In a lot of cases, when a SPAN or MIRROR port is set up and fed to a packet capture device, the exact encapsulation framing of the packets can be complicated.
Understanding the VLAN, VXLAN, MPLS or GRE tunnel encapsulation of a packet can therefore be quite helpful.
Inner IP address Encapsulation
Often the exact packet encapsulation is unclear. The following uses a Wireshark filter expression to extract and show the full encapsulation format of each matching packet; from this, a high-speed BPF filter can be built to process the data.
In the example below the Wireshark filter "ip.addr == 192.168.1.1" is applied to a historical capture.
curl -u fmadio:xxxx "http://127.0.0.1/api/v1/pcap/timerange?\
TSBegin=1666706401000000000&\
TSEnd=1666706401010000000" \
| tshark -r - -T fields -e frame.protocols -e ip.src -e ip.dst \
-Y "ip.addr == 192.168.1.1"
Alternatively, the same can be run against the currently running capture via SSH on the fmadio box, as follows. This example filters on any UDP traffic.
sudo stream_cat \
| tshark -r - -T fields -e frame.protocols -e ip.src -e ip.dst -Y "udp" \
| head
The output looks like the following:
eth:ethertype:vlan:ethertype:ip:udp:ntp 106.10.186.200 192.168.133.10
eth:ethertype:vlan:ethertype:ip:udp:ntp 106.10.186.201 192.168.133.10
eth:ethertype:vlan:ethertype:ip:udp:ntp 167.172.70.21 192.168.133.10
eth:ethertype:vlan:ethertype:ip:udp:ntp 106.10.186.200 192.168.133.10
eth:ethertype:vlan:ethertype:ip:udp:ntp 106.10.186.201 192.168.133.10
eth:ethertype:vlan:ethertype:ip:udp:ntp 167.172.70.21 192.168.133.10
The above output shows a single VLAN tag in each packet, so the equivalent BPF filter is
vlan and udp
Applying that BPF filter through a curl request:
curl -u fmadio:xxxxx "http://127.0.0.1/api/v1/pcap/timerange?\
TSBegin=1671407102&\
TSEnd=1671407752&\
TSMode=sec&" \
-G --data-urlencode "FilterBPF=vlan and udp" \
| tcpdump -r - -n \
| head
The output is:
23:47:45.409489 IP 106.10.186.201.123 > 192.168.133.10.123: NTPv4, Server, length 48
23:52:14.407364 IP 167.172.70.21.123 > 192.168.133.10.123: NTPv4, Server, length 48
23:55:42.405072 IP 106.10.186.200.123 > 192.168.133.10.123: NTPv4, Server, length 48
Histogram of Encapsulation
Finally, a summary histogram of all the encapsulation formats matching a UDP Wireshark filter can be produced with
sudo stream_cat -v <insert capture name> | tshark -r - -T fields -e frame.protocols -Y "udp" | head -n 1000000 | sort -n | uniq -c | sort -n
NOTE: processing large PCAPs can take a long time, hence the head -n 1000000,
which limits processing to the first 1M packets. This number can be changed to suit the environment.
2 eth:ethertype:vlan:ethertype:ip:udp:quic
4 eth:ethertype:vlan:ethertype:ip:udp:data
4 eth:ethertype:vlan:ethertype:ipv6:udp:dhcpv6
6 eth:ethertype:ip:udp:quic
8 eth:ethertype:ipv6:udp:ssdp
16 eth:ethertype:vlan:ethertype:ipv6:udp:ssdp
17 eth:ethertype:ip:udp:data
20 eth:ethertype:ip:udp:dns
24 eth:ethertype:ieee8021ad:ethertype:vlan:ethertype:ip:udp:ssdp
24 eth:ethertype:vlan:ethertype:ieee8021ad:ethertype:vlan:ethertype:ip:udp:ssdp
36 eth:ethertype:ip:udp:ptp
38 eth:ethertype:vlan:ethertype:ip:udp:dns
64 eth:ethertype:ip:udp:ssdp
108 eth:ethertype:vlan:ethertype:ip:udp:ptp
120 eth:ethertype:vlan:ethertype:ip:udp:ssdp
342 eth:ethertype:ip:udp:dcerpc
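As an added example (not part of the original page or of the FMADIO tooling), the following Python script performs the two steps described above offline: it builds the `sort -n | uniq -c | sort -n` style histogram from tshark `frame.protocols` lines, and derives an equivalent BPF expression for each encapsulation chain, returning None for chains such as GRE-tunnelled traffic whose inner headers cannot be selected with a plain libpcap primitive, so those are built by hand rather than guessed. The sample lines are constructed to mirror the shape of the page's output; the mapping of the `ieee8021ad` token onto the `vlan` keyword assumes a libpcap build that accepts 0x88a8 outer tags.

```python
from collections import Counter

# Constructed sample: lines in the form printed by
#   tshark -r - -T fields -e frame.protocols -Y "udp"
# (shaped like the page's output, not taken from a real capture).
SAMPLE_FRAME_PROTOCOLS = """\
eth:ethertype:vlan:ethertype:ip:udp:ntp
eth:ethertype:vlan:ethertype:ip:udp:ntp
eth:ethertype:ip:udp:dns
eth:ethertype:vlan:ethertype:ipv6:udp:dhcpv6
eth:ethertype:ieee8021ad:ethertype:vlan:ethertype:ip:udp:ssdp
eth:ethertype:ip:gre:ip:udp:data
""".splitlines()

# Tokens that carry no BPF meaning of their own.
_SKIP = {"eth", "ethertype", "llc", "snap"}

# Header tokens that map directly onto a libpcap primitive. Each "vlan" keyword
# shifts libpcap's decode offset by one tag, so a QinQ chain becomes
# "vlan and vlan". Assumption: "ieee8021ad" (0x88a8 outer tag) is also
# matched by the vlan keyword on the box's libpcap; verify on older builds.
_HEADER_TO_BPF = {
    "vlan": "vlan",
    "ieee8021ad": "vlan",
    "ip": "ip",
    "ipv6": "ip6",
}

# Everything after one of these tokens is payload and is ignored.
_TRANSPORT = {"udp", "tcp", "sctp"}


def bpf_from_frame_protocols(chain):
    """Translate one frame.protocols string into an equivalent BPF expression.

    Returns None when the chain contains a header that cannot be expressed as
    a simple primitive (e.g. GRE or VXLAN with inner IP), so the caller knows
    that filter has to be written by hand instead of being silently dropped.
    """
    terms = []
    for token in chain.strip().split(":"):
        if token in _TRANSPORT:
            terms.append(token)
            break
        if token in _SKIP:
            continue
        if token in _HEADER_TO_BPF:
            terms.append(_HEADER_TO_BPF[token])
            continue
        return None  # unsupported encapsulation: do not guess an offset
    return " and ".join(terms) if terms else None


def encapsulation_histogram(lines):
    """Return (count, chain) pairs sorted ascending by count, then by chain,
    i.e. the same view as `sort -n | uniq -c | sort -n` on the tshark output."""
    counts = Counter(line.strip() for line in lines if line.strip())
    return sorted((n, chain) for chain, n in counts.items())


def summarize(lines):
    """Histogram rows annotated with the derived BPF filter (or None)."""
    return [(n, chain, bpf_from_frame_protocols(chain))
            for n, chain in encapsulation_histogram(lines)]


if __name__ == "__main__":
    for n, chain, bpf in summarize(SAMPLE_FRAME_PROTOCOLS):
        print(f"{n:>7} {chain:<65} BPF: {bpf or '<build by hand>'}")
```

The derived expressions include the network-layer term (e.g. `vlan and ip and udp`), which is a strict narrowing of the page's `vlan and udp`; keeping it makes the IPv4/IPv6 split visible in the histogram, and it can be dropped if a broader filter is wanted.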
The same capture, but filtering for TCP instead of UDP:
fmadio@fmadio20v2-149:/mnt/store0/develop$ sudo stream_cat -v -n 100000 fmad-sg2 | tshark -r - -T fields -e frame.protocols -Y "tcp" | head -n 10000 | sort -n | uniq -c | sort -n
Follow Pre Cnt 100000
stream_cat ioqueue: 5
TimeStamp[0] --pcap
TimeStamp[1] --pcap
TimeStamp[2] --pcap
TimeStamp[3] --pcap
TimeStamp[4] --pcap
TimeStamp[5] --pcap
TimeStamp[6] --pcap
TimeStamp[7] --pcap
[20241213_000331] 0M Offset: 0GB Pkt:1733833966_374685511 Length: 264 Capture: 264 ChunkID:171982644 Read[0.004Gbps 0.002 Mpps Pkt:1] Write[0.004Gbps 0.002 Mpps Pkt:1] CPUIdle:0.000 CPUFetch:0.231 CPUProcss:0.454 CPUSend:0.315
1 eth:ethertype:vlan:ethertype:ip:tcp:nbss
11 eth:ethertype:ip:tcp:ssl:ssl
11 eth:ethertype:vlan:ethertype:ip:tcp:ssl:ssl
52 eth:ethertype:vlan:ethertype:ip:tcp:ssh
74 eth:ethertype:ip:tcp:ssh
138 eth:ethertype:ip:tcp:rpc:nfs
295 eth:ethertype:vlan:ethertype:ip:tcp:rpc:nfs
315 eth:ethertype:ip:tcp:ssl
326 eth:ethertype:vlan:ethertype:ip:tcp:ssl
1113 eth:ethertype:ip:tcp
1180 eth:ethertype:vlan:ethertype:ip:tcp:data
1600 eth:ethertype:ip:tcp:data
4884 eth:ethertype:vlan:ethertype:ip:tcp