[netsa-tools-discuss] need help to capturing Vxlan packet fields

Shahzada Khurram khurram at iub.edu.pk
Mon Apr 17 12:46:05 EDT 2017


Hi,
    I'm working on capturing VXLAN traffic for analysis, but I'm facing a
problem capturing the specific traffic. The problem is that yaf captures
only the 5-tuple, but I want one more field captured, called "vni" (virtual
network identifier), as you can see in the tcpdump output below.

We need your help. Can you please tell us how we can do this? We want to
capture packets through yaf and send IPFIX flows to SiLK for data analysis.

But at the initial stage of packet capturing we are facing a problem. Can
you please help us and tell us any way we can do this?


My tcpdump output is below.

$ sudo tcpdump -i eth0

listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:44:33.810451 IP 172.16.10.10.47589 > 172.16.20.20.4789: VXLAN, flags [I]
(0x08), vni 100
IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 4137, seq 13427, length 64
02:44:33.811835 IP 172.16.20.20.33610 > 172.16.10.10.4789: VXLAN, flags [I]
(0x08), vni 100
IP 10.0.0.2 > 10.0.0.1: ICMP echo reply, id 4137, seq 13427, length 64
02:44:34.798898 IP 172.16.20.20.48509 > 172.16.10.10.4789: VXLAN, flags [I]
(0x08), vni 100
ARP, Request who-has 10.0.0.1 tell 10.0.0.2, length 28
02:44:34.800752 IP 172.16.10.10.49749 > 172.16.20.20.4789: VXLAN, flags [I]
(0x08), vni 100
ARP, Reply 10.0.0.1 is-at 00:00:00:00:00:01 (oui Ethernet), length 28
02:44:34.813420 IP 172.16.10.10.47589 > 172.16.20.20.4789: VXLAN, flags [I]
(0x08), vni 100
IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 4137, seq 13428, length 64
02:44:34.818988 IP 172.16.20.20.33610 > 172.16.10.10.4789: VXLAN, flags [I]
(0x08), vni 100


We capture live packets through yaf:

$ yaf  --live=pcap --in=ens33 --force-read-all --out=/tmp/test1.yaf

then convert them to readable flows:

$ yafscii --in=/tmp/test1.yaf --out=/tmp/test1.txt
$ cat /tmp/test1.txt
2017-04-17 07:41:47.467 - 07:42:00.604 (13.137 sec) udp 172.16.10.10:47589
=> 172.16.20.20:4789 (14/1876 ->) eof
2017-04-17 07:41:47.467 - 07:42:00.605 (13.138 sec) udp 172.16.20.20:33610
=> 172.16.10.10:4789 (14/1876 ->) eof

-- 

Thanks

khurram
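As an added example (not from the original post, and not YAF or SiLK project code), a small Python decoder for the 8-byte VXLAN header from RFC 7348 that pulls out the VNI the post is asking for and uses it to extend the outer UDP 5-tuple into a per-tenant flow key. The VXLAN header and the inner Ethernet frame are constructed inline to mirror the first tcpdump line above (outer 172.16.10.10:47589 -> 172.16.20.20:4789, VNI 100); the function and constant names are my own.

```python
import struct

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN port, as seen in the tcpdump output
VXLAN_FLAG_I = 0x08     # "VNI present" flag bit (RFC 7348 section 5); tcpdump shows it as [I]


def build_vxlan(vni: int, inner_frame: bytes) -> bytes:
    """Constructed sample only: prepend an RFC 7348 VXLAN header to an inner Ethernet frame."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    # Layout: flags(1) | reserved(3) | VNI(3) | reserved(1)
    return bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00" + inner_frame


def parse_vxlan(udp_payload: bytes) -> dict:
    """Decode the VXLAN header and the inner Ethernet header of one UDP payload.
    Raises ValueError when the header is truncated or the I flag is clear (VNI not valid)."""
    if len(udp_payload) < 8:
        raise ValueError("VXLAN header truncated")
    flags = udp_payload[0]
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI field is not valid")
    vni = int.from_bytes(udp_payload[4:7], "big")   # 24-bit VNI, network byte order
    inner = udp_payload[8:]
    if len(inner) < 14:
        raise ValueError("inner Ethernet header truncated")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", inner[:14])
    return {
        "flags": flags,
        "vni": vni,
        "inner_dst_mac": dst_mac.hex(":"),
        "inner_src_mac": src_mac.hex(":"),
        "inner_ethertype": ethertype,
        "inner_payload": inner[14:],
    }


def vxlan_flow_key(src_ip, src_port, dst_ip, dst_port, udp_payload):
    """Extend the outer 5-tuple with the VNI so tenants sharing one VTEP pair are not merged
    into a single flow (the 5-tuple alone, as in the yafscii output, cannot tell them apart)."""
    if dst_port != VXLAN_UDP_PORT:
        return None
    return (src_ip, src_port, dst_ip, dst_port, "udp", parse_vxlan(udp_payload)["vni"])


# Constructed sample: inner Ethernet (dst 00:00:00:00:00:02, src 00:00:00:00:00:01, IPv4)
# followed by a 20-byte IPv4 header stub; wrapped with VNI 100 like the tcpdump lines.
INNER = bytes.fromhex("000000000002" "000000000001" "0800") + b"\x45" + b"\x00" * 19
SAMPLE = build_vxlan(100, INNER)
```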