Process the GRE payload
MING FU
fuming188 at yahoo.ca
Tue Mar 31 13:52:22 EDT 2015
Hi,
I was using argus to monitor the L3 SPAN from VMWare. The VMWare sends the packet from its virtual LAN wrapped in GRE tunnel to the monitor port. The GRE Header type field is 0x6558. The GRE payload is the original packet from the virtual LAN start from the Ethernet header. The ArgusProcessGreHdr should return Ethernet for the tunnel payload to be recoganized as Ethernet.
Here is a patch for this change:
--- dist-plain/argus/ArgusModeler.c2011-02-25 18:36:33.000000000 +0000
+++ dist-track/argus/ArgusModeler.c2015-03-31 17:25:12.000000000 +0000
@@ -809,6 +809,8 @@
#define GRE_RECRS 0x0700 /* recursion count */
#define GRE_AP 0x0080 /* acknowledgment# present */
+#define GRE_TRANSPARENT_ETHERNET_BRIDGING 0x6558 /* VMWare L3 SPAN */
+
int
ArgusProcessGreHdr (struct ArgusModelerStruct *model, struct ip *ip, int length)
{
@@ -897,6 +899,16 @@
ArgusDebug (8, "ArgusProcessGreHdr(%p, %p, %d) returning 0x%x\n", model, ip, length, retn);
#endif
+ switch (retn) {
+ case GRE_TRANSPARENT_ETHERNET_BRIDGING:
+#ifdef ARGUSDEBUG
+ ArgusDebug (8, "VMWare L3 SPAN GRE decap.\n");
+#endif
+ retn = ARGUS_ETHER_HDR;
+ break;
+ default:
+ break;
+ }
return (retn);
}
Regards,
Ming
More information about the argus
mailing list