VRRP: Virtual Router Redundancy Protocol
Introduction
This tutorial discusses the plugin vrrpDecode.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the core (tranalyzer2) and the following plugins:
t2build tranalyzer2 basicFlow vrrpDecode txtSink
...
BUILD SUCCESSFUL
If you did not create separate data and results directories yet, please do it now in another bash window; it facilitates your workflow:
mkdir ~/data ~/results
The sample PCAP used in this tutorial can be downloaded here: vrrp.pcap.
Please save it in your ~/data folder.
Now you are all set for analyzing VRRP traffic!
vrrpDecode
Let’s look at the plugin configuration first:
vrrpDecode
vi src/vrrpDecode.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define VRRP_NUM_VRID 5 // number of unique virtual router ID to store
#define VRRP_NUM_IP 25 // number of unique IPs to store
#define VRRP_RT 1 // output routing tables
/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */
#define VRRP_SUFFIX "_vrrp.txt" // Suffix for output file (require VRRP_RT=1)
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
You may reconfigure that with t2conf or just edit the file. We leave it at the default value for this tutorial. Now run t2 on the vrrp.pcap.
t2 -r ~/data/vrrp.pcap -w ~/results
See the vrrpStat details below. The vrrpStat column is a bitfield; the value 0x0201 that appears in some of the flows below is to be interpreted as follows:
bit | vrrpStat | Description
=============================================================================
0   | 0x0001   | Flow is VRRP
9   | 0x0200   | IP list truncated... increase VRRP_NUM_IP
tcol ~/results/vrrp_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType vlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto vrrpStat vrrpVer vrrpType vrrpVRIDCnt vrrpVRID vrrpMinPri vrrpMaxPri vrrpMinAdvInt vrrpMaxAdvInt vrrpAuthType vrrpAuth vrrpIPCnt vrrpIP
A 1 0x0400100000004000 1394056506.745865000 1394056529.078313000 22.332448000 1 3 eth:ipv4:vrrp 00:00:5e:00:01:2a;00:00:5e:00:01:2b;00:00:5e:00:01:2c 01:00:5e:00:00:12 0x0800 10.0.0.91 04 "Private network" 0 224.0.0.18 10 "VRRP" 0 112 0x0001 0x0c 0x01 3 42;43;44 191 191 10 10 0x03 abcdefgh 6 10.4.42.1;10.4.42.2;10.4.42.3;10.4.43.150;10.4.44.100;10.4.44.200
A 2 0x0800000000008000 1394056519.064377000 1394056539.071010000 20.006633000 1 3 eth:ipv6:vrrp 00:00:5e:00:02:2d;00:00:5e:00:02:2e 33:33:00:00:00:12 0x86dd fe80::d6ca:6dff:fe66:cf60 02 "Link-local" 0 ff02::12 10 "VRRP" 0 112 0x0001 0x08 0x01 2 45;46 191 191 10 10 0x00 21 fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d
A 3 0x0400100000004000 1394056534.773565000 1394056557.042694000 22.269129000 1 3 eth:ipv4:vrrp 00:00:5e:00:01:2a;00:00:5e:00:01:2b;00:00:5e:00:01:2c 01:00:5e:00:00:12 0x0800 10.0.0.92 04 "Private network" 0 224.0.0.18 10 "VRRP" 0 112 0x0001 0x0c 0x01 3 42;43;44 192 192 10 10 0x03 abcdefgh 6 10.4.42.1;10.4.42.2;10.4.42.3;10.4.43.150;10.4.44.100;10.4.44.200
A 4 0x0800000000008000 1394056547.047012000 1394056567.047062000 20.000050000 1 3 eth:ipv6:vrrp 00:00:5e:00:02:2e;00:00:5e:00:02:2d 33:33:00:00:00:12 0x86dd fe80::d6ca:6dff:fe72:b1da 02 "Link-local" 0 ff02::12 10 "VRRP" 0 112 0x0001 0x08 0x01 2 46;45 192 192 10 10 0x00 21 fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a
A 5 0x0400100000004000 1394056564.643506000 1394056596.859795000 32.216289000 1 3 eth:ipv4:vrrp 00:00:5e:00:01:2a;00:00:5e:00:01:2b;00:00:5e:00:01:2c 01:00:5e:00:00:12 0x0800 10.0.0.93 04 "Private network" 0 224.0.0.18 10 "VRRP" 0 112 0x0001 0x0c 0x01 3 42;43;44 193 193 10 10 0x03 abcdefgh 6 10.4.42.1;10.4.42.2;10.4.42.3;10.4.43.150;10.4.44.100;10.4.44.200
A 6 0x0800000000008000 1394056576.860142000 1394056606.860627000 30.000485000 1 3 eth:ipv6:vrrp 00:00:5e:00:02:2e;00:00:5e:00:02:2d 33:33:00:00:00:12 0x86dd fe80::d6ca:6dff:fe66:cf65 02 "Link-local" 0 ff02::12 10 "VRRP" 0 112 0x0201 0x08 0x01 2 46;45 193 193 10 10 0x00 25 fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c
A 7 0x0400100000004000 1394056601.365005000 1394056643.563280000 42.198275000 1 3 eth:ipv4:vrrp 00:00:5e:00:01:2a;00:00:5e:00:01:2b;00:00:5e:00:01:2c 01:00:5e:00:00:12 0x0800 10.0.0.94 04 "Private network" 0 224.0.0.18 10 "VRRP" 0 112 0x0001 0x0c 0x01 3 42;43;44 194 194 10 10 0x03 abcdefgh 6 10.4.42.1;10.4.42.2;10.4.42.3;10.4.43.150;10.4.44.100;10.4.44.200
A 8 0x0800000000008000 1394056613.568732000 1394056653.588127000 40.019395000 1 3 eth:ipv6:vrrp 00:00:5e:00:02:2d;00:00:5e:00:02:2e 33:33:00:00:00:12 0x86dd fe80::d6ca:6dff:fe65:d45c 02 "Link-local" 0 ff02::12 10 "VRRP" 0 112 0x0201 0x08 0x01 2 45;46 194 194 10 10 0x00 25 fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a
A 9 0x0400100000004000 1394056650.198637000 1394056682.367084000 32.168447000 1 3 eth:ipv4:vrrp 00:00:5e:00:01:2a;00:00:5e:00:01:2b;00:00:5e:00:01:2c 01:00:5e:00:00:12 0x0800 10.0.0.95 04 "Private network" 0 224.0.0.18 10 "VRRP" 0 112 0x0001 0x0c 0x01 3 42;43;44 195 195 10 10 0x03 abcdefgh 6 10.4.42.1;10.4.42.2;10.4.42.3;10.4.43.150;10.4.44.100;10.4.44.200
A 10 0x0800000000008000 1394056662.367760000 1394056692.374697000 30.006937000 1 3 eth:ipv6:vrrp 00:00:5e:00:02:2d;00:00:5e:00:02:2e 33:33:00:00:00:12 0x86dd fe80::d6ca:6dff:fe65:d46b 02 "Link-local" 0 ff02::12 10 "VRRP" 0 112 0x0201 0x08 0x01 2 45;46 195 195 10 10 0x00 25 fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a
A 11 0x0400100000004000 1394056684.461974000 1394056726.596106000 42.134132000 1 3 eth:ipv4:vrrp 00:00:5e:00:01:2a;00:00:5e:00:01:2b;00:00:5e:00:01:2c 01:00:5e:00:00:12 0x0800 10.0.0.96 04 "Private network" 0 224.0.0.18 10 "VRRP" 0 112 0x0001 0x0c 0x01 3 42;43;44 196 196 10 10 0x03 abcdefgh 6 10.4.42.1;10.4.42.2;10.4.42.3;10.4.43.150;10.4.44.100;10.4.44.200
A 12 0x0800000000008000 1394056696.590792000 1394056736.604316000 40.013524000 1 3 eth:ipv6:vrrp 00:00:5e:00:02:2d;00:00:5e:00:02:2e 33:33:00:00:00:12 0x86dd fe80::d6ca:6dff:fe72:b1e4 02 "Link-local" 0 ff02::12 10 "VRRP" 0 112 0x0201 0x08 0x01 2 45;46 196 196 10 10 0x00 25 fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a
A 14 0x0800000000008000 1394056742.020356000 1394056812.033752000 70.013396000 1 3 eth:ipv6:vrrp 00:00:5e:00:02:2d;00:00:5e:00:02:2e 33:33:00:00:00:12 0x86dd fe80::20c:42ff:fe5e:c2dc 02 "Link-local" 0 ff02::12 10 "VRRP" 0 112 0x0201 0x08 0x01 2 45;46 197 197 10 10 0x00 25 fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a
A 13 0x0400100000004000 1394056729.932515000 1394056820.011328000 90.078813000 1 3 eth:ipv4:vrrp 00:00:5e:00:01:2a;00:00:5e:00:01:2b;00:00:5e:00:01:2c 01:00:5e:00:00:12 0x0800 10.0.0.97 04 "Private network" 0 224.0.0.18 10 "VRRP" 0 112 0x0001 0x0c 0x01 3 42;43;44 197 197 10 10 0x03 abcdefgh 6 10.4.42.1;10.4.42.2;10.4.42.3;10.4.43.150;10.4.44.100;10.4.44.200
tcol ~/results/vrrp_packets.txt
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc vlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto l7Content
1 1 0x0400000000004000 1394056506.745865000 0.000000000 0.000000000 0.000000000 3 eth:ipv4:vrrp 00:00:5e:00:01:2a 01:00:5e:00:00:12 0x0800 10.0.0.91 04 Private network 224.0.0.18 10 VRRP 112 \n.*.\n.*.\n.*.abcdefgh
2 1 0x0400000000004000 1394056506.749784000 0.003919000 0.000000000 0.003919000 3 eth:ipv4:vrrp 00:00:5e:00:01:2b 01:00:5e:00:00:12 0x0800 10.0.0.91 04 Private network 224.0.0.18 10 VRRP 112 \n.+.........
3 1 0x0400100000004000 1394056509.074730000 2.324946000 0.000000000 2.328865000 3 eth:ipv4:vrrp 00:00:5e:00:01:2c 01:00:5e:00:00:12 0x0800 10.0.0.91 04 Private network 224.0.0.18 10 VRRP 112 \n.,d\n.,.
4 1 0x0400100000004000 1394056516.753372000 7.678642000 0.000000000 10.007507000 3 eth:ipv4:vrrp 00:00:5e:00:01:2a 01:00:5e:00:00:12 0x0800 10.0.0.91 04 Private network 224.0.0.18 10 VRRP 112 \n.*.\n.*.\n.*.abcdefgh
5 1 0x0400100000004000 1394056516.753436000 0.000064000 0.000000000 10.007571000 3 eth:ipv4:vrrp 00:00:5e:00:01:2b 01:00:5e:00:00:12 0x0800 10.0.0.91 04 Private network 224.0.0.18 10 VRRP 112 \n.+.........
6 2 0x0800000000008000 1394056519.064377000 0.000000000 0.000000000 0.000000000 3 eth:ipv6:vrrp 00:00:5e:00:02:2d 33:33:00:00:00:12 0x86dd fe80::d6ca:6dff:fe66:cf60 02 Link-local ff02::12 10 VRRP 112 ..........^....- ..............\n
7 2 0x0800000000008000 1394056519.064509000 0.000132000 0.000000000 0.000132000 3 eth:ipv6:vrrp 00:00:5e:00:02:2e 33:33:00:00:00:12 0x86dd fe80::d6ca:6dff:fe66:cf60 02 Link-local ff02::12 10 VRRP 112 ..........^..... ..............\n ............... ..............\f ..............\r
8 1 0x0400100000004000 1394056519.074681000 2.321245000 0.000000000 12.328816000 3 eth:ipv4:vrrp 00:00:5e:00:01:2c 01:00:5e:00:00:12 0x0800 10.0.0.91 04 Private network 224.0.0.18 10 VRRP 112 \n.,d\n.,.
9 1 0x0400100000004000 1394056526.751857000 7.677176000 0.000000000 20.005992000 3 eth:ipv4:vrrp 00:00:5e:00:01:2a 01:00:5e:00:00:12 0x0800 10.0.0.91 04 Private network 224.0.0.18 10 VRRP 112 \n.*.\n.*.\n.*.abcdefgh
10 1 0x0400100000004000 1394056526.751923000 0.000066000 0.000000000 20.006058000 3 eth:ipv4:vrrp 00:00:5e:00:01:2b 01:00:5e:00:00:12 0x0800 10.0.0.91 04 Private network 224.0.0.18 10 VRRP 112 \n.+.........
11 2 0x0800000000008000 1394056529.068063000 10.003554000 0.000000000 10.003686000 3 eth:ipv6:vrrp 00:00:5e:00:02:2e 33:33:00:00:00:12 0x86dd fe80::d6ca:6dff:fe66:cf60 02 Link-local ff02::12 10 VRRP 112 ..........^..... ..............\n ............... ..............\f ..............\r
12 2 0x0800000000008000 1394056529.068132000 0.000069000 0.000000000 10.003755000 3 eth:ipv6:vrrp 00:00:5e:00:02:2d 33:33:00:00:00:12 0x86dd fe80::d6ca:6dff:fe66:cf60 02 Link-local ff02::12 10 VRRP 112 ..........^....- ..............\n
13 1 0x0400100000004000 1394056529.078313000 2.326390000 0.000000000 22.332448000 3 eth:ipv4:vrrp 00:00:5e:00:01:2c 01:00:5e:00:00:12 0x0800 10.0.0.91 04 Private network 224.0.0.18 10 VRRP 112 \n.,d\n.,.
14 3 0x0400000000004000 1394056534.773565000 0.000000000 0.000000000 0.000000000 3 eth:ipv4:vrrp 00:00:5e:00:01:2a 01:00:5e:00:00:12 0x0800 10.0.0.92 04 Private network 224.0.0.18 10 VRRP 112 \n.*.\n.*.\n.*.abcdefgh
15 3 0x0400000000004000 1394056534.783698000 0.010133000 0.000000000 0.010133000 3 eth:ipv4:vrrp 00:00:5e:00:01:2b 01:00:5e:00:00:12 0x0800 10.0.0.92 04 Private network 224.0.0.18 10 VRRP 112 \n.+.........
16 3 0x0400100000004000 1394056537.044216000 2.260518000 0.000000000 2.270651000 3 eth:ipv4:vrrp 00:00:5e:00:01:2c 01:00:5e:00:00:12 0x0800 10.0.0.92 04 Private network 224.0.0.18 10 VRRP 112 \n.,d\n.,.
17 2 0x0800000000008000 1394056539.070934000 10.002802000 0.000000000 20.006557000 3 eth:ipv6:vrrp 00:00:5e:00:02:2d 33:33:00:00:00:12 0x86dd fe80::d6ca:6dff:fe66:cf60 02 Link-local ff02::12 10 VRRP 112 ..........^....- ..............\n
18 2 0x0800000000008000 1394056539.071010000 0.000076000 0.000000000 20.006633000 3 eth:ipv6:vrrp 00:00:5e:00:02:2e 33:33:00:00:00:12 0x86dd fe80::d6ca:6dff:fe66:cf60 02 Link-local ff02::12 10 VRRP 112 ..........^..... ..............\n ............... ..............\f ..............\r
19 3 0x0400100000004000 1394056544.778957000 7.734741000 0.000000000 10.005392000 3 eth:ipv4:vrrp 00:00:5e:00:01:2a 01:00:5e:00:00:12 0x0800 10.0.0.92 04 Private network 224.0.0.18 10 VRRP 112 \n.*.\n.*.\n.*.abcdefgh
...
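As an added example (not Tranalyzer code and not the vrrpDecode implementation), the Python below parses VRRPv2 and VRRPv3 advertisements from constructed payloads and aggregates them per flow into columns named after the vrrpDecode ones, including a VRRP_NUM_IP limit that sets the 0x0200 "IP list truncated" bit once exceeded. It also rejects truncated messages instead of reading past the buffer. Assumptions: vrrpVer and vrrpAuthType are read as bitmasks with bit n set when value n was seen (this matches the 0x0c, 0x08 and 0x03 values above but is this example's convention, as are the unique VRID and IP lists); the VRRPv3 checksum, which covers an IP pseudo-header, is not verified. The sample packets reuse the VRIDs, addresses and password visible in the tutorial output.

```python
"""Constructed example: decode VRRPv2/v3 advertisements and summarize a flow."""
import ipaddress
import struct

VRRP_NUM_IP = 25             # same default as the plugin's VRRP_NUM_IP
VRRP_STAT_VRRP = 0x0001      # bit 0: flow is VRRP
VRRP_STAT_IP_TRUNC = 0x0200  # bit 9: IP list truncated


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum. VRRPv2 covers the message only; v3 also covers an IP
    pseudo-header, which this example does not model."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_vrrp(payload: bytes, ip_version: int) -> dict:
    """Decode one VRRP message carried over IPv4 (4) or IPv6 (6).
    Raises ValueError on truncated or inconsistent messages."""
    if len(payload) < 8:
        raise ValueError("VRRP header truncated")
    ver_type, vrid, prio, count = struct.unpack("!BBBB", payload[:4])
    version, msg_type = ver_type >> 4, ver_type & 0x0F
    if version == 2:                       # RFC 3768 layout
        if ip_version != 4:
            raise ValueError("VRRPv2 only runs over IPv4")
        auth_type, adv_int = payload[4], payload[5]              # seconds
        addr_len = 4
    elif version == 3:                     # RFC 5798 layout
        auth_type = 0                      # v3 has no authentication fields
        adv_int = struct.unpack("!H", payload[4:6])[0] & 0x0FFF  # centiseconds
        addr_len = 4 if ip_version == 4 else 16
    else:
        raise ValueError("unsupported VRRP version %d" % version)
    end = 8 + count * addr_len
    if len(payload) < end:
        raise ValueError("count %d addresses but payload too short" % count)
    ips = [str(ipaddress.ip_address(payload[8 + i * addr_len:8 + (i + 1) * addr_len]))
           for i in range(count)]
    auth = b""
    if version == 2 and auth_type == 1:    # simple text password, 8 bytes
        auth = payload[end:end + 8].rstrip(b"\x00")
    return {"version": version, "type": msg_type, "vrid": vrid, "priority": prio,
            "adv_int": adv_int, "auth_type": auth_type,
            "auth": auth.decode("ascii", "replace"), "ips": ips,
            "checksum_ok": ones_complement_sum(payload) == 0 if version == 2 else None}


class VrrpFlow:
    """Per-flow summary. Lists are kept unique here (this example's choice)."""

    def __init__(self, num_ip: int = VRRP_NUM_IP):
        self.num_ip = num_ip
        self.stat = self.ver = self.auth_type = 0
        self.types, self.vrids, self.ips, self.auths = [], [], [], set()
        self.min_pri, self.max_pri = 255, 0
        self.min_adv = self.max_adv = None

    def add(self, pkt: dict) -> None:
        self.stat |= VRRP_STAT_VRRP
        self.ver |= 1 << pkt["version"]          # assumed bitmask convention
        self.auth_type |= 1 << pkt["auth_type"]  # assumed bitmask convention
        if pkt["type"] not in self.types:
            self.types.append(pkt["type"])
        if pkt["vrid"] not in self.vrids:
            self.vrids.append(pkt["vrid"])
        if pkt["auth"]:
            self.auths.add(pkt["auth"])
        self.min_pri = min(self.min_pri, pkt["priority"])
        self.max_pri = max(self.max_pri, pkt["priority"])
        self.min_adv = pkt["adv_int"] if self.min_adv is None else min(self.min_adv, pkt["adv_int"])
        self.max_adv = pkt["adv_int"] if self.max_adv is None else max(self.max_adv, pkt["adv_int"])
        for ip in pkt["ips"]:
            if ip in self.ips:
                continue
            if len(self.ips) >= self.num_ip:
                self.stat |= VRRP_STAT_IP_TRUNC  # same meaning as the plugin's 0x0200
                break
            self.ips.append(ip)


def build_v2(vrid, prio, ips, adv_int=1, password=b""):
    """Construct a VRRPv2 advertisement (type 1) with a valid checksum."""
    auth_type = 1 if password else 0
    body = struct.pack("!BBBBBBH", 0x21, vrid, prio, len(ips), auth_type, adv_int, 0)
    body += b"".join(ipaddress.IPv4Address(ip).packed for ip in ips)
    body += password.ljust(8, b"\x00")   # 8 bytes of auth data are always present
    return body[:6] + struct.pack("!H", ones_complement_sum(body)) + body[8:]


def build_v3(vrid, prio, ips, adv_cs=100):
    """Construct a VRRPv3 advertisement; checksum left 0 (needs IP pseudo-header)."""
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    body = struct.pack("!BBBBHH", 0x31, vrid, prio, len(addrs), adv_cs & 0x0FFF, 0)
    return body + b"".join(a.packed for a in addrs)


def summarize(packets, num_ip=VRRP_NUM_IP) -> dict:
    """Feed (payload, ip_version) pairs into one flow and return its columns."""
    flow = VrrpFlow(num_ip)
    for payload, ipv in packets:
        flow.add(parse_vrrp(payload, ipv))
    return {"vrrpStat": flow.stat, "vrrpVer": flow.ver, "vrrpType": flow.types,
            "vrrpVRID": flow.vrids, "vrrpMinPri": flow.min_pri, "vrrpMaxPri": flow.max_pri,
            "vrrpMinAdvInt": flow.min_adv, "vrrpMaxAdvInt": flow.max_adv,
            "vrrpAuthType": flow.auth_type, "vrrpAuth": sorted(flow.auths),
            "vrrpIPCnt": len(flow.ips), "vrrpIP": flow.ips}


# Constructed sample flow: a v2 advertisement with a password, a v3 one, a v2 one without.
SAMPLE = [
    (build_v2(42, 191, ["10.4.42.1", "10.4.42.2", "10.4.42.3"], 10, b"abcdefgh"), 4),
    (build_v3(43, 191, ["10.4.43.150"], 1000), 4),
    (build_v2(44, 191, ["10.4.44.100", "10.4.44.200"], 10), 4),
]

if __name__ == "__main__":
    for key, val in summarize(SAMPLE).items():
        print(key, val)
    # the same six addresses squeezed into VRRP_NUM_IP=4 set the 0x0200 bit
    print(hex(summarize(SAMPLE, num_ip=4)["vrrpStat"]))
```

Lowering num_ip in summarize() reproduces the situation in the IPv6 flows above: the stored list stops at the limit and vrrpStat gains bit 9, which is the cue to raise VRRP_NUM_IP and rerun.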
Conclusion
If you changed the plugin’s configuration, don’t forget to reset the plugin configuration for the next tutorial.
t2conf vrrpDecode --reset && t2build vrrpDecode
Have fun analyzing!