Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

IDS interfaces and capturing the traffic

 

Information

 

Summary:

Description of network interfaces used by IDS module and hints for capturing the traffic there. 

Environment:

Product: Flowmon IDS

Version: Any

Platform: Any

Question/Problem Description:

What does the idsp_eth2_in/idsp_eth2_out mean?

How to filter VLAN traffic on idsp_eth2_out?

Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  
Cause:  
Resolution:

IDS module is using interfaces idsp_eth2_in/idsp_eth2_out as a pipe (eth2 - the name of the monitoring port). Flow exporter is sending packets to idsp_eth2_in and Suricata is reading the packets from idsp_eth2_out. 

No traffic modification is done between in/out interfaces. 

It is possible to capture the traffic on these interfaces via tcpdump. 

Filtering VLANs in tcpdump captures:

1) Filtering on the IN interfaces works as expected. Example for filtering VLAN 118 (HEX representation is 0x0076, 0x8100 stands for L2 type 802.1Q):

[flowmon@localhost ~]$ tcpdump -i idsp_eth2_in -XX '(ether[12:2]=0x8100) and (ether[14:2]=0x0076)'
10:52:50.003999 IP 10.118.10.1 > 10.118.10.2: ICMP echo request, id 3, seq 0, length 80
0x0000: 001b d41b a4d8 0013 c3df ae18 8100 0076
0x0010: 8100 000a 0800 4500 0064 000f 0000 ff01 
0x0020: 929b 0a76 0a01 0a76 0a02 0800 ceb7 0003 
0x0030: 0000 0000 0000 001f af70 abcd abcd abcd 
0x0040: abcd abcd abcd abcd abcd abcd abcd abcd
0x0050: abcd abcd abcd abcd abcd abcd abcd abcd
0x0060: abcd abcd abcd abcd abcd abcd abcd abcd 
0x0070: abcd abcd abcd abcd abcd

2) Filtering VLANs on the OUT interface cannot be done the same way because tcpdump skips the 802.1Q header (highlighted with green color). Example:

[flowmon@localhost ~]$ tcpdump -i idsp_eth2_out -XX '(ether[12:2]=0x8100) and (ether[14:2]=0x000a)'
10:41:43.564824 IP 10.118.10.1 > 10.118.10.2: ICMP echo request, id 3, seq 0, length 80
0x0000: 001b d41b a4d8 0013 c3df ae18 8100 0076 
0x0010: 8100 000a 0800 4500 0064 000f 0000 ff01
0x0020: 929b 0a76 0a01 0a76 0a02 0800 ceb7 0003 
0x0030: 0000 0000 0000 001f af70 abcd abcd abcd
0x0040: abcd abcd abcd abcd abcd abcd abcd abcd
0x0050: abcd abcd abcd abcd abcd abcd abcd abcd
0x0060: abcd abcd abcd abcd abcd abcd abcd abcd 
0x0070: abcd abcd abcd abcd abcd

Command explanation:

-XX - When parsing and printing, in addition to printing the headers of each packet, print the data of each packet, including its link level header, in hex and ASCII.

filter ether[12:2] - filters 13. and 14. byte of the frame

Workaround:

It is possible to use a workaround to filter the VLAN ID for the OUT interface:

[flowmon@localhost ~]$ tcpdump -i idsp_eth2_out -e '(ether[12:2]=0x8100)' | grep 'vlan 118'
10:57:39.295203 00:13:c3:df:ae:18 (oui Unknown) > 00:1b:d4:1b:a4:d8 (oui Unknown), ethertype 802.1Q (0x8100), length 122: vlan 118, p 0, ethertype 802.1Q, vlan 10, p 0, ethertype IPv4, 10.118.10.1 > 10.118.10.2: ICMP echo request, id 3, seq 0, length 80

Command explanation:

-e - Print the link-level header on each dump line. This can be used, for example, to print MAC layer addresses for protocols such as Ethernet and IEEE 802.11.

Another way of workaround is:

[flowmon@localhost ~]$ tcpdump -i idsp_eth2_out 'ether[14:2]=118 or vlan 118'
The first part of the filter (ether[14:2]=118) matches the VLAN 118 on the IN interface and the second part (vlan 118) matches it on the OUT interface.
Notes:  

Comments