Tutorial: Spanning Tree Protocol (STP)
Introduction
This tutorial discusses the plugin stpDecode, which decodes the Spanning Tree Protocol. STP prevents layer 2 switching loops and unstable MAC tables by disabling redundant links per VLAN. The plugin supports STP/802.1D, the Cisco implementation PVST+, and RSTP(+). If you can monitor all the traffic, it is useful to have an aggregated look at the convergence of all bridges.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the core (tranalyzer2) and the following plugins:
t2build tranalyzer2 basicFlow protoStats stpDecode txtSink
...
BUILD SUCCESSFUL
If you have not yet created separate data and results directories, please do it now in another bash window; it facilitates your workflow:
mkdir ~/data ~/results
The sample PCAP used in this tutorial can be downloaded here: rpvstp-trunk-native-vid1.pcap.
Please save it in your ~/data folder.
Now you are all set for analyzing STP traffic!
stpDecode
This plugin was originally developed for troubleshooting purposes and has evolved somewhat since then. Note that you need to choose the location of your tap wisely, and you need to configure a monitor port on the switch; otherwise you will not see much.
Let’s look at the plugin configuration first:
vi src/stpDecode.h
...
/* ========================================================================== */
/* User configuration flags */
/* ========================================================================== */
#define STP_RTPREXT 1 // 1: Priority Extension MAC, 0: BID hex
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
Currently the only option is the presentation of the bridge ID (BID): either the human-readable split into priority, extension and MAC, or the full 64-bit BID as one hex number, which is sometimes easier for post-processing. Human readable is the default, which we will keep for now.
Run t2 on the supplied pcap (the same t2 command line as in the hex BID section further below):
================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 19001
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: protoStats, 0.8.14
    02: basicFlow, 0.8.14
    03: stpDecode, 0.8.14
    04: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/data/rpvstp-trunk-native-vid1.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1260959788.556919 sec (Wed 16 Dec 2009 10:36:28 GMT)
Dump stop : 1260959833.956173 sec (Wed 16 Dec 2009 10:37:13 GMT)
Total dump duration: 45.399254 sec
Finished processing. Elapsed time: 0.000832 sec
Finished unloading flow memory. Time: 0.000916 sec
Percentage completed: 100.00%
Number of processed packets: 81
Number of processed bytes: 5187 (5.19 K)
Number of raw bytes: 5187 (5.19 K)
Number of pad bytes: 168
Number of pcap bytes: 6507 (6.51 K)
Number of A packets: 81 [100.00%]
Number of A bytes: 5187 (5.19 K) [100.00%]
Average A packet load: 64.04
Average B packet load: 0.00
--------------------------------------------------------------------------------
stpDecode: Aggregated stpStat=0x01
stpDecode: Aggregated BPDU stpType=0x02
stpDecode: Aggregated BPDU stpFlags=0x3f
stpDecode: Number of STP packets: 72 [88.89%]
--------------------------------------------------------------------------------
Headers count: min: 2, max: 4, average: 3.23
Max VLAN header count: 1
Number of LLC packets: 76 [93.83%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 6
Number of processed A flows: 6 [100.00%]
Number of request flows: 6 [100.00%]
Total A/B flow asymmetry: 1.00
Total req/rply flow asymmetry: 1.00
Number of processed packets/flows: 13.50
Number of processed A packets/flows: 13.50
Number of processed total packets/s: 1.78
Number of processed A+B packets/s: 1.78
Number of processed A packets/s: 1.78
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 0.13
Average full raw bandwidth: 914 b/s
Average full bandwidth : 0 b/s
Max number of flows in memory: 6 [0.00%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0000000000000104
[INF] Layer 2 flows
[INF] VLAN encapsulation
72 STP packets are detected, and the aggregated stpStat currently has only one bit, which states that the flow contains STP.
The stpStat column with value 0x01 is to be interpreted as follows:
bit | stpStat | Description
=============================================================================
0 | 0x01 | Flow is STP
The aggregated BPDU types are as follows (note that stpType is NOT log2 aggregated, because the type values are unique hex codes rather than bits):
The stpType column with value 0x02 is to be interpreted as follows:
bit | stpType | Description
=============================================================================
2 | 0x02 | Rapid/Multiple Spanning Tree
The states the switches have already passed through are encoded in stpFlags:
tawk -V stpFlags=0x3f
The stpFlags column with value 0x3f is to be interpreted as follows:
bit | stpFlags | Description
=============================================================================
0 | 0x0001 | Topology Change
1 | 0x0002 | Proposal
2 | 0x0004 | Port RoleL
3 | 0x0008 | Port RoleH
4 | 0x0010 | Learning
5 | 0x0020 | Forwarding
All the status bits have their counterpart in the flow and packet files.
The pcap contains a variety of traffic that we need for other tutorials. Here we are interested in version 2 PvSTP; 89% of all packets are of this type. If you have a look at the protocol file, you will see all protocols present in the pcap.
tcol ~/results/rpvstp-trunk-native-vid1_protocols.txt
# Total packets: 81
# Total bytes: 5187 (5.19 K)
# L2/3 Protocol Packets Bytes Description
0x010b 48 [ 59.26%] 3168 [ 61.08%] Per-VLAN Spanning Tree Protocol (PvSTP)
0x2003 1 [ 1.23%] 99 [ 1.91%] VLAN Trunk Protocol (VTP)
0x2004 3 [ 3.70%] 180 [ 3.47%] Dynamic Trunk Protocol (DTP)
0x4242 24 [ 29.63%] 1440 [ 27.76%] PCS Basic Block Protocol (STP/RSTP/MSTP)
0x9000 5 [ 6.17%] 300 [ 5.78%] Loopback
# Total IPv4 packets: 0 [0.00%]
# Total IPv6 packets: 0 [0.00%]
# L4 Protocol Packets Bytes Description
# Total TCP packets: 0 [0.00%]
# Total TCP bytes: 0 [0.00%]
# Total UDP packets: 0 [0.00%]
# Total UDP bytes: 0 [0.00%]
Now let’s look at the flow file. The root path cost is 0, and the Root and Bridge MAC are the same, as the switch is the root bridge. The extensions represent the VLAN IDs 1 and 5. Flow 4 is encapsulated in VLAN 5.
tcol ~/results/rpvstp-trunk-native-vid1_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto stpStat stpVer stpType stpFlags stpRtCst stpRtPrio stpRtExt stpRtMAC stpBrdgPrio stpBrdgExt stpBrdgMAC stpFrwrd
A 6 0x0000000000000004 1260959795.561468 1260959795.561468 0.000000 1 3 eth:llc:vtp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cc 0x2003 - - "-" 0 - - "-" 0 0 0x00 0 0x00 0x00 0 0 0 00:00:00:00:00:00 0 0 00:00:00:00:00:00 0
A 1 0x0000000000000004 1260959788.556919 1260959820.557060 32.000141 1 3 eth:llc:dtp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cc 0x2004 - - "-" 0 - - "-" 0 0 0x00 0 0x00 0x00 0 0 0 00:00:00:00:00:00 0 0 00:00:00:00:00:00 0
A 5 0x0000000000000004 1260959790.601692 1260959830.623618 40.021926 1 2 eth:loop 00:1f:6d:96:ec:04 00:1f:6d:96:ec:04 0x9000 - - "-" 0 - - "-" 0 0 0x00 0 0x00 0x00 0 0 0 00:00:00:00:00:00 0 0 00:00:00:00:00:00 0
A 2 0x0000000000000004 1260959790.560860 1260959833.956010 43.395150 1 3 eth:llc:stp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cd 0x010b - - "-" 0 - - "-" 0 0 0x01 2 0x02 0x3f 0 32768 1 00:1f:6d:96:ec:00 32768 1 00:1f:6d:96:ec:00 15
A 3 0x0000000000000004 1260959790.560877 1260959833.956056 43.395179 1 3 eth:llc:stp 00:1f:6d:96:ec:04 01:80:c2:00:00:00 0x4242 - - "-" 0 - - "-" 0 0 0x01 2 0x02 0x3f 0 32768 1 00:1f:6d:96:ec:00 32768 1 00:1f:6d:96:ec:00 15
A 4 0x0000000000000104 1260959790.560957 1260959833.956173 43.395216 1 4 eth:vlan:llc:stp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cd 0x010b 5 - - "-" 0 - - "-" 0 0 0x01 2 0x02 0x3f 0 32768 5 00:1f:6d:96:ec:00 32768 5 00:1f:6d:96:ec:00 15
The packet file shows more details per packet, so that you can track your switches as they change their state. Here we also decode the PVST info:
tcol ~/results/rpvstp-trunk-native-vid1_packets.txt
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto stpStat stpProto stpVer stpType stpFlags stpRtCst stpRtPrio stpRtExt stpRtMAC stpBrdgPrio stpBrdgEst stpBrdgMAC stpPort stpMsgAge stpMaxAge stpHello stpFrwrd stpPvstOrigVlan l7Content
1 1 0x0000000000000004 1260959788.556919 0.000000 0.000000 0.000000 3 eth:llc:dtp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cc 0x2004 ....\ncisco..............\n..m..........
2 1 0x0000000000000004 1260959789.563537 1.006618 0.000000 1.006618 3 eth:llc:dtp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cc 0x2004 ....\ncisco..............\n..m..........
3 2 0x0000000000000004 1260959790.560860 0.000000 0.000000 0.000000 3 eth:llc:stp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cd 0x010b 0x01 0x0000 2 0x02 0x0e 0 32768 1 00:1f:6d:96:ec:00 32768 1 00:1f:6d:96:ec:00 0x8004 0 20 2 15 1 .........m...........m....................
4 3 0x0000000000000004 1260959790.560877 0.000000 0.000000 0.000000 3 eth:llc:stp 00:1f:6d:96:ec:04 01:80:c2:00:00:00 0x4242 0x01 0x0000 2 0x02 0x0e 0 32768 1 00:1f:6d:96:ec:00 32768 1 00:1f:6d:96:ec:00 0x8004 0 20 2 15 .........m...........m.....................
5 4 0x0000000000000104 1260959790.560957 0.000000 0.000000 0.000000 4 eth:vlan:llc:stp 5 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cd 0x010b 0x01 0x0000 2 0x02 0x0e 0 32768 5 00:1f:6d:96:ec:00 32768 5 00:1f:6d:96:ec:00 0x8004 0 20 2 15 5 .........m...........m....................
6 5 0x0000000000000004 1260959790.601692 0.000000 0.000000 0.000000 2 eth:loop 00:1f:6d:96:ec:04 00:1f:6d:96:ec:04 0x9000 ..............................................
7 2 0x0000000000000004 1260959791.557766 0.996906 0.000000 0.996906 3 eth:llc:stp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cd 0x010b 0x01 0x0000 2 0x02 0x0e 0 32768 1 00:1f:6d:96:ec:00 32768 1 00:1f:6d:96:ec:00 0x8004 0 20 2 15 1 .........m...........m....................
8 3 0x0000000000000004 1260959791.557783 0.996906 0.000000 0.996906 3 eth:llc:stp 00:1f:6d:96:ec:04 01:80:c2:00:00:00 0x4242 0x01 0x0000 2 0x02 0x0e 0 32768 1 00:1f:6d:96:ec:00 32768 1 00:1f:6d:96:ec:00 0x8004 0 20 2 15 .........m...........m.....................
9 4 0x0000000000000104 1260959791.557873 0.996916 0.000000 0.996916 4 eth:vlan:llc:stp 5 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cd 0x010b 0x01 0x0000 2 0x02 0x0e 0 32768 5 00:1f:6d:96:ec:00 32768 5 00:1f:6d:96:ec:00 0x8004 0 20 2 15 5 .........m...........m....................
...
30 2 0x0000000000000004 1260959805.650572 2.013267 0.000000 15.089712 3 eth:llc:stp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cd 0x010b 0x01 0x0000 2 0x02 0x1e 0 32768 1 00:1f:6d:96:ec:00 32768 1 00:1f:6d:96:ec:00 0x8004 0 20 2 15 1 .........m...........m....................
31 3 0x0000000000000004 1260959805.650591 2.013269 0.000000 15.089714 3 eth:llc:stp 00:1f:6d:96:ec:04 01:80:c2:00:00:00 0x4242 0x01 0x0000 2 0x02 0x1e 0 32768 1 00:1f:6d:96:ec:00 32768 1 00:1f:6d:96:ec:00 0x8004 0 20 2 15 .........m...........m.....................
32 4 0x0000000000000104 1260959805.650687 2.013257 0.000000 15.089730 4 eth:vlan:llc:stp 5 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cd 0x010b 0x01 0x0000 2 0x02 0x1e 0 32768 5 00:1f:6d:96:ec:00 32768 5 00:1f:6d:96:ec:00 0x8004 0 20 2 15 5 .........m...........m....................
33 2 0x0000000000000004 1260959807.663835 2.013263 0.000000 17.102976 3 eth:llc:stp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cd 0x010b 0x01 0x0000 2 0x02 0x1e 0 32768 1 00:1f:6d:96:ec:00 32768 1 00:1f:6d:96:ec:00 0x8004 0 20 2 15 1 .........m...........m....................
34 3 0x0000000000000004 1260959807.663853 2.013262 0.000000 17.102976 3 eth:llc:stp 00:1f:6d:96:ec:04 01:80:c2:00:00:00 0x4242 0x01 0x0000 2 0x02 0x1e 0 32768 1 00:1f:6d:96:ec:00 32768 1 00:1f:6d:96:ec:00 0x8004 0 20 2 15 .........m...........m.....................
35 4 0x0000000000000104 1260959807.663948 2.013261 0.000000 17.102991 4 eth:vlan:llc:stp 5 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cd 0x010b 0x01 0x0000 2 0x02 0x1e 0 32768 5 00:1f:6d:96:ec:00 32768 5 00:1f:6d:96:ec:00 0x8004 0 20 2 15 5 .........m...........m....................
36 2 0x0000000000000004 1260959809.677172 2.013337 0.000000 19.116312 3 eth:llc:stp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cd 0x010b 0x01 0x0000 2 0x02 0x1e 0 32768 1 00:1f:6d:96:ec:00 32768 1 00:1f:6d:96:ec:00 0x8004 0 20 2 15 1 .........m...........m....................
...
If you switch to the hex representation of the BID, you will see the BID as a 64-bit number.
t2conf stpDecode -D STP_RTPREXT=0 && t2build stpDecode
t2 -r ~/data/rpvstp-trunk-native-vid1.pcap -w ~/results/ -s
tcol ~/results/rpvstp-trunk-native-vid1_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto stpStat stpVer stpType stpFlags stpRtCst stpRtBID stpBrdgBID stpFrwrd
A 6 0x0000000000000004 1260959795.561468 1260959795.561468 0.000000 1 3 eth:llc:vtp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cc 0x2003 - - "-" 0 - - "-" 0 0 0x00 0 0x00 0x00 0 0x0000000000000000 0x0000000000000000 0
A 1 0x0000000000000004 1260959788.556919 1260959820.557060 32.000141 1 3 eth:llc:dtp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cc 0x2004 - - "-" 0 - - "-" 0 0 0x00 0 0x00 0x00 0 0x0000000000000000 0x0000000000000000 0
A 5 0x0000000000000004 1260959790.601692 1260959830.623618 40.021926 1 2 eth:loop 00:1f:6d:96:ec:04 00:1f:6d:96:ec:04 0x9000 - - "-" 0 - - "-" 0 0 0x00 0 0x00 0x00 0 0x0000000000000000 0x0000000000000000 0
A 2 0x0000000000000004 1260959790.560860 1260959833.956010 43.395150 1 3 eth:llc:stp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cd 0x010b - - "-" 0 - - "-" 0 0 0x01 2 0x02 0x3f 0 0x8001001f6d96ec00 0x8001001f6d96ec00 15
A 3 0x0000000000000004 1260959790.560877 1260959833.956056 43.395179 1 3 eth:llc:stp 00:1f:6d:96:ec:04 01:80:c2:00:00:00 0x4242 - - "-" 0 - - "-" 0 0 0x01 2 0x02 0x3f 0 0x8001001f6d96ec00 0x8001001f6d96ec00 15
A 4 0x0000000000000104 1260959790.560957 1260959833.956173 43.395216 1 4 eth:vlan:llc:stp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cd 0x010b 5 - - "-" 0 - - "-" 0 0 0x01 2 0x02 0x3f 0 0x8005001f6d96ec00 0x8005001f6d96ec00 15
Have a look at the packet file yourself as well.
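To post-process the hex BID output shown above together with the stpFlags bits from the earlier section, here is an added Python example (not code from the Tranalyzer project or the stpDecode plugin). It assumes the column order of the flow file above and works on a constructed, reduced copy of its rows:

```python
# Added example for this tutorial (not Tranalyzer or stpDecode code): split the
# 64-bit BID written with STP_RTPREXT=0 into priority / extension / MAC again,
# expand stpFlags into the names tawk -V lists, and mark root bridges.
STP_FLAG_BITS = [  # bit values as listed by "tawk -V stpFlags=0x3f"
    (0x0001, "Topology Change"), (0x0002, "Proposal"),
    (0x0004, "Port RoleL"), (0x0008, "Port RoleH"),
    (0x0010, "Learning"), (0x0020, "Forwarding"),
]
# stpDecode columns, in the order they end each line of the flow file
STP_COLUMNS = ["stpStat", "stpVer", "stpType", "stpFlags",
               "stpRtCst", "stpRtBID", "stpBrdgBID", "stpFrwrd"]
# Constructed sample: dir, flowInd and the trailing stpDecode columns of the
# tutorial's flow file; the columns in between are elided as "..."
SAMPLE_FLOWS = """\
%dir flowInd ... stpStat stpVer stpType stpFlags stpRtCst stpRtBID stpBrdgBID stpFrwrd
A 6 ... 0x00 0 0x00 0x00 0 0x0000000000000000 0x0000000000000000 0
A 2 ... 0x01 2 0x02 0x3f 0 0x8001001f6d96ec00 0x8001001f6d96ec00 15
A 4 ... 0x01 2 0x02 0x3f 0 0x8005001f6d96ec00 0x8005001f6d96ec00 15
"""

def decode_bid(bid):
    """64-bit BID -> (priority, extension, MAC): 4 bits priority in units of
    4096, 12 bits system ID extension (VLAN ID under PVST+), 48 bits MAC."""
    prio = ((bid >> 60) & 0xF) * 4096
    ext = (bid >> 48) & 0xFFF
    mac = ":".join(f"{(bid >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1))
    return prio, ext, mac

def decode_flags(flags):
    """stpFlags bit field -> names of the set flags, lowest bit first."""
    return [name for bit, name in STP_FLAG_BITS if flags & bit]

def parse_stp_flows(text):
    """One dict per STP flow; only the trailing stpDecode columns are read,
    so full txtSink lines work exactly like the reduced sample above."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("%"):
            continue  # empty line or column header
        stp = dict(zip(STP_COLUMNS, f[-len(STP_COLUMNS):]))
        if not int(stp["stpStat"], 16) & 0x01:
            continue  # stpStat bit 0 clear: VTP, DTP, loopback, ...
        rt, brdg = int(stp["stpRtBID"], 16), int(stp["stpBrdgBID"], 16)
        flows.append({
            "flowInd": int(f[1]),
            "root": decode_bid(rt), "bridge": decode_bid(brdg),
            "flags": decode_flags(int(stp["stpFlags"], 16)),
            # root of its VLAN: advertises itself as root at path cost 0
            "isRoot": rt == brdg and int(stp["stpRtCst"]) == 0,
        })
    return flows
```

Running parse_stp_flows on the real flows file (tcol output or the raw file) gives the same triples as the STP_RTPREXT=1 run, so both representations can be cross-checked.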
Conclusion
Don’t forget to reset the plugin configuration for the next tutorial.
t2conf stpDecode --reset && t2build stpDecode
Have fun analyzing!