Vxlan Tcpdump

Материал из noname.com.ua
Версия от 09:24, 8 октября 2024; Sirmax (обсуждение | вклад)
(разн.) ← Предыдущая | Текущая версия (разн.) | Следующая → (разн.)
Перейти к навигацииПерейти к поиску

Using TCPDUMP on TPVM to capture VXLAN Traffic

Это краткая копия статьи

https://extreme-networks.my.site.com/ExtrArticleDetail?an=000120489

To inspect our VXLAN traffic we will take advantage of "byte offset" filters in TCPDUMP
We will tell TCPDUMP to scan specific bytes in the packet and match on the content found therein It can be difficult to know exactly the position of the bytes we are looking for, however, we will cover some tips for crafting the correct byte offset to meet your needs

Filter for all VXLAN traffic:

sudo tcpdump -veni eth1 -T vxlan

This will show all VXLAN traffic, however on a busy network the output may be overwhelming

Filter for a specific VNI:

sudo tcpdump -veni eth1 -T vxlan udp[11:4] = 3101

Here we tell TCPDUMP to inspect the UDP header, skipping to the 11th byte and looking at the next 4 bytes matching on 3101 3101 is the decimal value of the VNI we are looking for

Filter for Source/Destination IP on Inner IP header

sudo tcpdump -veni eth1 -T vxlan ether[76:4] = 0xc0a8d30b

Here we tell TCPDUMP to jump to the 76th byte of the packet and look at the next 4 bytes to match on the IP address > HEX value of 0xc0a8d30b

sudo tcpdump -veni eth1 -T vxlan ether[80:4] = 0xc0a8d30b

Immediately after the Source IP, the Destination IP is listed in the packet, so we again skip over the fist 76 bytes, and the 4 bytes of the Source IP, arriving at byte 80 where the next 4 bytes contain the Destination IP. IP Address > HEX:

192	168	211	11
c0	a8	d3	0b

Filter for ICMP Traffic

sudo tcpdump -veni eth1 -T vxlan ether[73:1] = 0x01

Lastly to filter for only ICMP traffic we can look at the single byte indicating the ICMP Protocol using the offset 73:1 This is based on a 64byte ping, larger pings will shift the location of the protocol value

Combining Offsets

These offsets can be combined using logical arguments like: and, or, not

sudo tcpdump -veni eth1 -T vxlan \(\(ether[80:4] = 0xc0a8d30b or ether[76:4] = 0xc0a8d30b\) and ether[73:1] = 0x01\)

Here we are filtering for any ICMP Packets that have 192.168.211.11 as the Source or Destination.