Tutorial: Spanning Tree Protocol (STP)
Contents
This tutorial discusses the plugin stpDecode. It prevents layer 2 switching loops and unstable mac tables by disabling redundant links per VLAN. The plugin includes, STP/802.1D, the Cisco implementation PVST+, RSTP(+). It is useful to have an aggregated look at at the conversion of all bridges, if you can monitor all the traffic.
Preparation
Before we start we need to prepare T2. If you did not complete the tutorials before just follow the procedure described below.
First I recommend to set T2 into a pristine state by removing all unnecessary or older plugins from the default plugin folder ~/.tranalyzer/plugins. Just as a precaution if you have some old plugins or files there. If you like to keep them, please copy them away.
$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$Then compile the following plugins
$ t2build tranalyzer2 basicFlow protoStats stpDecode txtSink
...
BUILD SUCCESSFUL
$If you did not create a separate data and results directory yet, please do it now in another cmd window, it facilitates your workflow:
$ mkdir ~/data ~/results
$Download the sample pcap here: rpvstp-trunk-native-vid1.pcap. Now you’re all set.
stpDecode
This plugin was originally developed for troubleshooting purposes and evolved in the last time a bit. Note that you need to choose the location of your tap wisely, and you need to program a monitor port, otherwise you do not see much.
Let’s look at the plugin configuration first:
$ stpDecode
$ vi src/stpDecode.h...
/* ========================================================================== */
/* User configuration flags */
/* ========================================================================== */
#define STP_RTPREXT 1 // 1: Priority Extension MAC, 0: BID hex
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...Currently you can only choose between the presentation of the bridge ID. Sometimes it is easier for post-processing to print just the full 64 bit BID. Human readable is default, which we will keep for now.
Run t2 on the supplied pcap.
$ t2 -r ~/data/rpvstp-trunk-native-vid1.pcap -w ~/results/ -s================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 19001
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
01: protoStats, 0.8.14
02: basicFlow, 0.8.14
03: stpDecode, 0.8.14
04: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/data/rpvstp-trunk-native-vid1.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1260959788.556919 sec (Wed 16 Dec 2009 10:36:28 GMT)
Dump stop : 1260959833.956173 sec (Wed 16 Dec 2009 10:37:13 GMT)
Total dump duration: 45.399254 sec
Finished processing. Elapsed time: 0.000832 sec
Finished unloading flow memory. Time: 0.000916 sec
Percentage completed: 100.00%
Number of processed packets: 81
Number of processed bytes: 5187 (5.19 K)
Number of raw bytes: 5187 (5.19 K)
Number of pad bytes: 168
Number of pcap bytes: 6507 (6.51 K)
Number of A packets: 81 [100.00%]
Number of A bytes: 5187 (5.19 K) [100.00%]
Average A packet load: 64.04
Average B packet load: 0.00
--------------------------------------------------------------------------------
stpDecode: Aggregated stpStat=0x01
stpDecode: Aggregated BPDU stpType=0x02
stpDecode: Aggregated BPDU stpFlags=0x3f
stpDecode: Number of STP packets: 72 [88.89%]
--------------------------------------------------------------------------------
Headers count: min: 2, max: 4, average: 3.23
Max VLAN header count: 1
Number of LLC packets: 76 [93.83%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 6
Number of processed A flows: 6 [100.00%]
Number of request flows: 6 [100.00%]
Total A/B flow asymmetry: 1.00
Total req/rply flow asymmetry: 1.00
Number of processed packets/flows: 13.50
Number of processed A packets/flows: 13.50
Number of processed total packets/s: 1.78
Number of processed A+B packets/s: 1.78
Number of processed A packets/s: 1.78
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 0.13
Average full raw bandwidth: 914 b/s
Average full bandwidth : 0 b/s
Max number of flows in memory: 6 [0.00%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0000000000000104
[INF] Layer 2 flows
[INF] VLAN encapsulation
$
$72 STP packets are detected and the aggregated stpStat currently has only one bit which states, there is STP.
