Wireshark needs packet data before it is of any use. One of the nice features of the FMADIO system is its flexibility to filter, route and display packets of different types.
In this example the real-time packet view in Wireshark is used to analyze packets.
Step 1) Select the FMAD ring remote capture
Select the interface
FMAD ring remote capture: extcapfmad
by double clicking on it.
This shows a blank Wireshark page, as shown below. Note that the live capture is running.
Step 2) Confirm LXC Ring
By default the FShark2 container will create an FMADIO Ring named
/opt/fmadio/queue/lxc_fshark2
This can be confirmed using the command
fmadiocli "show ring status"
Example output:
fmad fmadlua Dec 16 2024 (/opt/fmadio/bin/fmadiolua --nocal /opt/fmadio/bin/fmadiocli show ring status )
Disable cycle calibration
[Tue Dec 17 13:06:03 2024] CmdLine [show ring status]
[Tue Dec 17 13:06:03 2024] Cmd [show ring status ]
[Tue Dec 17 13:06:03 2024] Name : Path : Status : Pkt Put : Pkt Get : Pkt Queued : Desc
[Tue Dec 17 13:06:03 2024] -----------------------------------------+--------------------------------------------------------------+------------+------------------+------------------+------------+------------------------------------
[Tue Dec 17 13:06:03 2024] lxc_fshark2 : /opt/fmadio/queue/lxc_fshark2 : online : 0 : 0 : 0 :
[Tue Dec 17 13:06:03 2024] -----------------------------------------+--------------------------------------------------------------+------------+------------------+------------------+------------+------------------------------------
done 0.040417Sec 0.000674Min
fmadio@fmadio200v4-636:/opt/fmadio/etc$
Step 3) Send offline BPF filtered packets to the LXC Ring
Start by sending some previously captured traffic to the LXC Ring. In this example, all ARP traffic in the historical capture is sent to the ring.
Use the command below, where <capture name> is found with the FMADIO CLI command
show capture list
( https://docs4.fmad.io/docs/fmadiocli-configure-capture#show-capture-list )
sudo stream_cat -v --ring /opt/fmadio/queue/lxc_fshark2 --ring-filter-bpf /opt/fmadio/queue/lxc_fshark2 "arp" <capture name>
This sends the BPF filtered ARP traffic from the specified capture into Wireshark. Note that the double quotes around the BPF filter are required.
Example output:
fmadio@fmadio200v4-636:~$ sudo stream_cat -v --ring /opt/fmadio/queue/lxc_fshark2 --ring-filter-bpf /opt/fmadio/queue/lxc_fshark2 "arp" wan0_20241217_1319
Create FMAD Ring: 0 [/opt/fmadio/queue/lxc_fshark2]
BPF Filter [arp] slen: 3 alen: 3
stream_cat ioqueue: 4
TimeStamp[0] --pcap
TimeStamp[1] --pcap
TimeStamp[2] --pcap
TimeStamp[3] --pcap
TimeStamp[4] --pcap
TimeStamp[5] --pcap
TimeStamp[6] --pcap
TimeStamp[7] --pcap
RING[/opt/fmadio/queue/lxc_fshark2 ] 00 : CPU: 0 FilterBPF:[(null)] FilterFrame:[(null)]
calibrating...
0 : 2749992135 2.7500 cycles/nsec offset:0.008 Mhz
Cycles/Sec 2749992135.0000 Std: 0 cycle std( 0.00000000) Target:2.75 Ghz
StartChunkID: 6338017
StartChunk: 6338017 Offset: 0 Stride: 1
StartChunk: 6338017
RING[/opt/fmadio/queue/lxc_fshark2 ] Size : 12595200 16777216
RING[/opt/fmadio/queue/lxc_fshark2 ] Version: 100 100
RING[/opt/fmadio/queue/lxc_fshark2 ] Put:6a98cd cd 0x7fe9cfb34000
RING[/opt/fmadio/queue/lxc_fshark2 ] Get:6a98cd cd 0x7fe9cfb35000
RING[/opt/fmadio/queue/lxc_fshark2 ] thread:0
RING[/opt/fmadio/queue/lxc_fshark2 ] worker thread start
{"tstr":"20241217_132247", "timestamp":1734412967,"PktCnt": 0, "PktByte": 0, "ChunkID":6338017,"PCAPTS":"00:00:00.000.000.000","PendingB":49860575232,"Read_bps":0,"Read_pps":0,"Write_bps":0,"Write_pps":0,"FwdPct":0.000,""CPUIdle":0.000,"CPUFetch":0.560, "CPUSend":0.000}
{"tstr":"20241217_132248", "timestamp":1734412968,"PktCnt": 510758, "PktByte": 366960676, "ChunkID":6339455,"PCAPTS":"20:00:03.759.406.113","PendingB":49483612160,"Read_bps":2933273899,"Read_pps":510338,"Write_bps":5859534220,"Write_pps":1020677,"FwdPct":2.000,""CPUIdle":0.000,"CPUFetch":0.282, "CPUSend":0.000}
{"tstr":"20241217_132249", "timestamp":1734412969,"PktCnt": 1002736, "PktByte": 798179946, "ChunkID":6341130,"PCAPTS":"20:00:07.453.379.265","PendingB":49044520960,"Read_bps":3443877550,"Read_pps":491141,"Write_bps":6878194176,"Write_pps":982283,"FwdPct":2.000,""CPUIdle":0.000,"CPUFetch":0.329, "CPUSend":0.000}
{"tstr":"20241217_132250", "timestamp":1734412970,"PktCnt": 1513100, "PktByte": 1154918776, "ChunkID":6342522,"PCAPTS":"20:00:11.297.875.278","PendingB":48679616512,"Read_bps":2853104355,"Read_pps":510218,"Write_bps":5699369260,"Write_pps":1020437,"FwdPct":2.000,""CPUIdle":0.000,"CPUFetch":0.274, "CPUSend":0.000}
{"tstr":"20241217_132251", "timestamp":1734412971,"PktCnt": 2030128, "PktByte": 1479828590, "ChunkID":6343793,"PCAPTS":"20:00:15.832.633.068","PendingB":48346431488,"Read_bps":2598102608,"Read_pps":516794,"Write_bps":5190322807,"Write_pps":1033588,"FwdPct":2.000,""CPUIdle":0.000,"CPUFetch":0.248, "CPUSend":0.000}
{"tstr":"20241217_132252", "timestamp":1734412972,"PktCnt": 2506422, "PktByte": 1966626442, "ChunkID":6345679,"PCAPTS":"20:00:24.660.037.680","PendingB":47852027904,"Read_bps":3893726139,"Read_pps":476214,"Write_bps":7776608011,"Write_pps":952427,"FwdPct":2.000,""CPUIdle":0.000,"CPUFetch":0.376, "CPUSend":0.000}
{"tstr":"20241217_132253", "timestamp":1734412973,"PktCnt": 2962091, "PktByte": 2541555058, "ChunkID":6347900,"PCAPTS":"20:00:33.408.728.815","PendingB":47269806080,"Read_bps":4599003615,"Read_pps":455627,"Write_bps":9185303526,"Write_pps":911253,"FwdPct":2.000,""CPUIdle":0.000,"CPUFetch":0.444, "CPUSend":0.000}
{"tstr":"20241217_132254", "timestamp":1734412974,"PktCnt": 3416285, "PktByte": 3118358976, "ChunkID":6350128,"PCAPTS":"20:00:42.413.531.783","PendingB":46685749248,"Read_bps":4613301305,"Read_pps":454083,"Write_bps":9213208847,"Write_pps":908166,"FwdPct":2.000,""CPUIdle":0.000,"CPUFetch":0.445, "CPUSend":0.000}
{"tstr":"20241217_132255", "timestamp":1734412975,"PktCnt": 3876476, "PktByte": 3687703132, "ChunkID":6352328,"PCAPTS":"20:00:53.797.779.165","PendingB":46109032448,"Read_bps":4553654815,"Read_pps":460080,"Write_bps":9094476262,"Write_pps":920160,"FwdPct":2.000,""CPUIdle":0.000,"CPUFetch":0.440, "CPUSend":0.000}
.
.
Step 4) View and debug in Wireshark
The stream_cat command above filters for ARP traffic only, so only ARP traffic will show in Wireshark, as shown below.
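The following Python helpers are an added example for the procedure above (Steps 2 to 4); they are not FMADIO code. They parse only the two output formats shown on this page: the "show ring status" table printed by fmadiocli (to confirm the ring is online before pushing) and the per-second JSON status lines printed by stream_cat -v (to check how much traffic actually reached the ring and whether the backlog is shrinking). The sample inputs are constructed from the output above; the meaning given to PendingB (bytes still pending for the reader) is an assumption.

```python
"""Helpers for the FShark2 ring / stream_cat workflow on this page.

Added example; not FMADIO code. It assumes only the two output formats
shown on the page: the 'show ring status' table printed by fmadiocli and
the per-second JSON status lines printed by stream_cat -v.
"""
import json
import re
from typing import Dict, Iterable, Optional

RING_PATH = "/opt/fmadio/queue/lxc_fshark2"

# Sample 'show ring status' output, constructed from the page (separator
# rows shortened; the row layout is what matters).
RING_STATUS_SAMPLE = """\
[Tue Dec 17 13:06:03 2024] CmdLine [show ring status]
[Tue Dec 17 13:06:03 2024] Cmd [show ring status ]
[Tue Dec 17 13:06:03 2024] Name : Path : Status : Pkt Put : Pkt Get : Pkt Queued : Desc
[Tue Dec 17 13:06:03 2024] ---------------+---------------+----------+----------+----------+----------+-----
[Tue Dec 17 13:06:03 2024] lxc_fshark2 : /opt/fmadio/queue/lxc_fshark2 : online : 0 : 0 : 0 :
[Tue Dec 17 13:06:03 2024] ---------------+---------------+----------+----------+----------+----------+-----
done 0.040417Sec 0.000674Min
"""

# Sample stream_cat -v status lines, constructed from the page. Note the
# doubled quote before CPUIdle, present in every line on the page, and the
# last line, which is cut off mid-record.
STATS_SAMPLE = [
    '{"tstr":"20241217_132247", "timestamp":1734412967,"PktCnt": 0, "PktByte": 0, "ChunkID":6338017,"PCAPTS":"00:00:00.000.000.000","PendingB":49860575232,"Read_bps":0,"Read_pps":0,"Write_bps":0,"Write_pps":0,"FwdPct":0.000,""CPUIdle":0.000,"CPUFetch":0.560, "CPUSend":0.000}',
    '{"tstr":"20241217_132248", "timestamp":1734412968,"PktCnt": 510758, "PktByte": 366960676, "ChunkID":6339455,"PCAPTS":"20:00:03.759.406.113","PendingB":49483612160,"Read_bps":2933273899,"Read_pps":510338,"Write_bps":5859534220,"Write_pps":1020677,"FwdPct":2.000,""CPUIdle":0.000,"CPUFetch":0.282, "CPUSend":0.000}',
    '{"tstr":"20241217_132249", "timestamp":1734412969,"PktCnt": 1002736, "PktByte": 798179946, "ChunkID":6341130,"PCAPTS":"20:00:07.453.379.265","PendingB":49044520960,"Read_bps":3443877550,"Read_pps":491141,"Write_bps":6878194176,"Write_pps":982283,"FwdPct":2.000,""CPUIdle":0.000,"CPUFetch":0.329, "CPUSend":0.000}',
    '{"tstr":"20241217_134507", "timestamp":1734414307,"PktCnt": 263493, "PktByte": 43756464, "ChunkID":9445774,"PCAPTS":"05:45:05.884.812.442","PendingB":13369344,"Read_bps":36433747,"Read_pps":26607,"Write_bps":35638085,"Write_pps":26607,"FwdPct":1.000,""CPUIdl',
]

_LOG_PREFIX = re.compile(r"^\[[^\]]*\]\s*")   # strips '[Tue Dec 17 ...] '


def parse_ring_status(text: str) -> Dict[str, dict]:
    """Parse the ring table into {name: {path, status, put, get, queued}}."""
    rings: Dict[str, dict] = {}
    for line in text.splitlines():
        body = _LOG_PREFIX.sub("", line).strip()
        cols = [c.strip() for c in body.split(":")]
        # Data rows carry a path in column 2; the header, separators and
        # the CmdLine/done lines do not.
        if len(cols) < 6 or not cols[1].startswith("/"):
            continue
        name, path, status, put, get, queued = cols[:6]
        rings[name] = {"path": path, "status": status, "put": int(put),
                       "get": int(get), "queued": int(queued)}
    return rings


def ring_online(text: str, path: str = RING_PATH) -> bool:
    """True if the ring at 'path' is reported as online."""
    return any(r["path"] == path and r["status"] == "online"
               for r in parse_ring_status(text).values())


def parse_stats_line(line: str) -> Optional[dict]:
    """Parse one stream_cat status line; None for non-JSON or cut-off lines."""
    line = line.strip()
    if not line.startswith("{"):
        return None
    # Tolerate the doubled quote (',""CPUIdle"') seen in the page's output.
    line = line.replace(',""', ',"')
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


def summarize_stats(lines: Iterable[str]) -> dict:
    """Aggregate status lines: packets forwarded, average rate, backlog trend."""
    samples = [s for s in map(parse_stats_line, lines) if s is not None]
    if not samples:
        raise ValueError("no parsable status lines")
    first, last = samples[0], samples[-1]
    elapsed = last["timestamp"] - first["timestamp"]
    packets = last["PktCnt"] - first["PktCnt"]
    return {
        "samples": len(samples),
        "elapsed_s": elapsed,
        "packets": packets,
        "avg_pps": packets / elapsed if elapsed else 0.0,
        "peak_write_pps": max(s["Write_pps"] for s in samples),
        # Falling PendingB: the reader is working through the backlog.
        # Rising: it is falling behind (assumed meaning of the field).
        "pending_delta_bytes": last["PendingB"] - first["PendingB"],
    }


if __name__ == "__main__":
    print("ring online:", ring_online(RING_STATUS_SAMPLE))
    for key, value in summarize_stats(STATS_SAMPLE).items():
        print(f"{key}: {value}")
```

On the appliance, feed parse_ring_status the output of fmadiocli "show ring status" and summarize_stats the stdout of the stream_cat command; a run that reports zero packets with the ring online usually means the BPF filter matched nothing in that capture.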
Optional 1) Push to Wireshark Realtime
In addition to pushing historical data into Wireshark for analysis, realtime data can also be pushed to Wireshark.
NOTE: Wireshark processing is very slow; it is recommended to filter the traffic heavily and not send large amounts of data to Wireshark for analysis.
To push, for example, ARP traffic from the realtime capture into Wireshark, run the following on the host. In this case the filter matches ARP packets which carry a VLAN tag.
sudo stream_cat -v --follow --ring /opt/fmadio/queue/lxc_fshark2 --ring-filter-bpf /opt/fmadio/queue/lxc_fshark2 "vlan and arp"
Example output on the host:
fmadio@fmadio200v4-636:~$ sudo stream_cat -v --follow --ring /opt/fmadio/queue/lxc_fshark2 --ring-filter-bpf /opt/fmadio/queue/lxc_fshark2 "vlan and arp"
stream_cat: follow mode
Create FMAD Ring: 0 [/opt/fmadio/queue/lxc_fshark2]
found ring: [/opt/fmadio/queue/lxc_fshark2] id:0
FMAD Ring: 0 [/opt/fmadio/queue/lxc_fshark2] FilterBPF [vlan and arp]
stream_cat ioqueue: 4
Using Filename [asdf_20241217_1331]
TimeStamp[0] --pcap
TimeStamp[1] --pcap
TimeStamp[2] --pcap
TimeStamp[3] --pcap
TimeStamp[4] --pcap
TimeStamp[5] --pcap
TimeStamp[6] --pcap
TimeStamp[7] --pcap
RING[/opt/fmadio/queue/lxc_fshark2 ] 00 : CPU: 0 FilterBPF:[vlan and arp] FilterFrame:[(null)]
calibrating...
0 : 2749991722 2.7500 cycles/nsec offset:0.008 Mhz
Cycles/Sec 2749991722.0000 Std: 0 cycle std( 0.00000000) Target:2.75 Ghz
StartChunkID: 9445591
StartChunk: 9445591 Offset: 0 Stride: 1
StartChunk: 9445591
RING[/opt/fmadio/queue/lxc_fshark2 ] Size : 12595200 16777216
RING[/opt/fmadio/queue/lxc_fshark2 ] Version: 100 100
RING[/opt/fmadio/queue/lxc_fshark2 ] Put:aea512 112 0x7fe70a934000
RING[/opt/fmadio/queue/lxc_fshark2 ] Get:aea512 112 0x7fe70a935000
RING[/opt/fmadio/queue/lxc_fshark2 ] thread:0
RING[/opt/fmadio/queue/lxc_fshark2 ] worker thread start
{"tstr":"20241217_134453", "timestamp":1734414293,"PktCnt": 0, "PktByte": 0, "ChunkID":9445591,"PCAPTS":"00:00:00.000.000.000","PendingB":22020096,"Read_bps":0,"Read_pps":0,"Write_bps":0,"Write_pps":0,"FwdPct":0.000,""CPUIdle":0.000,"CPUFetch":0.591, "CPUSend":0.000}
{"tstr":"20241217_134455", "timestamp":1734414295,"PktCnt": 128776, "PktByte": 12881792, "ChunkID":9445648,"PCAPTS":"05:44:41.495.997.900","PendingB":7864320,"Read_bps":64688307,"Read_pps":80834,"Write_bps":60122842,"Write_pps":80850,"FwdPct":1.000,""CPUIdle":0.993,"CPUFetch":0.006, "CPUSend":0.000}
{"tstr":"20241217_134456", "timestamp":1734414296,"PktCnt": 130876, "PktByte": 13110336, "ChunkID":9445649,"PCAPTS":"05:44:42.058.234.701","PendingB":7864320,"Read_bps":1682746,"Read_pps":1933,"Write_bps":1574762,"Write_pps":1933,"FwdPct":1.000,""CPUIdle":1.000,"CPUFetch":0.000, "CPUSend":0.000}
{"tstr":"20241217_134457", "timestamp":1734414297,"PktCnt": 132609, "PktByte": 13344752, "ChunkID":9445650,"PCAPTS":"05:44:42.803.097.924","PendingB":7864320,"Read_bps":1638468,"Read_pps":1514,"Write_bps":1550755,"Write_pps":1514,"FwdPct":1.000,""CPUIdle":1.000,"CPUFetch":0.000, "CPUSend":0.000}
{"tstr":"20241217_134459", "timestamp":1734414299,"PktCnt": 139285, "PktByte": 14024368, "ChunkID":9445653,"PCAPTS":"05:44:44.095.285.151","PendingB":7864320,"Read_bps":2965744,"Read_pps":3642,"Write_bps":2758321,"Write_pps":3642,"FwdPct":1.000,""CPUIdle":1.000,"CPUFetch":0.000, "CPUSend":0.000}
{"tstr":"20241217_134500", "timestamp":1734414300,"PktCnt": 144100, "PktByte": 14471616, "ChunkID":9445655,"PCAPTS":"05:44:44.743.005.040","PendingB":7864320,"Read_bps":2992603,"Read_pps":4027,"Write_bps":2763191,"Write_pps":4027,"FwdPct":1.000,""CPUIdle":1.000,"CPUFetch":0.000, "CPUSend":0.000}
{"tstr":"20241217_134502", "timestamp":1734414302,"PktCnt": 152410, "PktByte": 15387232, "ChunkID":9445659,"PCAPTS":"05:44:47.024.734.337","PendingB":7864320,"Read_bps":5464953,"Read_pps":6200,"Write_bps":5109313,"Write_pps":6201,"FwdPct":1.000,""CPUIdle":1.000,"CPUFetch":0.000, "CPUSend":0.000}
{"tstr":"20241217_134503", "timestamp":1734414303,"PktCnt": 156767, "PktByte": 15841808, "ChunkID":9445661,"PCAPTS":"05:44:47.827.131.406","PendingB":7864320,"Read_bps":2440997,"Read_pps":2925,"Write_bps":2274377,"Write_pps":2925,"FwdPct":1.000,""CPUIdle":1.000,"CPUFetch":0.000, "CPUSend":0.000}
{"tstr":"20241217_134504", "timestamp":1734414304,"PktCnt": 169548, "PktByte": 17210176, "ChunkID":9445667,"PCAPTS":"05:44:49.951.941.341","PendingB":8126464,"Read_bps":10936374,"Read_pps":12769,"Write_bps":10209445,"Write_pps":12774,"FwdPct":1.000,""CPUIdle":0.999,"CPUFetch":0.001, "CPUSend":0.000}
{"tstr":"20241217_134505", "timestamp":1734414305,"PktCnt": 208606, "PktByte": 21565984, "ChunkID":9445686,"PCAPTS":"05:45:00.287.599.845","PendingB":21495808,"Read_bps":34841133,"Read_pps":39052,"Write_bps":32603812,"Write_pps":39063,"FwdPct":1.000,""CPUIdle":0.996,"CPUFetch":0.003, "CPUSend":0.000}
{"tstr":"20241217_134506", "timestamp":1734414306,"PktCnt": 236882, "PktByte": 39201504, "ChunkID":9445755,"PCAPTS":"05:45:04.806.492.949","PendingB":7864320,"Read_bps":140829069,"Read_pps":28225,"Write_bps":138276692,"Write_pps":28229,"FwdPct":1.000,""CPUIdle":0.994,"CPUFetch":0.006, "CPUSend":0.000}
{"tstr":"20241217_134507", "timestamp":1734414307,"PktCnt": 263493, "PktByte": 43756464, "ChunkID":9445774,"PCAPTS":"05:45:05.884.812.442","PendingB":13369344,"Read_bps":36433747,"Read_pps":26607,"Write_bps":35638085,"Write_pps":26607,"FwdPct":1.000,""CPUIdl
.
.
Example output in Wireshark
NOTE: If the number of packets forwarded into Wireshark is quite small, there may be a delay before the packets show up in Wireshark due to internal buffering.
Optional 2) Send per Capture Port traffic to Wireshark
When setting up patching and switch configuration it is sometimes helpful to see traffic from a specific capture port only. This can aid in troubleshooting.
To filter on a specific physical capture port (e.g. cap0, cap1, cap2, cap3) combined with a BPF filter, the following command can be used
sudo stream_cat -v --follow --ring /opt/fmadio/queue/lxc_fshark2 --ring-filter-bpf /opt/fmadio/queue/lxc_fshark2 "ether proto 0x88cc" --ring-filter-frame /opt/fmadio/queue/lxc_fshark2 "capture.port=0"
Note the capture.port=0 filter setting; this can be changed to capture.port=1 or any other capture port.
The resulting Wireshark output in this case is all LLDP traffic (ethertype 0x88cc).
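The three stream_cat invocations on this page (Step 3 offline replay, Optional 1 realtime follow, Optional 2 per capture port) differ only in a few arguments, so an added helper that builds them is shown below. This is example code, not FMADIO's; it uses only the flags that appear above (--follow, --ring, --ring-filter-bpf, --ring-filter-frame). The port range check (cap0 to cap3) and the non-empty filter check are this example's own assumptions.

```python
"""Build the stream_cat command lines used on this page.

Added example; not FMADIO code. It uses only the flags shown on the page
(--follow, --ring, --ring-filter-bpf, --ring-filter-frame); the port range
check (cap0..cap3) and the non-empty-filter check are this example's own.
"""
import shlex
import subprocess
from typing import List, Optional

RING = "/opt/fmadio/queue/lxc_fshark2"
CAPTURE_PORTS = (0, 1, 2, 3)   # cap0..cap3, as listed on the page


def stream_cat_argv(bpf: str, capture: Optional[str] = None,
                    port: Optional[int] = None, ring: str = RING) -> List[str]:
    """argv for stream_cat.

    capture given -> offline mode, replay that capture into the ring (Step 3)
    capture None  -> --follow, push from the live capture (Optional 1)
    port given    -> add a capture.port frame filter as well (Optional 2)
    """
    if not bpf.strip():
        raise ValueError("BPF filter must not be empty")
    if port is not None and port not in CAPTURE_PORTS:
        raise ValueError(f"capture port must be one of {CAPTURE_PORTS}")
    argv = ["sudo", "stream_cat", "-v"]
    if capture is None:
        argv.append("--follow")
    argv += ["--ring", ring, "--ring-filter-bpf", ring, bpf]
    if port is not None:
        argv += ["--ring-filter-frame", ring, f"capture.port={port}"]
    if capture is not None:
        argv.append(capture)
    return argv


def stream_cat_shell(bpf: str, capture: Optional[str] = None,
                     port: Optional[int] = None, ring: str = RING) -> str:
    """Same command as one copy-pasteable shell line. shlex.quote supplies
    the quoting the page says is required around the filter, so a filter
    such as 'vlan and arp' stays a single argument."""
    return " ".join(shlex.quote(a) for a in stream_cat_argv(bpf, capture, port, ring))


def launch(bpf: str, capture: Optional[str] = None,
           port: Optional[int] = None, ring: str = RING) -> subprocess.Popen:
    """Start stream_cat on the FMADIO host; the caller reads its status
    lines from proc.stdout. Only meaningful on the appliance itself."""
    return subprocess.Popen(stream_cat_argv(bpf, capture, port, ring),
                            stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                            text=True)


if __name__ == "__main__":
    print(stream_cat_shell("arp", capture="wan0_20241217_1319"))  # Step 3
    print(stream_cat_shell("vlan and arp"))                        # Optional 1
    print(stream_cat_shell("ether proto 0x88cc", port=0))          # Optional 2
```

Passing the filter as its own argv element (rather than through a shell) is what keeps "vlan and arp" intact; the single quotes shlex.quote emits are equivalent to the double quotes used on this page.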