enhanced lua scripts to decode Contrail data plane packets - lujiang2016/contrail GitHub Wiki
enhanced lua scripts for tshark/wireshark to decode inner packet header inside Contrail data plane packets
In some scenarios, the lua script mpls_dissector.lua embedded in the Contrail package cannot properly decode the inner packet headers inside Contrail data plane packets.
root@aio69:~# cd /usr/share/contrail-utils/
root@aio69:/usr/share/contrail-utils# ls -alF *.lua
-rw-r--r-- 1 root root 6522 Dec 21 2017 agent_dissector.lua
-rw-r--r-- 1 root root 6823 Dec 21 2017 mpls_dissector.lua
One example is when the data plane packets are BUM traffic (the destination MAC address is broadcast/multicast or is not in the bridge table).
MPLS over UDP layer 2 BUM (e.g. ARP) format:
'Ether/IP/UDP(dport=0x19eb|c8xx)/MPLS/CW/IP/UDP(dport=0x12b5)/VxLan/Ether/Payload'
MPLS over GRE layer 2 BUM (e.g. ARP) format:
'Ether/IP/GRE(proto=0x8847)/MPLS/CW/IP/UDP(dport=0x12b5)/VxLan/Ether/Payload'
More specifically, these layer 2 BUM packets carry a 4-byte all-zero CW (control word) between the MPLS header and the inner IP header, and this CW is what breaks the tshark/wireshark packet decoding.
###[ XoMCW ]### <- extra 4 byte control word
zero= 0
reserved= 0
seq= 0
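The control-word handling described above, written as a small Wireshark Lua dissector for the MPLS-over-UDP format. This is an added example, not the gist scripts linked from this page and not Contrail's own code; the protocol name `mplsoudp_cw`, its field names and the single-label assumption are illustrative choices.

```lua
-- Added example: MPLS-over-UDP dissector that skips the all-zero control word.
-- Assumptions: a single MPLS label entry; protocol/field names are hypothetical.
local mplsoudp = Proto("mplsoudp_cw", "MPLS over UDP with control word (example)")

local f_label = ProtoField.uint32("mplsoudp_cw.label", "MPLS Label", base.DEC)
local f_bos   = ProtoField.uint8("mplsoudp_cw.bos", "Bottom of Stack", base.DEC)
local f_ttl   = ProtoField.uint8("mplsoudp_cw.ttl", "MPLS TTL", base.DEC)
local f_cw    = ProtoField.uint32("mplsoudp_cw.cw", "XoM CW", base.HEX)
mplsoudp.fields = { f_label, f_bos, f_ttl, f_cw }

local ip_dissector   = Dissector.get("ip")
local data_dissector = Dissector.get("data")

function mplsoudp.dissector(tvb, pinfo, tree)
    local len = tvb:len()
    if len < 4 then return end            -- truncated: no full label entry

    -- The CW is claimed only when the 4 bytes after the label are all zero
    -- AND an IPv4 header (version nibble 4) follows, as in the BUM format.
    local has_cw = len >= 9
        and tvb(4, 4):uint() == 0
        and tvb(8, 1):bitfield(0, 4) == 4
    local hdr_len = has_cw and 8 or 4

    local subtree = tree:add(mplsoudp, tvb(0, hdr_len))
    local entry = tvb(0, 4)
    subtree:add(f_label, entry, entry:bitfield(0, 20))   -- top 20 bits
    subtree:add(f_bos, tvb(2, 1), entry:bitfield(23, 1)) -- S bit
    subtree:add(f_ttl, tvb(3, 1))
    if has_cw then subtree:add(f_cw, tvb(4, 4)) end

    if len <= hdr_len then return end     -- nothing encapsulated
    local payload = tvb(hdr_len):tvb()
    if payload(0, 1):bitfield(0, 4) == 4 then
        -- Inner IPv4; for BUM traffic Wireshark continues with UDP/4789 (VXLAN).
        ip_dissector:call(payload, pinfo, tree)
    else
        -- Anything else (e.g. a bare Ethernet frame) is left undecoded here.
        data_dissector:call(payload, pinfo, tree)
    end
end

-- Ports from this page: 0x19eb, and 0xc822 (51234) as seen in its capture.
local udp_ports = DissectorTable.get("udp.port")
udp_ports:add(0x19eb, mplsoudp)
udp_ports:add(51234, mplsoudp)
```

It is loaded with the same `-X lua_script:<file>` option that the tshark commands on this page use.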
With the new enhanced lua scripts, tshark/wireshark can now decode these data plane BUM traffic packets pretty well (one script for MPLS-over-UDP and one for MPLS-over-GRE, respectively):
https://gist.github.com/lujiang2016/0b73e88e529555d17069584c047aedf0/raw/58d03df0585b3772ee29e84c06f8c29e63e61022/mpls-over-udp-decode.lua
https://gist.github.com/lujiang2016/16cfa563d7dca594eed1f1f9de000d13/raw/f88d12aed554ad7959601119b7518ee826d8ee1d/mpls-over-gre-decode.lua
root@aio69:~# dpkg -l | egrep -i tshark
ii tshark 1.12.1+g01b65bf-4+deb8u11ubuntu0.14.04.1 amd64 network traffic analyzer - console version
root@aio69:~# ls -aF *.lua
mpls-over-gre+xomcw-final.lua mpls-over-udp_xomcw-final.lua
root@aio69:~# tshark -r comp45-eth1-b-filtered.pcap -X lua_script:mpls-over-gre+xomcw-final.lua -X lua_script:mpls-over-udp_xomcw-final.lua
Running as user "root" and group "root". This could be dangerous.
1 0.000000 fe80::42:e6ff:fe5c:98eb -> ff02::16 ICMPv6 236 Multicast Listener Report Message v2
2 0.532280 02:5c:f5:f9:f1:68 -> Broadcast ARP 128 Who has 11.11.11.250? Tell 11.11.11.4
3 0.532402 02:5c:f5:f9:f1:68 -> Broadcast ARP 124 Who has 11.11.11.250? Tell 11.11.11.4
4 0.533117 02:f2:9c:0a:37:f6 -> 02:5c:f5:f9:f1:68 ARP 88 11.11.11.250 is at 02:f2:9c:0a:37:f6
5 0.533733 11.11.11.4 -> 11.11.11.250 ICMP 144 Echo (ping) request id=0x3c36, seq=0/0, ttl=64
6 0.535851 11.11.11.250 -> 11.11.11.4 ICMP 144 Echo (ping) reply id=0x3c36, seq=0/0, ttl=64 (request in 5)
7 1.532680 11.11.11.4 -> 11.11.11.250 ICMP 144 Echo (ping) request id=0x3c36, seq=1/256, ttl=64
8 1.533183 11.11.11.250 -> 11.11.11.4 ICMP 144 Echo (ping) reply id=0x3c36, seq=1/256, ttl=64 (request in 7)
9 2.781272 fe80::ff:3fff:fec8:9732 -> ff02::16 ICMPv6 236 Multicast Listener Report Message v2
10 3.004772 fe80::ff:3fff:fec8:9732 -> ff02::16 ICMPv6 236 Multicast Listener Report Message v2
root@aio69:~# tshark -r comp45-eth1-b-filtered.pcap -X lua_script:mpls-over-gre+xomcw-final.lua -X lua_script:mpls-over-udp_xomcw-final.lua -Y frame.number==2 -Vx
Running as user "root" and group "root". This could be dangerous.
Frame 2: 128 bytes on wire (1024 bits), 128 bytes captured (1024 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Jul 23, 2018 18:14:10.064242000 PDT
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1532394850.064242000 seconds
[Time delta from previous captured frame: 0.532280000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.532280000 seconds]
Frame Number: 2
Frame Length: 128 bytes (1024 bits)
Capture Length: 128 bytes (1024 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:udp:mpls_udp:ip:udp:vxlan:eth:ethertype:arp]
Ethernet II, Src: Vmware_85:f8:e5 (00:50:56:85:f8:e5), Dst: Vmware_9e:35:f2 (00:50:56:9e:35:f2)
Destination: Vmware_9e:35:f2 (00:50:56:9e:35:f2)
Address: Vmware_9e:35:f2 (00:50:56:9e:35:f2)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: Vmware_85:f8:e5 (00:50:56:85:f8:e5)
Address: Vmware_85:f8:e5 (00:50:56:85:f8:e5)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 172.18.41.45 (172.18.41.45), Dst: 172.18.41.46 (172.18.41.46)
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 114
Identification: 0x2840 (10304)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0xa7bb [validation disabled]
[Good: False]
[Bad: False]
Source: 172.18.41.45 (172.18.41.45)
Destination: 172.18.41.46 (172.18.41.46)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 54122 (54122), Dst Port: 51234 (51234)
Source Port: 54122 (54122)
Destination Port: 51234 (51234)
Length: 94
Checksum: 0x0000 (none)
[Good Checksum: False]
[Bad Checksum: False]
[Stream index: 2]
MplsoUdp Protocol
Mpls Label: 4101
XoM CW: 0
Internet Protocol Version 4, Src: 172.18.41.45 (172.18.41.45), Dst: 172.18.41.45 (172.18.41.45)
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 78
Identification: 0x283f (10303)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0xa7e1 [validation disabled]
[Good: False]
[Bad: False]
Source: 172.18.41.45 (172.18.41.45)
Destination: 172.18.41.45 (172.18.41.45)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 54122 (54122), Dst Port: 4789 (4789)
Source Port: 54122 (54122)
Destination Port: 4789 (4789)
Length: 58
Checksum: 0x0000 (none)
[Good Checksum: False]
[Bad Checksum: False]
[Stream index: 3]
Virtual eXtensible Local Area Network
Flags: 0x08
0... .... = Reserved(R): False
.0.. .... = Reserved(R): False
..0. .... = Reserved(R): False
...0 .... = Reserved(R): False
.... 1... = VXLAN Network ID(VNI): Present
...0 .... = Reserved(R): False
...0 .... = Reserved(R): False
...0 .... = Reserved(R): False
Reserved: 0x000000
VXLAN Network Identifier (VNI): 8
Reserved: 0
Ethernet II, Src: 02:5c:f5:f9:f1:68 (02:5c:f5:f9:f1:68), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Destination: Broadcast (ff:ff:ff:ff:ff:ff)
Address: Broadcast (ff:ff:ff:ff:ff:ff)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
Source: 02:5c:f5:f9:f1:68 (02:5c:f5:f9:f1:68)
Address: 02:5c:f5:f9:f1:68 (02:5c:f5:f9:f1:68)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: ARP (0x0806)
Address Resolution Protocol (request)
Hardware type: Ethernet (1)
Protocol type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (1)
Sender MAC address: 02:5c:f5:f9:f1:68 (02:5c:f5:f9:f1:68)
Sender IP address: 11.11.11.4 (11.11.11.4)
Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
Target IP address: 11.11.11.250 (11.11.11.250)
0000 00 50 56 9e 35 f2 00 50 56 85 f8 e5 08 00 45 00 .PV.5..PV.....E.
0010 00 72 28 40 00 00 40 11 a7 bb ac 12 29 2d ac 12 .r(@..@.....)-..
0020 29 2e d3 6a c8 22 00 5e 00 00 01 00 51 40 00 00 )..j.".^....Q@..
0030 00 00 45 00 00 4e 28 3f 00 00 40 11 a7 e1 ac 12 ..E..N(?..@.....
0040 29 2d ac 12 29 2d d3 6a 12 b5 00 3a 00 00 08 00 )-..)-.j...:....
0050 00 00 00 00 08 00 ff ff ff ff ff ff 02 5c f5 f9 .............\..
0060 f1 68 08 06 00 01 08 00 06 04 00 01 02 5c f5 f9 .h...........\..
0070 f1 68 0b 0b 0b 04 00 00 00 00 00 00 0b 0b 0b fa .h..............