$ tawk -V stpStat=0x01The stpStat column with value 0x01 is to be interpreted as follows:
bit | stpStat | Description
=============================================================================
0 | 0x01 | Flow is STPThe aggregated BPDU types are: (Note stpTypes is NOT LOG2 aggregated, as the Types code unique hex values)
tawk -V stpTypes=0x02The stpTypes column with value 0x02 is to be interpreted as follows:
bit | stpTypes | Description
=============================================================================
2 | 0x02 | Rapid/Multiple Spanning TreeThe states which the switches passed already are
tawk -V stpFlags=0x3fThe stpFlags column with value 0x3f is to be interpreted as follows:
bit | stpFlags | Description
=============================================================================
0 | 0x0001 | Topology Change
1 | 0x0002 | Proposal
2 | 0x0004 | Port RoleL
3 | 0x0008 | Port RoleH
4 | 0x0010 | Learning
5 | 0x0020 | ForwardingAll the status bits have their counter part in the flow and packet files.
In the pcap we have a variety of traffic we need for other tutorials. Here we are interested in version 2 PvSTP. We have 89% of all packets are of this type. If you have a look at the protocol file, you will see all protocols present in the pcap.
$ tcol rpvstp-trunk-native-vid1_protocols.txt# Total packets: 81
# Total bytes: 5187 (5.19 K)
# L2/3 Protocol Packets Bytes Description
0x010b 48 [ 59.26%] 3168 [ 61.08%] Per-VLAN Spanning Tree Protocol (PvSTP)
0x2003 1 [ 1.23%] 99 [ 1.91%] VLAN Trunk Protocol (VTP)
0x2004 3 [ 3.70%] 180 [ 3.47%] Dynamic Trunk Protocol (DTP)
0x4242 24 [ 29.63%] 1440 [ 27.76%] PCS Basic Block Protocol (STP/RSTP/MSTP)
0x9000 5 [ 6.17%] 300 [ 5.78%] Loopback
# Total IPv4 packets: 0 [0.00%]
# Total IPv6 packets: 0 [0.00%]
# L4 Protocol Packets Bytes Description
# Total TCP packets: 0 [0.00%]
# Total TCP bytes: 0 [0.00%]
# Total UDP packets: 0 [0.00%]
# Total UDP bytes: 0 [0.00%]
$Now let’s look at the flow file. The costs are 0, the Root and Bridge MAC are the same as the switch is the root bridge. The extensions represent the VLAN ID 1 and 5. Flow 4 is encapsulated in VLAN 5.
$ cd ~/results
$ tcol rpvstp-trunk-native-vid1_flows.txt%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto stpStat stpVer stpType stpFlags stpRtCst stpRtPrio stpRtExt stpRtMAC stpBrdgPrio stpBrdgExt stpBrdgMAC stpFrwrd
A 6 0x0000000000000004 1260959795.561468 1260959795.561468 0.000000 1 3 eth:llc:vtp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cc 0x2003 - - "-" 0 - - "-" 0 0 0x00 0 0x00 0x00 0 0 0 00:00:00:00:00:00 0 0 00:00:00:00:00:00 0
A 1 0x0000000000000004 1260959788.556919 1260959820.557060 32.000141 1 3 eth:llc:dtp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cc 0x2004 - - "-" 0 - - "-" 0 0 0x00 0 0x00 0x00 0 0 0 00:00:00:00:00:00 0 0 00:00:00:00:00:00 0
A 5 0x0000000000000004 1260959790.601692 1260959830.623618 40.021926 1 2 eth:loop 00:1f:6d:96:ec:04 00:1f:6d:96:ec:04 0x9000 - - "-" 0 - - "-" 0 0 0x00 0 0x00 0x00 0 0 0 00:00:00:00:00:00 0 0 00:00:00:00:00:00 0
A 2 0x0000000000000004 1260959790.560860 1260959833.956010 43.395150 1 3 eth:llc:stp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cd 0x010b - - "-" 0 - - "-" 0 0 0x01 2 0x02 0x3f 0 32768 1 00:1f:6d:96:ec:00 32768 1 00:1f:6d:96:ec:00 15
A 3 0x0000000000000004 1260959790.560877 1260959833.956056 43.395179 1 3 eth:llc:stp 00:1f:6d:96:ec:04 01:80:c2:00:00:00 0x4242 - - "-" 0 - - "-" 0 0 0x01 2 0x02 0x3f 0 32768 1 00:1f:6d:96:ec:00 32768 1 00:1f:6d:96:ec:00 15
A 4 0x0000000000000104 1260959790.560957 1260959833.956173 43.395216 1 4 eth:vlan:llc:stp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cd 0x010b 5 - - "-" 0 - - "-" 0 0 0x01 2 0x02 0x3f 0 32768 5 00:1f:6d:96:ec:00 32768 5 00:1f:6d:96:ec:00 15The packet file shows more details per packet, so that you can track your switches as the change their state. Here we also decode the PVST info
$ tcol rpvstp-trunk-native-vid1_packets.txt%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto stpStat stpProto stpVer stpType stpFlags stpRtCst stpRtPrio stpRtExt stpRtMAC stpBrdgPrio stpBrdgEst stpBrdgMAC stpPort stpMsgAge stpMaxAge stpHello stpFrwrd stpPvstOrigVlan l7Content
1 1 0x0000000000000004 1260959788.556919 0.000000 0.000000 0.000000 3 eth:llc:dtp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cc 0x2004 ....\ncisco..............\n..m..........
