Capturing traffic is not a difficult task in itself; it can be done with tcpdump.
For example: tcpdump -i eno1 -w fileToSave.pcap
One question is which interface to capture on: eno1 or ppp0?
Below are a few examples of capturing multicast traffic on different network interfaces, and the results:
[Image: Example of traffic on the eno1 interface.]
[Image: Example of traffic on the ppp0 interface.]
Pay attention to how the packets are nested (one protocol layer wrapped inside another) when captured on the eno1 interface: the ppp0 session is carried inside the Ethernet frames seen on eno1, so on eno1 every packet shows up with the extra outer layers, while on ppp0 it appears already decapsulated behind a synthetic link-layer header.
Issue
At this point we have the file fileToSave.pcap with the dump, but there is one small issue which could spoil everything :)
If you are using Wireshark you can easily check the file's encapsulation type in the Statistics -> Summary menu (it can also be done with the capinfos command-line utility that ships with Wireshark).
[Image: Encapsulation type of the traffic captured on the eno1 interface.]
[Image: Encapsulation type of the traffic captured on the ppp0 interface.]
The main issue is that before we can replay our traffic with tcpreplay we have to prepare it with the tcprewrite utility, and tcprewrite does not accept pcap files whose encapsulation type is "Linux cooked-mode". If you try, you get the following error message:
"DLT_LINUX_SLL pcap's must contain only ethernet packets"
More about Linux cooked-mode capture can be read here: Linux cooked-mode capture (SLL)
Solution
I am proud to say that I work with colleagues who found an elegant solution to this issue.
All credit for this solution goes to Denis Pynkin.
In my case I decided to use the traffic captured on the ppp0 interface (the one with the synthetic SLL header). To use that traffic later, the SLL header has to be converted into an Ethernet II header. But how? You probably missed the fact that an Ethernet II header is only 14 bytes long, while an SLL header is 16 bytes (go back to the screenshots and look more carefully); I missed it as well. An SLL header consists of a 2-byte packet type, a 2-byte ARPHRD hardware type, a 2-byte address length, 8 bytes of link-layer address and a 2-byte protocol type. For a PPP capture that protocol field holds the same EtherType value (0x0800 for IPv4, for example) that an Ethernet frame carries in the last two bytes of its header. So the solution is simply to cut the first 2 bytes (the packet type field) off the SLL header: the remaining 14 bytes parse as an Ethernet II header whose two "MAC addresses" are really the hardware type, address length and address fields, followed by the correct EtherType. Those addresses are therefore meaningless and will have to be rewritten before replay, but the file now has the encapsulation tcprewrite expects. The chop can be done with the editcap tool:
editcap -C 2 -F pcap -T ether input-file-name.pcap output-file-name.pcap
Here is a short description of the flags from the editcap man page:
-C <choplen>: Sets the chop length to use when writing the packet data. Each packet is chopped by <choplen> bytes of data. Positive values chop at the packet beginning, negative values chop at the packet end, so -C 2 removes the first two bytes of every packet.
-F <file format>: Sets the file format of the output capture file.
-T <encapsulation type>: Sets the packet encapsulation type of the output capture file.
As a result, we get output-file-name.pcap with the Ethernet encapsulation type.
In the next article we will see how the traffic has to be modified before it can be played back with tcpreplay.
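To make the byte-level trick visible, here is an added example (not part of the original post, and not Denis Pynkin's or editcap's code): a small Python script that reads a classic pcap file with Linux cooked-mode (SLL, link type 113) encapsulation and writes it back with Ethernet (link type 1) encapsulation. Its default mode does exactly what editcap -C 2 -T ether does, dropping the first two bytes of each packet; a second mode goes one step further and builds a proper Ethernet II header with synthetic MAC addresses instead of leaving the hardware-type and address bytes posing as MACs. It assumes classic pcap input (not pcapng), the MAC addresses FAKE_DST_MAC and FAKE_SRC_MAC are made up for illustration, and the sample capture built by sample_sll_pcap() is constructed, not taken from a real interface.

```python
import struct

# Link-layer types from the pcap LINKTYPE registry (113 = Linux cooked, 1 = Ethernet).
LINKTYPE_ETHERNET = 1
LINKTYPE_LINUX_SLL = 113
SLL_HDR_LEN = 16   # packet type(2) + ARPHRD type(2) + address length(2) + address(8) + protocol(2)
ETH_HDR_LEN = 14   # destination MAC(6) + source MAC(6) + EtherType(2)
ARPHRD_ETHER = 1   # Linux hardware types as they appear in the SLL header
ARPHRD_PPP = 512

# Hypothetical locally administered MACs for the "clean" conversion (an assumption, not from the post).
FAKE_DST_MAC = bytes.fromhex("020000000001")
FAKE_SRC_MAC = bytes.fromhex("020000000002")


def sll_to_ethernet(pkt, chop_only=True):
    """Turn one cooked (SLL) packet into an Ethernet II frame.

    chop_only=True does what `editcap -C 2` does: drop the 2-byte packet-type field and
    let the remaining 14 header bytes pose as dst MAC, src MAC and EtherType.
    chop_only=False builds a proper header with synthetic MACs and the same EtherType.
    """
    if len(pkt) < SLL_HDR_LEN:
        raise ValueError("packet is shorter than an SLL header")
    _pkttype, hatype, _halen, _addr, proto = struct.unpack_from("!HHH8sH", pkt, 0)
    # The trick only works when the SLL protocol field holds an EtherType. Values below
    # 0x0600 are 802.3 lengths or SLL special cases (e.g. 4 = 802.2 LLC), and hardware
    # types such as ARPHRD_NETLINK put something other than an EtherType there.
    if proto < 0x0600:
        raise ValueError(f"SLL protocol 0x{proto:04x} (ARPHRD {hatype}) is not an EtherType")
    if chop_only:
        return pkt[2:]
    return FAKE_DST_MAC + FAKE_SRC_MAC + struct.pack("!H", proto) + pkt[SLL_HDR_LEN:]


def read_pcap(data):
    """Parse a classic pcap file into (endian, magic, snaplen, linktype, records)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):       # little-endian file (usec / nsec timestamps)
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):     # big-endian file
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    magic, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack_from(endian + "IHHiIII", data, 0)
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated packet record")
        off += incl_len
        records.append((ts_sec, ts_frac, orig_len, pkt))
    return endian, magic, snaplen, linktype, records


def write_pcap(endian, magic, snaplen, linktype, records):
    """Serialise records as a classic pcap file with the given link type."""
    out = bytearray(struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_frac, orig_len, pkt in records:
        out += struct.pack(endian + "IIII", ts_sec, ts_frac, len(pkt), orig_len) + pkt
    return bytes(out)


def convert_sll_pcap(data, chop_only=True):
    """Rewrite a LINKTYPE_LINUX_SLL capture as LINKTYPE_ETHERNET (like editcap -C 2 -F pcap -T ether)."""
    endian, magic, snaplen, linktype, records = read_pcap(data)
    if linktype != LINKTYPE_LINUX_SLL:
        raise ValueError(f"expected SLL (113) input, got link type {linktype}")
    out = []
    for ts_sec, ts_frac, orig_len, pkt in records:
        frame = sll_to_ethernet(pkt, chop_only)
        # orig_len is the on-the-wire length before snapping; shrink it by the header delta too.
        out.append((ts_sec, ts_frac, orig_len - (len(pkt) - len(frame)), frame))
    return write_pcap(endian, magic, snaplen, LINKTYPE_ETHERNET, out)


def sample_sll_pcap():
    """Constructed sample: one cooked packet as seen on ppp0 (ARPHRD_PPP, no address)
    and one as seen on an Ethernet interface (ARPHRD_ETHER, 6-byte address), both IPv4."""
    ipv4_stub = bytes.fromhex("4500001c000040004011") + b"\x00" * 18   # 28-byte IPv4/UDP stub, constructed
    ppp_pkt = struct.pack("!HHH8sH", 0, ARPHRD_PPP, 0, b"\x00" * 8, 0x0800) + ipv4_stub
    eth_pkt = struct.pack("!HHH8sH", 0, ARPHRD_ETHER, 6, bytes.fromhex("001122334455") + b"\x00\x00", 0x0800) + ipv4_stub
    records = [(1, 0, len(ppp_pkt), ppp_pkt), (2, 0, len(eth_pkt), eth_pkt)]
    return write_pcap("<", 0xA1B2C3D4, 65535, LINKTYPE_LINUX_SLL, records)


if __name__ == "__main__":
    import sys
    # Usage: python sll2eth.py input.pcap output.pcap [--clean]
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    with open(sys.argv[2], "wb") as f:
        f.write(convert_sll_pcap(data, chop_only="--clean" not in sys.argv))
```

Running it in chop mode on the constructed ppp0 packet yields a destination MAC of 02:00:00:00:00:00 (the ARPHRD_PPP value 512 followed by the zero address length and address bytes) and an all-zero source MAC, which is exactly the kind of placeholder address that tcprewrite later has to replace; the --clean mode avoids that by synthesising addresses up front. Either way the script refuses cooked packets whose protocol field is not an EtherType, which the editcap chop would silently turn into garbage.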