10022-2795
> Phone +1.212.588.9133 • Mobile +1.917.497.9494
>
>
>
>> On Apr 16, 2015, at 3:23 AM, Riccardo Veraldi <Riccardo.Veraldi at cnaf.infn.it> wrote:
>>
>> dear Carter,
>> capturing with tcpdump I can see what is inside the gre tunnel.
>> I attach the pcap file, and in it there is the submission mail session I expected to see
>>
>> this is the configuration for interfaces in argus.conf
>>
>> ARGUS_INTERFACE=ind:ens224/"ens224",ens256/"ens256"
>>
>>
>> actually ens224 is the interface holding the gre traffic but I also was interested in traffic on interface ens256
>>
>> do you think that monitoring 2 interfaces can mess up things ?
>>
>> thank you
>>
>> Rick
>>
>>
>> On 16/04/15 06:18, Carter Bullard wrote:
>>> Riccardo,
>>> Could you send me a pcap file of some packets from your GRE tunnel ???
>>> Carter
>>>
>>>
>>>
>>>
>>>> On Apr 15, 2015, at 2:16 PM, Riccardo Veraldi <Riccardo.Veraldi at cnaf.infn.it> wrote:
>>>>
>>>> Yes, I’ll send it by email; it’s just that sometimes people do not like to have attachments,
>>>> so I was thinking it was not a bad idea to use my own Dropbox-like service.
>>>> Here is the file
>>>> thank you for now, really!
>>>>
>>>> Rick
>>>>
>>>>
>>>>
>>>> On 15/04/15 19:37, Carter Bullard wrote:
>>>>> You can just send it in email, or upload it to ftp://qosient.com/incoming
>>>>> Carter
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> On Apr 15, 2015, at 1:06 PM, Riccardo Veraldi <Riccardo.Veraldi at cnaf.infn.it> wrote:
>>>>>>
>>>>>>
>>>>>> here is the argus.out file
>>>>>>
>>>>>> thank you !
>>>>>>
>>>>>> https://pandora.infn.it/data/public/07b597.php
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 15/04/15 18:49, Carter Bullard wrote:
>>>>>>> You can send me a few packets and I’ll take a look. 20-30 would be enough.
>>>>>>> Carter
>>>>>>>
>>>>>>>> On Apr 15, 2015, at 12:46 PM, Riccardo Veraldi <Riccardo.Veraldi at cnaf.infn.it> wrote:
>>>>>>>>
>>>>>>>> On 15/04/15 18:37, Carter Bullard wrote:
>>>>>>>>> Are you capturing enough packet bytes to parse the GRE ?? What is your snaplen?
>>>>>>>>> What version of argus are you using ?? If your GRE is using transparent bridging,
>>>>>>>>> you’ll need argus-3.0.8.1
>>>>>>>>
>>>>>>>> I am using the argus default; I am using argus 3.0.8.1.
>>>>>>>> The bridges and gre tunnels are defined inside Open vSwitch on CentOS.
>>>>>>>>
>>>>>>>> Actually I increased the snaplen with the argus -s option, but I did not notice any difference.
>>>>>>>>
>>>>>>>> Should I try with 3.0.8.1 ?
>>>>>>>>
>>>>>>>> thank you
>>>>>>>>
>>>>>>>> Rick
>>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>> If none of that is helpful, capture some packets and send them to me, and I’ll take a look.
>>>>>>>>>
>>>>>>>>> Carter
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> On Apr 15, 2015, at 12:34 PM, Riccardo Veraldi <Riccardo.Veraldi at cnaf.infn.it> wrote:
>>>>>>>>>>
>>>>>>>>>> I don't know why, but I see the same thing as using "proto gre"
>>>>>>>>>>
>>>>>>>>>> actually I expect to see tcp traffic on port 587 since I have submission mail servers there, but I can only see gre... this is weird
>>>>>>>>>>
>>>>>>>>>> ra -r /var/log/argus/argus.out - encaps gre
>>>>>>>>>>
>>>>>>>>>> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
>>>>>>>>>> 18:02:28.753615 * gre 192.168.32.155 -> 192.168.32.141 7 1416 INT
>>>>>>>>>> 18:02:43.048531 * gre 192.168.32.155 -> 192.168.32.141 1 384 REQ
>>>>>>>>>> 18:02:51.480639 * gre 192.168.32.141 <-> 192.168.32.152 2 192 CON
>>>>>>>>>> 18:02:55.250461 * gre 192.168.32.155 -> 192.168.32.141 1 384 REQ
>>>>>>>>>> 18:02:56.486193 * gre 192.168.32.141 <-> 192.168.32.152 2 168 CON
>>>>>>>>>> 18:03:08.237235 * gre 192.168.32.141 -> 192.168.32.151 1 96 INT
>>>>>>>>>> 18:03:11.598985 * gre 192.168.32.155 -> 192.168.32.141 7 1416 REQ
>>>>>>>>>> 18:03:13.244984 * gre 192.168.32.141 <-> 192.168.32.151 2 168 CON
>>>>>>>>>> 18:03:18.388452 * gre 192.168.32.155 -> 192.168.32.141 2 768 REQ
>>>>>>>>>> 18:03:30.587969 * gre 192.168.32.141 <-> 192.168.32.153 3 360 CON
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 15/04/15 18:30, Carter Bullard wrote:
>>>>>>>>>>> Hey Riccardo,
>>>>>>>>>>> Your filter is choosing to see only the GRE control traffic. These are the flows that have GRE as the outer layer protocol.
>>>>>>>>>>>
>>>>>>>>>>> You should run:
>>>>>>>>>>>
>>>>>>>>>>> ra -r /var/log/argus/argus.out - encaps gre
>>>>>>>>>>>
>>>>>>>>>>> You will potentially see ipv4, ipv6, ethernet, icmp, udp and tcp traffic, since that is what could be in the tunnel.
>>>>>>>>>>> If you have any problems, don’t hesitate to send to the list.
>>>>>>>>>>>
>>>>>>>>>>> Our commercial sensors parse more tunnels and capture more tunnel info, if you are interested.
>>>>>>>>>>>
>>>>>>>>>>> Carter
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> On Apr 15, 2015, at 12:21 PM, Riccardo Veraldi <Riccardo.Veraldi at cnaf.infn.it> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hello, I am using argus to monitor traffic on the OpenStack network node
>>>>>>>>>>>>
>>>>>>>>>>>> of course I can see the gre traffic between the network node and the hypervisors, but how to look at what is passing inside the gre tunnel ?
>>>>>>>>>>>>
>>>>>>>>>>>> thank you!
>>>>>>>>>>>>
>>>>>>>>>>>> ra -r /var/log/argus/argus.out - proto gre
>>>>>>>>>>>>
>>>>>>>>>>>> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
>>>>>>>>>>>> 18:02:28.753615 * gre 192.168.32.155 -> 192.168.32.141 7 1416 INT
>>>>>>>>>>>> 18:02:43.048531 * gre 192.168.32.155 -> 192.168.32.141 1 384 REQ
>>>>>>>>>>>> 18:02:51.480639 * gre 192.168.32.141 <-> 192.168.32.152 2 192 CON
>>>>>>>>>>>> 18:02:55.250461 * gre 192.168.32.155 -> 192.168.32.141 1 384 REQ
>>>>>>>>>>>> 18:02:56.486193 * gre 192.168.32.141 <-> 192.168.32.152 2 168 CON
>>>>>>>>>>>> 18:03:08.237235 * gre 192.168.32.141 -> 192.168.32.151 1 96 INT
>>>>>>>>>>>> 18:03:11.598985 * gre 192.168.32.155 -> 192.168.32.141 7 1416 REQ
>>>>>>>>>>>> 18:03:13.244984 * gre 192.168.32.141 <-> 192.168.32.151 2 168 CON
>>>>>>>>>>>> 18:03:18.388452 * gre 192.168.32.155 -> 192.168.32.141 2 768 REQ
>>>>>>>>>>>> 18:03:30.587969 * gre 192.168.32.141 <-> 192.168.32.153 3 360 CON
>>>>>>>>>>>> 18:03:35.596982 * gre 192.168.32.141 <-> 192.168.32.153 2 168 CON
>>>>>>>>>>>> 18:03:36.072892 * gre 192.168.32.155 -> 192.168.32.141 1 384 REQ
>>>>>>>>>>>> 18:03:51.887398 * gre 192.168.32.141 <-> 192.168.32.153 5734 6351860 CON
>>>>>>>>>>>> 18:03:55.790966 * gre 192.168.32.152 <-> 192.168.32.141 2 264 CON
>>>>>>>>>>>> 18:03:55.898084 * gre 192.168.32.155 -> 192.168.32.141 6 1284 REQ
>>>>>>>>>>>> 18:04:00.806343 * gre 192.168.32.152 <-> 192.168.32.141 2 168 CON
>>>>>>>>>>>> 18:04:00.806804 * gre 192.168.32.141 <-> 192.168.32.153 5056 6196176 CON
>>>>>>>>>>>> 18:04:01.022460 * gre 192.168.32.155 -> 192.168.32.141 2 516 REQ
>>>>>>>>>>>> 18:04:05.820967 * gre 192.168.32.141 <-> 192.168.32.153 8 930 CON
>>>>>>>>>>>> 18:04:09.979538 * gre 192.168.32.155 -> 192.168.32.141 1 384 REQ
>>>>>>>>>>>> 18:04:18.295011 * gre 192.168.32.155 -> 192.168.32.141 1 384 REQ
>>>>>>>>>>>> 18:04:18.792758 * gre 192.168.32.152 <-> 192.168.32.141 2 264 CON
>>>> <argus.out>
>> <ens224.pcap>
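As an added example (not code from this thread, nor from argus), a small Python parser that walks outer IPv4 -> GRE -> inner headers the way a sensor must in order to report the tunnelled flow instead of the GRE outer flow; it handles the transparent-bridging case from the thread (GRE protocol type 0x6558, an Ethernet frame inside, which is where the ARP lives) and fails with an explicit error when the capture is shorter than the headers it needs, which is the snaplen question raised above. The sample packet, its addresses, tunnel key and ports are constructed.

```python
import struct
IPPROTO_GRE = 47
IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 58: "icmpv6"}
# GRE's protocol type field carries an EtherType; 0x6558 is transparent Ethernet bridging
ETH_P_IP, ETH_P_IPV6, ETH_P_ARP, ETH_P_TEB = 0x0800, 0x86DD, 0x0806, 0x6558

def _need(pkt, n):
    if len(pkt) < n:  # capture shorter than the headers we must read: snaplen too small
        raise ValueError(f"truncated: have {len(pkt)} bytes, need at least {n}")

def _inner_ipv4(pkt, off):
    _need(pkt, off + 20)
    proto = pkt[off + 9]
    desc = {"inner": "ipv4", "proto": IP_PROTO_NAMES.get(proto, str(proto))}
    if proto in (6, 17):  # tcp/udp: ports sit right after the inner IPv4 header
        ihl = (pkt[off] & 0x0F) * 4
        _need(pkt, off + ihl + 4)
        desc["sport"], desc["dport"] = struct.unpack("!HH", pkt[off + ihl:off + ihl + 4])
    return desc

def parse_gre(pkt):
    """Describe the tunnelled payload of a raw IPv4 packet: outer IPv4 -> GRE -> inner headers."""
    _need(pkt, 20)
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_GRE:
        return {"inner": "not-gre", "proto": IP_PROTO_NAMES.get(pkt[9], str(pkt[9]))}
    _need(pkt, ihl + 4)
    flags, ptype = struct.unpack("!HH", pkt[ihl:ihl + 4])
    # RFC 2784/2890: a 32-bit field follows for each of C (checksum), K (key), S (sequence)
    off = ihl + 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    if ptype == ETH_P_TEB:  # transparent bridging: a whole Ethernet frame (ARP, IP, ...) inside
        _need(pkt, off + 14)
        etype = struct.unpack("!H", pkt[off + 12:off + 14])[0]
        if etype == ETH_P_ARP:
            return {"inner": "ethernet", "proto": "arp"}
        return _inner_ipv4(pkt, off + 14) if etype == ETH_P_IP else {"inner": "ethernet", "proto": f"{etype:#06x}"}
    if ptype == ETH_P_IPV6:
        _need(pkt, off + 40)
        return {"inner": "ipv6", "proto": IP_PROTO_NAMES.get(pkt[off + 6], str(pkt[off + 6]))}
    return _inner_ipv4(pkt, off) if ptype == ETH_P_IP else {"inner": f"gre-ptype-{ptype:#06x}"}

def constructed_sample(truncate_at=None):
    """Constructed IPv4/GRE(key)/Ethernet/IPv4/TCP:587 packet (not from the thread); truncate_at mimics a short snaplen."""
    tcp = struct.pack("!HHIIHHHH", 40000, 587, 1, 0, 0x5002, 8192, 0, 0)
    ip_in = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 25])) + tcp
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_P_IP) + ip_in
    gre = struct.pack("!HHI", 0x2000, ETH_P_TEB, 1) + eth  # K flag set, tunnel key 1
    ip_out = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 2, 0, 64, IPPROTO_GRE, 0, bytes([192, 168, 32, 155]), bytes([192, 168, 32, 141]))
    return (ip_out + gre)[:truncate_at] if truncate_at else ip_out + gre
```

Feeding the same packet in with a short truncate_at reproduces what a too-small snaplen does to a sensor: the outer GRE flow is still visible, but the inner TCP session cannot be decoded.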