2 1 0x0000000000000004 1260959789.563537 1.006618 0.000000 1.006618 3 eth:llc:dtp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cc 0x2004 ....\ncisco..............\n..m..........
3 2 0x0000000000000004 1260959790.560860 0.000000 0.000000 0.000000 3 eth:llc:stp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cd 0x010b 0x01 0x0000 2 0x02 0x0e 0 32768 1 00:1f:6d:96:ec:00 32768 1 00:1f:6d:96:ec:00 0x8004 0 20 2 15 1 .........m...........m....................
4 3 0x0000000000000004 1260959790.560877 0.000000 0.000000 0.000000 3 eth:llc:stp 00:1f:6d:96:ec:04 01:80:c2:00:00:00 0x4242 0x01 0x0000 2 0x02 0x0e 0 32768 1 00:1f:6d:96:ec:00 32768 1 00:1f:6d:96:ec:00 0x8004 0 20 2 15 .........m...........m.....................
5 4 0x0000000000000104 1260959790.560957 0.000000 0.000000 0.000000 4 eth:vlan:llc:stp 5 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cd 0x010b 0x01 0x0000 2 0x02 0x0e 0 32768 5 00:1f:6d:96:ec:00 32768 5 00:1f:6d:96:ec:00 0x8004 0 20 2 15 5 .........m...........m....................
6 5 0x0000000000000004 1260959790.601692 0.000000 0.000000 0.000000 2 eth:loop 00:1f:6d:96:ec:04 00:1f:6d:96:ec:04 0x9000 ..............................................
7 2 0x0000000000000004 1260959791.557766 0.996906 0.000000 0.996906 3 eth:llc:stp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cd 0x010b 0x01 0x0000 2 0x02 0x0e 0 32768 1 00:1f:6d:96:ec:00 32768 1 00:1f:6d:96:ec:00 0x8004 0 20 2 15 1 .........m...........m....................
8 3 0x0000000000000004 1260959791.557783 0.996906 0.000000 0.996906 3 eth:llc:stp 00:1f:6d:96:ec:04 01:80:c2:00:00:00 0x4242 0x01 0x0000 2 0x02 0x0e 0 32768 1 00:1f:6d:96:ec:00 32768 1 00:1f:6d:96:ec:00 0x8004 0 20 2 15 .........m...........m.....................
9 4 0x0000000000000104 1260959791.557873 0.996916 0.000000 0.996916 4 eth:vlan:llc:stp 5 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cd 0x010b 0x01 0x0000 2 0x02 0x0e 0 32768 5 00:1f:6d:96:ec:00 32768 5 00:1f:6d:96:ec:00 0x8004 0 20 2 15 5 .........m...........m....................
...
30 2 0x0000000000000004 1260959805.650572 2.013267 0.000000 15.089712 3 eth:llc:stp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cd 0x010b 0x01 0x0000 2 0x02 0x1e 0 32768 1 00:1f:6d:96:ec:00 32768 1 00:1f:6d:96:ec:00 0x8004 0 20 2 15 1 .........m...........m....................
31 3 0x0000000000000004 1260959805.650591 2.013269 0.000000 15.089714 3 eth:llc:stp 00:1f:6d:96:ec:04 01:80:c2:00:00:00 0x4242 0x01 0x0000 2 0x02 0x1e 0 32768 1 00:1f:6d:96:ec:00 32768 1 00:1f:6d:96:ec:00 0x8004 0 20 2 15 .........m...........m.....................
