How to find which physical capture port the traffic matching a specific BPF filter was received on, using the CLI.
The example looks for network 192.168.108.0/24 and port 2049, effectively NFS traffic on a specific port number.
The BPF filter would be:
net 192.168.108.0/24 and port 2049
Extract the matching packets using stream_cat and tcpdump:
sudo stream_cat --bpf "net 192.168.108.0/24 and port 2049" fmad-sg2_20241211_0000 | tcpdump -r - -nn | head
Where sg2_20241211_0000 is the capture name found using stream_dump.
The output looks something like this:
fmadio@fmadio20v2-149:/mnt/store0/develop/system$ sudo stream_cat --bpf "net 192.168.108.0/24 and port 2049" fmad-sg2_20241211_0000 | tcpdump -r - -nn | head
BPF Filter [net 192.168.108.0/24 and port 2049] slen: 34 alen: 34
reading from file -, link-type EN10MB (Ethernet), snapshot length 16384
00:00:00.689892055 IP 192.168.108.10.949 > 192.168.91.10.2049: Flags [P.], seq 149277826:149277946, ack 2733909000, win 24576, options [nop,nop,TS val 569584336 ecr 934681532], length 120: NFS request xid 1943967344 116 fsstat fh Unknown/01000700C035CC8B35000000313E378636F648B38DD7CF45518C7355
00:00:00.690126671 IP 192.168.108.10.949 > 192.168.91.10.2049: Flags [.], ack 89, win 24576, options [nop,nop,TS val 569584336 ecr 934682552], length 0
00:00:01.710248877 IP 192.168.108.10.949 > 192.168.91.10.2049: Flags [P.], seq 120:240, ack 89, win 24576, options [nop,nop,TS val 569585356 ecr 934682552], length 120: NFS request xid 1960744560 116 fsstat fh Unknown/01000700C035CC8B35000000313E378636F648B38DD7CF45518C7355
00:00:01.710472407 IP 192.168.108.10.949 > 192.168.91.10.2049: Flags [.], ack 177, win 24576, options [nop,nop,TS val 569585357 ecr 934683573], length 0
00:00:02.730215227 IP 192.168.108.10.949 > 192.168.91.10.2049: Flags [P.], seq 240:360, ack 177, win 24576, options [nop,nop,TS val 569586376 ecr 934683573], length 120: NFS request xid 1977521776 116 fsstat fh Unknown/01000700C035CC8B35000000313E378636F648B38DD7CF45518C7355
00:00:02.730419454 IP 192.168.108.10.949 > 192.168.91.10.2049: Flags [.], ack 265, win 24576, options [nop,nop,TS val 569586376 ecr 934684593], length 0
00:00:03.752000985 IP 192.168.108.10.949 > 192.168.91.10.2049: Flags [P.], seq 360:480, ack 265, win 24576, options [nop,nop,TS val 569587398 ecr 934684593], length 120: NFS request xid 1994298992 116 fsstat fh Unknown/01000700C035CC8B35000000313E378636F648B38DD7CF45518C7355
00:00:03.752199349 IP 192.168.108.10.949 > 192.168.91.10.2049: Flags [.], ack 353, win 24576, options [nop,nop,TS val 569587398 ecr 934685614], length 0
00:00:04.775277562 IP 192.168.108.10.949 > 192.168.91.10.2049: Flags [P.], seq 480:600, ack 353, win 24576, options [nop,nop,TS val 569588421 ecr 934685614], length 120: NFS request xid 2011076208 116 fsstat fh Unknown/01000700C035CC8B35000000313E378636F648B38DD7CF45518C7355
00:00:04.775412263 IP 192.168.108.10.949 > 192.168.91.10.2049: Flags [.], ack 441, win 24576, options [nop,nop,TS val 569588421 ecr 934686638], length 0
To extract the physical port numbers, pipe the output into the capinfos2 utility. Note that stream_cat requires the --chunked flag for this to work.
Example command:
sudo stream_cat --chunked --bpf "net 192.168.108.0/24 and port 2049" fmad-sg2_20241211_0000 | capinfos2 -v --histo-port
This produces the following output:
fmadio@fmadio20v2-149:/mnt/store0/develop/system$ sudo stream_cat --chunked --bpf "net 192.168.108.0/24 and port 2049" fmad-sg2_20241211_0000 | capinfos2 -v --histo-port
Enable Port Histogram
calibrating...
Chunked Packet output
BPF Filter [net 192.168.108.0/24 and port 2049] slen: 34 alen: 34
stream_cat ioqueue: 5
calibrating...
0 : 2100010212 2.1000 cycles/nsec offset:0.010 Mhz
Cycles/Sec 2100010212.0000 Std: 0 cycle std( 0.00000000) Target:2.10 Ghz
0 : 2100010566 2.1000 cycles/nsec offset:0.011 Mhz
Cycles/Sec 2100010566.0000 Std: 0 cycle std( 0.00000000) Target:2.10 Ghz
StartChunkID: 172846708
StartChunk: 172846708 Offset: 0 Stride: 1
StartChunk: 172846708
FMAD Format Chunked
0.00GB 0.000 Gbps 0.000 Mpps SeqError:0
0.00GB 0.001 Gbps 0.001 Mpps SeqError:0
0.00GB 0.000 Gbps 0.000 Mpps SeqError:0
0.00GB 0.001 Gbps 0.001 Mpps SeqError:0
^Cctrl-c 0
capinfos sig
Total Packets: 2583
20241211_095401 4.233s : Pkt:2585 Byte:342108 SUCCESS
TotalBytes : 336474
TotalPackets : 2583
PayloadCRC : 6febfea429cd
ErrorSeq : 0
ErrorPktSize : 0
LastByte : 0x00000000
SeqStart : 0x00000000 0x00000000 0x00000000 0x00000000 : 0x00000000
SeqEnd : 0x00000000 0x00000000 0x00000000 0x00000000 : 0x00000000
PacketCnt : 0 0 0 0
TimeOrder : 0
CRCFail : 0
CRCFailFNIC : 0
Time First : 20241211_000000 16:00:00.689.892.055 (1733846400.689892055)
Time Last : 20241211_002135 16:21:35.774.401.600 (1733847695.774401600)
TotalPCAPTime : 1295084509545 ns (21.585min)
Bandwidth : 0.000 Gbps
Packet Rate : 0.000 Mpps
Port Histogram:
Port:0 Pkt: 2583 Byte: 336474
Port:1 Pkt: 0 Byte: 0
Port:2 Pkt: 0 Byte: 0
Port:3 Pkt: 0 Byte: 0
Port:4 Pkt: 0 Byte: 0
Port:5 Pkt: 0 Byte: 0
Port:6 Pkt: 0 Byte: 0
Port:7 Pkt: 0 Byte: 0
Complete
fmadio@fmadio20v2-149:/mnt/store0/develop/system$
In the Port Histogram above we can see that the packets were found on physical Port 0 (cap0).
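
To script the check above, the following added example (not part of the original page or of the FMADIO tooling) parses the Port Histogram section of capinfos2 output and lists only the ports that received packets. The function names, the capN label for ports other than 0, and the assumption that capinfos2 writes the histogram to standard output are assumptions; the sample lines are copied from the output shown above.

```shell
#!/bin/sh
# Added example: summarise the "Port Histogram" section of capinfos2 output.
# Reads capinfos2 text on stdin and prints one line per port with packets.
# Exit status 2 means no histogram section was seen, for instance when
# capinfos2 was run without --histo-port.
ports_with_traffic() {
    awk '
        /^Port Histogram:/ { in_histo = 1; found = 1; next }
        in_histo && /^Port:[0-9]+/ {
            # Line shape on the page: "Port:0 Pkt: 2583 Byte: 336474"
            split($1, p, ":")
            pkts = $3; bytes = $5
            if (pkts + 0 > 0)
                # capN naming is an assumption based on "Port 0 (cap0)"
                printf "cap%s packets=%s bytes=%s\n", p[2], pkts, bytes
            next
        }
        in_histo { in_histo = 0 }   # first non-Port line ends the section
        END { if (!found) exit 2 }
    '
}

# Sample input: lines copied from the capinfos2 output on this page.
sample_output() {
cat <<'EOF'
TotalBytes : 336474
TotalPackets : 2583
Port Histogram:
Port:0 Pkt: 2583 Byte: 336474
Port:1 Pkt: 0 Byte: 0
Port:2 Pkt: 0 Byte: 0
Port:3 Pkt: 0 Byte: 0
Port:4 Pkt: 0 Byte: 0
Port:5 Pkt: 0 Byte: 0
Port:6 Pkt: 0 Byte: 0
Port:7 Pkt: 0 Byte: 0
Complete
EOF
}

# Offline demonstration on the sample; on a capture system the input would
# instead come from the stream_cat | capinfos2 pipeline shown above.
sample_output | ports_with_traffic
```

If the filter matches traffic on more than one port, one line is printed per port, which makes it easy to spot flows that arrive on an unexpected capture interface.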