GUE dissection support #510
Conversation
No interpretation of flags and other fields, they are not described in detail in the I-D yet. Do dissect the inner packet which is the most useful.
|
I've merged recent changes, this PR should apply cleanly against master now. |
| case 0: | ||
| gue_print_0(ndo, bp, len); | ||
| break; | ||
| default: |
There was a problem hiding this comment.
Would you like to add support for version 0x1?
There was a problem hiding this comment.
I'll need some dumps to do so, I don't have any so far which makes writing (and testing) that a little bit hard. Will update this PR once that (and the other changes) are done.
|
Regarding the port numbers, Section 5.6.2 of the Internet-Draft discusses a use of a magic number. That may be a more reliable means of telling the packets apart but the spec would need to have it as a normative statement rather than as a potential future approach. Maybe you would like to discuss this with the document authors as the root of the problem seems to be there. The magic number support in tcpdump should not be difficult per se. |
|
Regarding magic numbers, I'm told that's most likely going to get removed from the next draft version, so better not to add support for it. So what I'll do is add support for version 1 and squash the commits back into one. |
|
Sorry for the long delay on this :-( So magic numbers are going to get removed, I think it should be okay to not support those then? And for GUEv1, I've tried to get example dumps but no response so far. One may be able to generate them using a very recent Linux kernel, but I'd rather not do this myself, not being all that familiar with GUEv1 in particular.. |
|
Thank you for the update. It would make it easier to review further with the new code rebased on the current master branch. |
|
But of course, I was planning to do a merge but wanted to ask first how strongly you feel about the GUEv1 support. Merged now. Not all tests pass, but the failing ones are not GUE and are failing in the parent branch as well. :-( I'd squash this branch but I think Github can do that for you at merge time now? |
|
Some warnings here: https://travis-ci.org/the-tcpdump-group/tcpdump/jobs/165389888 |
|
Oops, yeah those didn't appear during my local build. :-/ Fixed and the current build at https://travis-ci.org/the-tcpdump-group/tcpdump/jobs/165633760 looks clean now. |
|
So is it okay to merge this one with just GUEv0, not v1? I've not been able to get dumps of GUEv1 traffic so far.. |
|
Could you rebase this on the current master branch? |
|
Sorry for the delay - I'll try to do this in a few days when I get back into the office. (Been out for a while.) |
|
Sure, take your time. |
|
You need to update |
|
Oh, thanks for the hint. I was still trying to update the range checking to use your ND_T(TEST|CHECK) macros as well but couldn't fully figure them out. :-( (CHECK vs TEST and also what to do for the check on length>=sizeof(struct ip)) |
|
@Wilm0r, if you wish to resume this work, please update this pull request within 14 days. Otherwise it will be closed. |
|
FYI, this is an expired Internet-Draft. |
|
Correct, there seem to be two versions now. I'll see whether I can get this PR back into decent shape, and how to deal with the versions/support both of them at all. Don't know which one's more common. I think the two protocols aren't really compatible nor are they detectable easily except maybe with heuristics. Would the usual tcpdump solution be to just name them separately, for example gue0 and gue1 ? |
Is it useful for an expired draft? |
Do you have specifications about these versions/variants? |
|
@Wilm0r, in case you don't have the motivation to follow the developments of this protocol design closely, it is OK not to implement it, and to get something else done instead. Often it is better not to have a particular protocol support at all than to have out of date code and the cost of its maintenance. |
|
Sorry for losing track of this again. I agree, I don't want to contribute code that is prone to rot. What I will try to do is figure out the status of GUEv0 vs v1 and see what is wise here. AFAIK (and I should add that at work I'm not actually that close to this project/development (anymore)) GUE is definitely used more widely including by some hardware so support would be useful, but I'll need to figure out which of the two versions. Feel free to close this PR if you've lost patience, I can reopen/open a new one if needed. I'll obviously need to deal with a pretty intense merge anyway. BTW, my main worry for this one is that GUE can be on ~any port#. (We use a privileged <1024 port instead of the IANA-reserved one ourselves.) When I wrote this patch, tcpdump didn't really support "use this port#" arguments for decoders (while Wireshark does have "reinterpret this stream as protocol X" for example), possibly this has changed? |
|
The traditional workaround to decode a protocol of interest on a non-standard UDP port would be along the lines of |
|
If in 14 days it is still not clear how to progress this matter in a constructive way, it will be better to close this request. |
|
For reference, a potential alternative way to apply dissectors to non-standard ports was discussed in #495. |
|
It is time. |
Hello,
Here's a patch adding support for GUE (Generic UDP Encapsulation) to tcpdump. The spec can be found at: https://tools.ietf.org/html/draft-ietf-nvo3-gue-02 (header format in 2.2).
This is fairly basic but will show dissection of inner IPv4/IPv6 packets assuming GUE is indeed configured on the officially allocated port 6080. Sadly this is not going to be a firm standard (for example one may want to use a privileged <1024 port instead for security reasons), so I wonder whether, for example, using getservbyname() instead of hardcoded port numbers would be acceptable? There's no prior art for this in your code yet from what I can tell which is why I haven't done this yet.
Kind regards,
Wilmer van der Gaast.