[netsa-tools-discuss] need help to capturing Vxlan packet fields

Emily Sarneso ecoff at cert.org
Tue Apr 18 13:58:45 EDT 2017


Hello Shahzada,

Unfortunately YAF does not currently capture and export this particular field.  If you wanted to modify the code to export the VNI field and have the ability to use the field in SiLK, the easiest way would be to either:

option 1
* create a new application labeling plugin.  This is probably the easiest option as you aren’t modifying the YAF code very much.  You can view examples of plugins in src/applabel/plugin.  You basically need to implement one function with the standard 6 arguments.  It should return 0 if it’s not a match and 1 if it is a match. Returning 1 will label the flow with the number you provided in the yafApplabelRules.conf.  If you return a nonzero number greater than 1, the flow will be labeled the value you return.  In this particular case, I would return the VNI so that you could search by applabel(VNI) in SiLK.  The only issue here is that the VNI is a 24-bit integer and application labels are 16-bit.  If VNIs are typically 0-65535, this would work.  Otherwise check out option 2.  The payload parameter that is passed to your function would start with the VXLAN header which should make the code relatively trivial.  Make sure to add your new plugin to the src/applabel/plugins/Makefile.am and etc/yafApplabelRules.conf.  To make sure the other application labels do not conflict with the VNI, I would comment out the other statements in the yafApplabelRules.conf and only include your plugin.

option 2
* add code in decode.c to parse the VXLAN header and export the VNI field in the ingressInterface or egressInterface field.  The ingressInterface and egressInterface fields are 32-bit integers.  SiLK will collect these fields and you can search or view them using the in (13) and out (14) fields.

In either option, make sure you are using the --max-payload option to ensure that libpcap is passing the VXLAN header to YAF.

The correct way to export this field would be to create a new IPFIX element, but it would be very difficult to modify the SiLK code to effectively use the new field.  I have added the task to collect and export this field to the YAF to-do list but it is not a top priority at this time.

I hope my suggestions help.  Good luck!

Emily
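Both options above come down to the same small step: reading the 24-bit VNI out of the 8-byte VXLAN header (RFC 7348) at the start of the UDP payload and deciding how to export it. The following is an added example written for this thread, not YAF's own code; the plugin entry point is simplified to (payload, length) instead of YAF's six arguments, the sample headers are constructed rather than captured, and the return-value convention follows the description of option 1 above (0 = no match, a value above 1 = label with that value).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* VXLAN header layout (RFC 7348), 8 bytes, multi-byte fields big-endian:
 *   byte 0     flags; bit 0x08 ("I") means a valid VNI is present
 *   bytes 1-3  reserved
 *   bytes 4-6  VNI, 24 bits
 *   byte 7     reserved */
#define VXLAN_HDR_LEN  8
#define VXLAN_FLAG_I   0x08u
#define APPLABEL_MAX   0xFFFFu   /* YAF application labels are 16-bit */

/* Constructed sample payloads (not captured data). */
static const uint8_t vxlan_sample_vni100[VXLAN_HDR_LEN] =
    { 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x00 };   /* flags [I], VNI 100 */
static const uint8_t vxlan_sample_vni65536[VXLAN_HDR_LEN] =
    { 0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 };   /* VNI 65536, needs > 16 bits */
static const uint8_t vxlan_sample_no_i_flag[VXLAN_HDR_LEN] =
    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x00 };   /* I flag clear */

/* Return the 24-bit VNI, or -1 when the buffer is not a VXLAN header
 * with the I flag set (too short, or flag clear). */
long vxlan_parse_vni(const uint8_t *payload, size_t payload_len)
{
    if (payload == NULL || payload_len < VXLAN_HDR_LEN)
        return -1;   /* truncated payload: check --max-payload */
    if ((payload[0] & VXLAN_FLAG_I) == 0)
        return -1;   /* without the I flag the VNI bytes are not meaningful */
    return ((long)payload[4] << 16) | ((long)payload[5] << 8) | (long)payload[6];
}

/* Option 1: applabel-style decision (hypothetical simplified signature).
 *   0    no match (not VXLAN, or the VNI cannot be represented)
 *   n>1  label the flow with n, i.e. the VNI itself
 * Caveat: VNI 0 reads as "no match" and VNI 1 reads as "use the number from
 * yafApplabelRules.conf", so those two VNIs cannot be told apart this way. */
uint16_t vxlan_applabel_match(const uint8_t *payload, size_t payload_len)
{
    long vni = vxlan_parse_vni(payload, payload_len);
    if (vni <= 0 || vni > (long)APPLABEL_MAX)
        return 0;   /* decline rather than silently truncate a 24-bit VNI */
    return (uint16_t)vni;
}

/* Option 2: the full 24-bit VNI fits in a 32-bit interface field.
 * Returns 1 and stores the VNI in *iface on success, 0 otherwise. */
int vxlan_vni_to_interface(const uint8_t *payload, size_t payload_len, uint32_t *iface)
{
    long vni = vxlan_parse_vni(payload, payload_len);
    if (vni < 0 || iface == NULL)
        return 0;
    *iface = (uint32_t)vni;
    return 1;
}

int main(void)
{
    uint32_t iface = 0;
    printf("VNI 100   -> applabel %u\n",
           vxlan_applabel_match(vxlan_sample_vni100, VXLAN_HDR_LEN));
    printf("VNI 65536 -> applabel %u (0: does not fit in 16 bits)\n",
           vxlan_applabel_match(vxlan_sample_vni65536, VXLAN_HDR_LEN));
    if (vxlan_vni_to_interface(vxlan_sample_vni65536, VXLAN_HDR_LEN, &iface))
        printf("VNI 65536 -> ingressInterface %u\n", iface);
    return 0;
}
```

The length check is the part worth keeping in mind operationally: if libpcap hands YAF fewer than 8 bytes of UDP payload, the parser has to refuse rather than read past the buffer, which is exactly why the --max-payload setting matters for either option.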





> On Apr 17, 2017, at 12:46 PM, Shahzada Khurram <khurram at iub.edu.pk> wrote:
> 
> Hi,
>     I'm working on capturing VXLAN traffic for analysis, but I'm having a problem capturing the specific traffic. The problem is that YAF captures only the 5-tuple, but I want one more field captured, called "vni" (virtual network identifier), as you can see in the tcpdump output below.
> 
> We need your help; can you please tell us how we can do this? We want to capture packets through YAF and send IPFIX flows to SiLK for data analysis.
> 
> But at this initial stage of packet capturing we are facing a problem. Can you please help us and tell us any way we can do this?
> 
> 
> My tcpdump output is below.
> 
> $ sudo tcpdump -i eth0
> 
> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 02:44:33.810451 IP 172.16.10.10.47589 > 172.16.20.20.4789: VXLAN, flags [I] (0x08), vni 100
> IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 4137, seq 13427, length 64
> 02:44:33.811835 IP 172.16.20.20.33610 > 172.16.10.10.4789: VXLAN, flags [I] (0x08), vni 100
> IP 10.0.0.2 > 10.0.0.1: ICMP echo reply, id 4137, seq 13427, length 64
> 02:44:34.798898 IP 172.16.20.20.48509 > 172.16.10.10.4789: VXLAN, flags [I] (0x08), vni 100
> ARP, Request who-has 10.0.0.1 tell 10.0.0.2, length 28
> 02:44:34.800752 IP 172.16.10.10.49749 > 172.16.20.20.4789: VXLAN, flags [I] (0x08), vni 100
> ARP, Reply 10.0.0.1 is-at 00:00:00:00:00:01 (oui Ethernet), length 28
> 02:44:34.813420 IP 172.16.10.10.47589 > 172.16.20.20.4789: VXLAN, flags [I] (0x08), vni 100
> IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 4137, seq 13428, length 64
> 02:44:34.818988 IP 172.16.20.20.33610 > 172.16.10.10.4789: VXLAN, flags [I] (0x08), vni 100
> 
> 
> We capture live packets through YAF:
> 
> $ yaf  --live=pcap --in=ens33 --force-read-all --out=/tmp/test1.yaf
> 
> Then convert to readable flows:
> 
> $ yafscii --in=/tmp/test1.yaf --out=/tmp/test1.txt
> $ cat /tmp/test1.txt 
> 2017-04-17 07:41:47.467 - 07:42:00.604 (13.137 sec) udp 172.16.10.10:47589 => 172.16.20.20:4789 (14/1876 ->) eof
> 2017-04-17 07:41:47.467 - 07:42:00.605 (13.138 sec) udp 172.16.20.20:33610 => 172.16.10.10:4789 (14/1876 ->) eof
> 
> -- 
> Thanks
> 
> khurram
> 