32 4 0x0000000000000104 1260959805.650687 2.013257 0.000000 15.089730 4 eth:vlan:llc:stp 5 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cd 0x010b 0x01 0x0000 2 0x02 0x1e 0 32768 5 00:1f:6d:96:ec:00 32768 5 00:1f:6d:96:ec:00 0x8004 0 20 2 15 5 .........m...........m....................
33 2 0x0000000000000004 1260959807.663835 2.013263 0.000000 17.102976 3 eth:llc:stp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cd 0x010b 0x01 0x0000 2 0x02 0x1e 0 32768 1 00:1f:6d:96:ec:00 32768 1 00:1f:6d:96:ec:00 0x8004 0 20 2 15 1 .........m...........m....................
34 3 0x0000000000000004 1260959807.663853 2.013262 0.000000 17.102976 3 eth:llc:stp 00:1f:6d:96:ec:04 01:80:c2:00:00:00 0x4242 0x01 0x0000 2 0x02 0x1e 0 32768 1 00:1f:6d:96:ec:00 32768 1 00:1f:6d:96:ec:00 0x8004 0 20 2 15 .........m...........m.....................
35 4 0x0000000000000104 1260959807.663948 2.013261 0.000000 17.102991 4 eth:vlan:llc:stp 5 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cd 0x010b 0x01 0x0000 2 0x02 0x1e 0 32768 5 00:1f:6d:96:ec:00 32768 5 00:1f:6d:96:ec:00 0x8004 0 20 2 15 5 .........m...........m....................
36 2 0x0000000000000004 1260959809.677172 2.013337 0.000000 19.116312 3 eth:llc:stp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cd 0x010b 0x01 0x0000 2 0x02 0x1e 0 32768 1 00:1f:6d:96:ec:00 32768 1 00:1f:6d:96:ec:00 0x8004 0 20 2 15 1 .........m...........m....................
...If you switch to the hex representation of the BID, you will see the BID as a 64-bit number.
$ t2conf stpDecode -D STP_RTPREXT=0 && t2build stpDecode
...
$ t2 -r ~/data/rpvstp-trunk-native-vid1.pcap -w ~/results/ -s
...
$ tcol rpvstp-trunk-native-vid1_flows.txt%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto stpStat stpVer stpType stpFlags stpRtCst stpRtBID stpBrdgBID stpFrwrd
A 6 0x0000000000000004 1260959795.561468 1260959795.561468 0.000000 1 3 eth:llc:vtp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cc 0x2003 - - "-" 0 - - "-" 0 0 0x00 0 0x00 0x00 0 0x0000000000000000 0x0000000000000000 0
A 1 0x0000000000000004 1260959788.556919 1260959820.557060 32.000141 1 3 eth:llc:dtp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cc 0x2004 - - "-" 0 - - "-" 0 0 0x00 0 0x00 0x00 0 0x0000000000000000 0x0000000000000000 0
A 5 0x0000000000000004 1260959790.601692 1260959830.623618 40.021926 1 2 eth:loop 00:1f:6d:96:ec:04 00:1f:6d:96:ec:04 0x9000 - - "-" 0 - - "-" 0 0 0x00 0 0x00 0x00 0 0x0000000000000000 0x0000000000000000 0
A 2 0x0000000000000004 1260959790.560860 1260959833.956010 43.395150 1 3 eth:llc:stp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cd 0x010b - - "-" 0 - - "-" 0 0 0x01 2 0x02 0x3f 0 0x8001001f6d96ec00 0x8001001f6d96ec00 15
A 3 0x0000000000000004 1260959790.560877 1260959833.956056 43.395179 1 3 eth:llc:stp 00:1f:6d:96:ec:04 01:80:c2:00:00:00 0x4242 - - "-" 0 - - "-" 0 0 0x01 2 0x02 0x3f 0 0x8001001f6d96ec00 0x8001001f6d96ec00 15
A 4 0x0000000000000104 1260959790.560957 1260959833.956173 43.395216 1 4 eth:vlan:llc:stp 00:1f:6d:96:ec:04 01:00:0c:cc:cc:cd 0x010b 5 - - "-" 0 - - "-" 0 0 0x01 2 0x02 0x3f 0 0x8005001f6d96ec00 0x8005001f6d96ec00 15Look also in the packet file yourself.
Don’t forget to reset the plugin configuration for the next tutorial.
$ t2conf stpDecode --reset && t2build stpDecode
...
$Have fun analyzing.