Vxlan Tcpdump: различия между версиями
Sirmax (обсуждение | вклад) (Новая страница: «=Using TCPDUMP on TPVM to capture VXLAN Traffic= Это краткая копия статьи https://extreme-networks.my.site.com/ExtrArticleDetail?an=00012048...») |
Sirmax (обсуждение | вклад) |
||
| Строка 1: | Строка 1: | ||
| + | [[Категория:VxLAN]] |
||
=Using TCPDUMP on TPVM to capture VXLAN Traffic= |
=Using TCPDUMP on TPVM to capture VXLAN Traffic= |
||
Это краткая копия статьи |
Это краткая копия статьи |
||
Версия 09:24, 8 октября 2024
Using TCPDUMP on TPVM to capture VXLAN Traffic
Это краткая копия статьи
https://extreme-networks.my.site.com/ExtrArticleDetail?an=000120489
To inspect our VXLAN traffic we will take advantage of "byte offset" filters in TCPDUMP
We will tell TCPDUMP to scan specific bytes in the packet and match on the content found therein
It can be difficult to know exactly the position of the bytes we are looking for, however, we will cover some tips for crafting the correct byte offset to meet your needs
Filter for all VXLAN traffic:
sudo tcpdump -veni eth1 -T vxlan
This will show all VXLAN traffic, however on a busy network the output may be overwhelming
Filter for a specific VNI:
sudo tcpdump -veni eth1 -T vxlan udp[11:4] = 3101
Here we tell TCPDUMP to inspect the UDP header, skipping to the 11th byte and looking at the next 4 bytes matching on 3101 3101 is the decimal value of the VNI we are looking for
Filter for Source/Destination IP on Inner IP header
sudo tcpdump -veni eth1 -T vxlan ether[76:4] = 0xc0a8d30b
Here we tell TCPDUMP to jump to the 76th byte of the packet and look at the next 4 bytes to match on the IP address > HEX value of 0xc0a8d30b
sudo tcpdump -veni eth1 -T vxlan ether[80:4] = 0xc0a8d30b
Immediately after the Source IP, the Destination IP is listed in the packet, so we again skip over the fist 76 bytes, and the 4 bytes of the Source IP, arriving at byte 80 where the next 4 bytes contain the Destination IP. IP Address > HEX:
192 168 211 11 c0 a8 d3 0b
Filter for ICMP Traffic
sudo tcpdump -veni eth1 -T vxlan ether[73:1] = 0x01
Lastly to filter for only ICMP traffic we can look at the single byte indicating the ICMP Protocol using the offset 73:1 This is based on a 64byte ping, larger pings will shift the location of the protocol value
Combining Offsets
These offsets can be combined using logical arguments like: and, or, not
sudo tcpdump -veni eth1 -T vxlan \(\(ether[80:4] = 0xc0a8d30b or ether[76:4] = 0xc0a8d30b\) and ether[73:1] = 0x01\)
Here we are filtering for any ICMP Packets that have 192.168.211.11 as the Source or Destination.
