How to perform a TCPDump on NPM8600 span ports with IPv6 address filters

Article ID: 168014

Products

XOS

Issue/Introduction

Explains how to limit the type of syslog messages sent from the VAP (APM) to the CPMN/A

Cause

Customers using NPM 86x0 would like to perform tcpdump on the physical interface using a mirror port. Due to the NPM6 architecture and the use of VLAN stacking we are unable to use the TCPDUMP filters.

Resolution

Technical Considerations

The NPM 6 uses VLAN stacking to identify the physical port at the EZChip level; the inner VLAN tag corresponds to the VLAN tag received from the Ethernet wire.
As a result, the tcpdump software provided on the NPM does not let the user set up regular libpcap filters that match on the host or protocol portion.

The solution is:

1) Telnet to the NPM on which you want to monitor ports

  telnet npmx


2) Set the monitoring parameters

  cd /crossbeam/tools
  ./cbsif smcfg xxx 21 8100


xxx represents the bitmask decimal conversion of the physical port

11 10 9 8 7 6 5 4 3 2 1
 x  x x x x x x x x x x


For example:
  • If the monitoring is set on port 4 the bitmask will then be 008
  • If the monitoring is set on port 2 and 8 the bitmask will be 082

21 represents eth2 from the Octeon perspective

8100 is the TPID to have the additional VLAN header in the TCPDump traces.

3) Change the interface state

  ifconfig eth2 up


4) Perform the tcpdump

  tcpdump -ni eth2

This packet is untagged at the physical interface level

02:13:40.430112 00:00:0d:00:00:00 (oui Unknown) > 00:00:0d:00:01:00 (oui Unknown), ethertype 802.1Q (0x8100), length 64: vlan 11, p 0, ethertype IPv4, 12.0.0.17 > 11.0.2.14: ICMP echo reply, id 0, seq 0, length 26

This packet is tagged at the physical interface level

02:18:42.050406 00:00:00:00:00:77 (oui Ethernet) > 00:01:0e:00:77:00 (oui Unknown), ethertype 802.1Q (0x8100), length 68: vlan 11, p 0, ethertype 802.1Q, vlan 100, p 0, ethertype IPv4, 2.0.0.2.63 > 7.0.0.2.63: UDP, length 18


5) Filtering a host using TCPDump on the NPM:

If you need to add filters to tcpdump, you must calculate the offset of the traffic to select. Offsets are counted from the beginning of the Ethernet frame, without the preamble. They must take into account the VLAN header coming from the physical interface as well as the Crossbeam-specific VLAN header that is added.

The following offsets are used for calculation:
Ethernet header = 14 bytes
Vlan (Crossbeam physical interface) = 4 bytes
Vlan (real vlan onto the wire) = 4 bytes

As a consequence, host selection has to be handled bidirectionally and the offsets have to be calculated manually.
Assume that the host we want to filter has the following IPv6 address:
2a01:0135:abcd:f280:240:abff:fefe:f119
We have to convert it from the standard notation to its hex value by removing the ':' between groups and restoring any omitted zeros.

Please note that the following IPv6 addresses are equivalent notations, but each must be converted to the full representation of the address for the tcpdump filter:

2001:0db8:0:85a3:0:0:ac1f:8001
2001:db8:0:85a3:0:0:ac1f:8001
2001:db8:0:85a3::ac1f:8001


On a Non VLAN tagged frame on the interface:
SRC IP address offset will be at byte 26
DST IP address offset will be at byte 42

tcpdump -ni xxxx '( ether[26:16] = 0x2a010135abcdf2800240abfffefef119 ) or ( ether[42:16] = 0x2a010135abcdf2800240abfffefef119 )'


On a VLAN tagged frame on the interface:
SRC IP address offset will be at byte 30
DST IP address offset will be at byte 46

tcpdump -ni xxxx '( ether[30:16] = 0x2a010135abcdf2800240abfffefef119 ) or ( ether[46:16] = 0x2a010135abcdf2800240abfffefef119 )'


If you need to match both source and destination, the following tcpdump filters can be used, assuming the second host IP address is 0x2a010135abcdf2800240abeeeefef119.

On a non-VLAN-tagged frame on the interface:

tcpdump -ni xxxx '( ether[26:16] = 0x2a010135abcdf2800240abfffefef119 and ether[42:16] = 0x2a010135abcdf2800240abeeeefef119 ) or ( ether[26:16] = 0x2a010135abcdf2800240abeeeefef119 and ether[42:16] = 0x2a010135abcdf2800240abfffefef119 )'

On a VLAN-tagged frame on the interface:

tcpdump -ni xxxx '( ether[30:16] = 0x2a010135abcdf2800240abfffefef119 and ether[46:16] = 0x2a010135abcdf2800240abeeeefef119 ) or ( ether[30:16] = 0x2a010135abcdf2800240abeeeefef119 and ether[46:16] = 0x2a010135abcdf2800240abfffefef119 )'

NOTE:
IPv6 protocol offsets are variable and the IPv6 header can be composed of multiple headers. It is hence very difficult to match a specific offset for L4 or higher protocol elements, and we recommend taking a raw capture of a conversation between hosts or subnets and performing the analysis with a proper trace file analyser such as Wireshark.

However, assuming the traffic is not fragmented and no other IPv6 options are set, you may detect a given protocol such as TCP, UDP or ICMP by matching the IPv6 next-header field.

For example:

To match the TCP protocol on non-fragmented IPv6 traffic in a non-VLAN-tagged frame:

tcpdump -ni eth1 '( ether[18] & 127 >= 96 ) and ether[24] = 0x06'


To match the TCP protocol on non-fragmented IPv6 traffic in a VLAN-tagged frame:

tcpdump -ni eth1 '( ether[22] & 127 >= 96 ) and ether[28] = 0x06'
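The offset arithmetic and address expansion from step 5, as an added example (not part of the original article or of the Crossbeam tooling). It goes beyond the article's filters in one respect: the 16-byte address is compared as four 4-byte words, because stock libpcap accepts only sizes 1, 2 or 4 in the `ether[offset:size]` accessor. The function names are assumptions made for this example.

```python
import ipaddress

ETH_HDR = 14        # Ethernet header, bytes
VLAN_TAG = 4        # one 802.1Q tag, bytes
IPV6_SRC = 8        # source address offset inside the IPv6 header
IPV6_DST = 24       # destination address offset inside the IPv6 header
IPV6_NEXT_HDR = 6   # next-header byte offset inside the IPv6 header


def ipv6_offset(wire_tagged):
    """Start of the IPv6 header on the span port: the Crossbeam tag is
    always present, the wire VLAN tag only on tagged traffic."""
    return ETH_HDR + VLAN_TAG + (VLAN_TAG if wire_tagged else 0)


def match_addr(addr, offset):
    """Compare the 16-byte address at `offset` as four 32-bit words."""
    raw = ipaddress.IPv6Address(addr).packed  # expands '::' and short groups
    words = [raw[i:i + 4].hex() for i in range(0, 16, 4)]
    return " and ".join(
        f"ether[{offset + 4 * i}:4] = 0x{w}" for i, w in enumerate(words))


def host_filter(addr, wire_tagged):
    """Filter matching `addr` as either source or destination."""
    base = ipv6_offset(wire_tagged)
    return (f"( {match_addr(addr, base + IPV6_SRC)} ) or "
            f"( {match_addr(addr, base + IPV6_DST)} )")


def proto_filter(next_header, wire_tagged):
    """Match the first next-header value (no extension headers assumed).
    Uses an exact version-nibble test, stricter than '& 127 >= 96'."""
    base = ipv6_offset(wire_tagged)
    return (f"( ether[{base}] & 0xf0 = 0x60 ) and "
            f"ether[{base + IPV6_NEXT_HDR}] = {next_header:#04x}")


if __name__ == "__main__":
    host = "2a01:135:abcd:f280:240:abff:fefe:f119"  # article's host, short form
    for tagged in (False, True):
        print("tcpdump -ni eth2 '" + host_filter(host, tagged) + "'")
    print("tcpdump -ni eth2 '" + proto_filter(6, True) + "'")
```

Because the address is parsed before it is packed, any of the equivalent notations listed in step 5 produces the same filter.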

Workaround

N/A