Tutorial: Virtual Router Redundancy Protocol (VRRP)
Introduction
This tutorial discusses the plugin vrrpDecode.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the core (tranalyzer2) and the following plugins:
t2build tranalyzer2 basicFlow vrrpDecode txtSink
...
BUILD SUCCESSFUL
If you have not yet created separate data and results directories, do it now in another bash window; it keeps input, output and plugin sources apart and makes the workflow easier:
mkdir ~/data ~/results
The sample PCAP used in this tutorial can be downloaded here: vrrp.pcap.
Please save it in your ~/data folder.
Now you are all set for analyzing VRRP traffic!
vrrpDecode
Let’s look at the plugin configuration first:
vrrpDecode
vi src/vrrpDecode.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define VRRP_NUM_VRID 5 // number of unique virtual router ID to store
#define VRRP_NUM_IP 25 // number of unique IPs to store
#define VRRP_RT 1 // output routing tables
#if VRRP_RT == 1
#define VRRP_SUFFIX "_vrrp.txt" // Suffix for output file
#endif // VRRP_RT == 1
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
You may reconfigure these flags with t2conf or just edit the file. We leave them at their default values for this tutorial. Now run t2 on vrrp.pcap:
================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 89006
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.14
    02: vrrpDecode, 0.8.14
    03: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/data/vrrp.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1394056506.745865 sec (Wed 05 Mar 2014 21:55:06 GMT)
Dump stop : 1394056820.011328 sec (Wed 05 Mar 2014 22:00:20 GMT)
Total dump duration: 313.265463 sec (5m 13s)
Finished processing. Elapsed time: 0.002318 sec
Finished unloading flow memory. Time: 0.002466 sec
Percentage completed: 100.00%
Number of processed packets: 165
Number of processed bytes: 13680 (13.68 K)
Number of raw bytes: 13680 (13.68 K)
Number of pad bytes: 534
Number of pcap bytes: 16344 (16.34 K)
Number of IPv4 packets: 101 [61.21%]
Number of IPv6 packets: 64 [38.79%]
Number of A packets: 165 [100.00%]
Number of A bytes: 13680 (13.68 K) [100.00%]
Average A packet load: 82.91
Average B packet load: 0.00
--------------------------------------------------------------------------------
vrrpDecode: Aggregated vrrpStat=0x0201
vrrpDecode: Number of VRRPv2 packets: 68 [41.21%]
vrrpDecode: Number of VRRPv3 packets: 97 [58.79%]
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, average: 3.00
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 14
Number of processed A flows: 14 [100.00%]
Number of request flows: 14 [100.00%]
Total A/B flow asymmetry: 1.00
Total req/rply flow asymmetry: 1.00
Number of processed packets/flows: 11.79
Number of processed A packets/flows: 11.79
Number of processed total packets/s: 0.53
Number of processed A+B packets/s: 0.53
Number of processed A packets/s: 0.53
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 0.04
Average full raw bandwidth: 349 b/s
Average full bandwidth : 336 b/s
Max number of flows in memory: 12 [0.00%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0c0010000000c000
[WRN] Consecutive duplicate IP ID
[INF] IPv4 flows
[INF] IPv6 flows
The aggregated vrrpStat value 0x0201 reported above is to be interpreted as follows:
bit | vrrpStat | Description
=============================================================================
  0 | 0x0001   | Flow is VRRP
  9 | 0x0200   | IP list truncated... increase VRRP_NUM_IP
Bit 9 is set, so at least one flow stored as many IPs as VRRP_NUM_IP allows (25) and dropped the rest; increase VRRP_NUM_IP and rebuild the plugin if you need the complete list. The flow file shows which flows are affected:
tcol ~/results/vrrp_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto vrrpStat vrrpVer vrrpType vrrpVRIDCnt vrrpVRID vrrpMinPri vrrpMaxPri vrrpMinAdvInt vrrpMaxAdvInt vrrpAuthType vrrpAuth vrrpIPCnt vrrpIP
A 1 0x0400100000004000 1394056506.745865 1394056529.078313 22.332448 1 3 eth:ipv4:vrrp 00:00:5e:00:01:2a;00:00:5e:00:01:2b;00:00:5e:00:01:2c 01:00:5e:00:00:12 0x0800 10.0.0.91 04 "Private network" 0 224.0.0.18 10 "VRRP" 0 112 0x0001 0x0c 0x01 3 42;43;44 191 191 10 10 0x03 abcdefgh 6 10.4.42.1;10.4.42.2;10.4.42.3;10.4.43.150;10.4.44.100;10.4.44.200
A 2 0x0800000000008000 1394056519.064377 1394056539.071010 20.006633 1 3 eth:ipv6:vrrp 00:00:5e:00:02:2d;00:00:5e:00:02:2e 33:33:00:00:00:12 0x86dd fe80::d6ca:6dff:fe66:cf60 04 "Link-local" 0 ff02::12 10 "VRRP" 0 112 0x0001 0x08 0x01 2 45;46 191 191 10 10 0x00 21 fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d
A 3 0x0400100000004000 1394056534.773565 1394056557.042694 22.269129 1 3 eth:ipv4:vrrp 00:00:5e:00:01:2a;00:00:5e:00:01:2b;00:00:5e:00:01:2c 01:00:5e:00:00:12 0x0800 10.0.0.92 04 "Private network" 0 224.0.0.18 10 "VRRP" 0 112 0x0001 0x0c 0x01 3 42;43;44 192 192 10 10 0x03 abcdefgh 6 10.4.42.1;10.4.42.2;10.4.42.3;10.4.43.150;10.4.44.100;10.4.44.200
A 4 0x0800000000008000 1394056547.047012 1394056567.047062 20.000050 1 3 eth:ipv6:vrrp 00:00:5e:00:02:2e;00:00:5e:00:02:2d 33:33:00:00:00:12 0x86dd fe80::d6ca:6dff:fe72:b1da 04 "Link-local" 0 ff02::12 10 "VRRP" 0 112 0x0001 0x08 0x01 2 46;45 192 192 10 10 0x00 21 fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a
A 5 0x0400100000004000 1394056564.643506 1394056596.859795 32.216289 1 3 eth:ipv4:vrrp 00:00:5e:00:01:2a;00:00:5e:00:01:2b;00:00:5e:00:01:2c 01:00:5e:00:00:12 0x0800 10.0.0.93 04 "Private network" 0 224.0.0.18 10 "VRRP" 0 112 0x0001 0x0c 0x01 3 42;43;44 193 193 10 10 0x03 abcdefgh 6 10.4.42.1;10.4.42.2;10.4.42.3;10.4.43.150;10.4.44.100;10.4.44.200
A 6 0x0800000000008000 1394056576.860142 1394056606.860627 30.000485 1 3 eth:ipv6:vrrp 00:00:5e:00:02:2e;00:00:5e:00:02:2d 33:33:00:00:00:12 0x86dd fe80::d6ca:6dff:fe66:cf65 04 "Link-local" 0 ff02::12 10 "VRRP" 0 112 0x0201 0x08 0x01 2 46;45 193 193 10 10 0x00 25 fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c
A 7 0x0400100000004000 1394056601.365005 1394056643.563280 42.198275 1 3 eth:ipv4:vrrp 00:00:5e:00:01:2a;00:00:5e:00:01:2b;00:00:5e:00:01:2c 01:00:5e:00:00:12 0x0800 10.0.0.94 04 "Private network" 0 224.0.0.18 10 "VRRP" 0 112 0x0001 0x0c 0x01 3 42;43;44 194 194 10 10 0x03 abcdefgh 6 10.4.42.1;10.4.42.2;10.4.42.3;10.4.43.150;10.4.44.100;10.4.44.200
A 8 0x0800000000008000 1394056613.568732 1394056653.588127 40.019395 1 3 eth:ipv6:vrrp 00:00:5e:00:02:2d;00:00:5e:00:02:2e 33:33:00:00:00:12 0x86dd fe80::d6ca:6dff:fe65:d45c 04 "Link-local" 0 ff02::12 10 "VRRP" 0 112 0x0201 0x08 0x01 2 45;46 194 194 10 10 0x00 25 fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a
A 9 0x0400100000004000 1394056650.198637 1394056682.367084 32.168447 1 3 eth:ipv4:vrrp 00:00:5e:00:01:2a;00:00:5e:00:01:2b;00:00:5e:00:01:2c 01:00:5e:00:00:12 0x0800 10.0.0.95 04 "Private network" 0 224.0.0.18 10 "VRRP" 0 112 0x0001 0x0c 0x01 3 42;43;44 195 195 10 10 0x03 abcdefgh 6 10.4.42.1;10.4.42.2;10.4.42.3;10.4.43.150;10.4.44.100;10.4.44.200
A 10 0x0800000000008000 1394056662.367760 1394056692.374697 30.006937 1 3 eth:ipv6:vrrp 00:00:5e:00:02:2d;00:00:5e:00:02:2e 33:33:00:00:00:12 0x86dd fe80::d6ca:6dff:fe65:d46b 04 "Link-local" 0 ff02::12 10 "VRRP" 0 112 0x0201 0x08 0x01 2 45;46 195 195 10 10 0x00 25 fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a
A 11 0x0400100000004000 1394056684.461974 1394056726.596106 42.134132 1 3 eth:ipv4:vrrp 00:00:5e:00:01:2a;00:00:5e:00:01:2b;00:00:5e:00:01:2c 01:00:5e:00:00:12 0x0800 10.0.0.96 04 "Private network" 0 224.0.0.18 10 "VRRP" 0 112 0x0001 0x0c 0x01 3 42;43;44 196 196 10 10 0x03 abcdefgh 6 10.4.42.1;10.4.42.2;10.4.42.3;10.4.43.150;10.4.44.100;10.4.44.200
A 12 0x0800000000008000 1394056696.590792 1394056736.604316 40.013524 1 3 eth:ipv6:vrrp 00:00:5e:00:02:2d;00:00:5e:00:02:2e 33:33:00:00:00:12 0x86dd fe80::d6ca:6dff:fe72:b1e4 04 "Link-local" 0 ff02::12 10 "VRRP" 0 112 0x0201 0x08 0x01 2 45;46 196 196 10 10 0x00 25 fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a
A 14 0x0800000000008000 1394056742.020356 1394056812.033752 70.013396 1 3 eth:ipv6:vrrp 00:00:5e:00:02:2d;00:00:5e:00:02:2e 33:33:00:00:00:12 0x86dd fe80::20c:42ff:fe5e:c2dc 04 "Link-local" 0 ff02::12 10 "VRRP" 0 112 0x0201 0x08 0x01 2 45;46 197 197 10 10 0x00 25 fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a;2001::eeff:b;2001::eeff:c;2001::eeff:d;fe80::200:5eff:fe00:22d;2001::abcd:a;fe80::200:5eff:fe00:22e;2001::eeff:a
A 13 0x0400100000004000 1394056729.932515 1394056820.011328 90.078813 1 3 eth:ipv4:vrrp 00:00:5e:00:01:2a;00:00:5e:00:01:2b;00:00:5e:00:01:2c 01:00:5e:00:00:12 0x0800 10.0.0.97 04 "Private network" 0 224.0.0.18 10 "VRRP" 0 112 0x0001 0x0c 0x01 3 42;43;44 197 197 10 10 0x03 abcdefgh 6 10.4.42.1;10.4.42.2;10.4.42.3;10.4.43.150;10.4.44.100;10.4.44.200
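As an added example (not part of the tutorial or of the vrrpDecode plugin), the following Python script post-processes the tab-separated vrrp_flows.txt shown above: it expands each flow's vrrpStat with the bit table given earlier, flags flows whose IP list hit the VRRP_NUM_IP limit, counts how many distinct addresses the stored list actually contains, groups VRIDs by the source address that advertised them, and marks flows that carried an authentication string (VRRPv2 simple-text authentication transmits it unencrypted, which is why vrrpAuth can show abcdefgh). The column layout is assumed to be the one printed by tcol, and the two embedded rows are constructed from flows 1 and 6 of the tutorial output; pass the real file as the first argument to run it on your own results.

```python
"""Audit tranalyzer2's vrrp_flows.txt (example, not part of Tranalyzer)."""
import sys
from collections import defaultdict

# vrrpStat bits, taken from the plugin's table in the tutorial.
VRRP_STAT_BITS = {
    0x0001: "Flow is VRRP",
    0x0200: "IP list truncated... increase VRRP_NUM_IP",
}
VRRP_STAT_IP_TRUNCATED = 0x0200

# Column names from the %dir header line printed by tcol (assumed layout).
HEADER = (
    "dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc "
    "srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC "
    "dstIPOrg dstPort l4Proto vrrpStat vrrpVer vrrpType vrrpVRIDCnt vrrpVRID "
    "vrrpMinPri vrrpMaxPri vrrpMinAdvInt vrrpMaxAdvInt vrrpAuthType vrrpAuth "
    "vrrpIPCnt vrrpIP"
).split()

# Constructed sample rows, values copied from flows 1 and 6 of the tutorial.
FLOW1 = ["A", "1", "0x0400100000004000", "1394056506.745865", "1394056529.078313",
         "22.332448", "1", "3", "eth:ipv4:vrrp",
         "00:00:5e:00:01:2a;00:00:5e:00:01:2b;00:00:5e:00:01:2c", "01:00:5e:00:00:12",
         "0x0800", "", "10.0.0.91", "04", '"Private network"', "0", "224.0.0.18",
         "10", '"VRRP"', "0", "112", "0x0001", "0x0c", "0x01", "3", "42;43;44",
         "191", "191", "10", "10", "0x03", "abcdefgh", "6",
         "10.4.42.1;10.4.42.2;10.4.42.3;10.4.43.150;10.4.44.100;10.4.44.200"]
IPV6_LIST = ";".join(
    ["fe80::200:5eff:fe00:22e", "2001::eeff:a", "2001::eeff:b", "2001::eeff:c",
     "2001::eeff:d", "fe80::200:5eff:fe00:22d", "2001::abcd:a"] * 3
    + ["fe80::200:5eff:fe00:22e", "2001::eeff:a", "2001::eeff:b", "2001::eeff:c"])
FLOW6 = ["A", "6", "0x0800000000008000", "1394056576.860142", "1394056606.860627",
         "30.000485", "1", "3", "eth:ipv6:vrrp",
         "00:00:5e:00:02:2e;00:00:5e:00:02:2d", "33:33:00:00:00:12", "0x86dd", "",
         "fe80::d6ca:6dff:fe66:cf65", "04", '"Link-local"', "0", "ff02::12", "10",
         '"VRRP"', "0", "112", "0x0201", "0x08", "0x01", "2", "46;45", "193", "193",
         "10", "10", "0x00", "", "25", IPV6_LIST]
SAMPLE = "\n".join(["%" + "\t".join(HEADER), "\t".join(FLOW1), "\t".join(FLOW6)]) + "\n"


def parse_flow_file(text):
    """Parse the tab-separated flow file into one dict per flow row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].lstrip("%").split("\t")
    rows = []
    for ln in lines[1:]:
        fields = ln.split("\t")
        if len(fields) != len(header):
            raise ValueError(f"expected {len(header)} columns, got {len(fields)}")
        rows.append(dict(zip(header, fields)))
    return rows


def decode_vrrp_stat(value):
    """Expand a vrrpStat bitfield into the plugin's descriptions."""
    return [desc for bit, desc in VRRP_STAT_BITS.items() if value & bit]


def audit_flow(row):
    """Summarise one flow: VRIDs, priority range, flags, list truncation, auth."""
    stat = int(row["vrrpStat"], 16)
    ips = [ip for ip in row["vrrpIP"].split(";") if ip]
    return {
        "flowInd": int(row["flowInd"]),
        "srcIP": row["srcIP"],
        "vrids": [int(v) for v in row["vrrpVRID"].split(";") if v],
        "priority": (int(row["vrrpMinPri"]), int(row["vrrpMaxPri"])),
        "flags": decode_vrrp_stat(stat),
        "ip_list_truncated": bool(stat & VRRP_STAT_IP_TRUNCATED),
        "ip_count": int(row["vrrpIPCnt"]),
        "unique_ips": len(set(ips)),   # the stored list may repeat addresses
        # A non-empty vrrpAuth means the authentication string was readable
        # on the wire (VRRPv2 simple-text authentication is not encrypted).
        "auth_seen": row["vrrpAuth"] != "",
    }


def vrid_owners(rows):
    """Map each VRID to the set of source addresses that advertised it."""
    owners = defaultdict(set)
    for row in rows:
        for v in row["vrrpVRID"].split(";"):
            if v:
                owners[int(v)].add(row["srcIP"])
    return dict(owners)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    flows = parse_flow_file(text)
    for r in flows:
        print(audit_flow(r))
    for vrid, srcs in sorted(vrid_owners(flows).items()):
        print(f"VRID {vrid}: advertised by {sorted(srcs)}")
```

On the sample rows the script reports flow 6 as truncated (25 stored entries, only 7 distinct addresses) and flow 1 as carrying an authentication string; on a real capture, a VRID advertised from more than one source address, or a priority range wider than expected, is what a defender would look at next.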
tcol ~/results/vrrp_packets.txt
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto l7Content
1 1 0x0400000000004000 1394056506.745865 0.000000 0.000000 0.000000 3 eth:ipv4:vrrp 00:00:5e:00:01:2a 01:00:5e:00:00:12 0x0800 10.0.0.91 04 Private network 224.0.0.18 10 VRRP 112 \n.*.\n.*.\n.*.abcdefgh
2 1 0x0400000000004000 1394056506.749784 0.003919 0.000000 0.003919 3 eth:ipv4:vrrp 00:00:5e:00:01:2b 01:00:5e:00:00:12 0x0800 10.0.0.91 04 Private network 224.0.0.18 10 VRRP 112 \n.+.........
3 1 0x0400100000004000 1394056509.074730 2.324946 0.000000 2.328865 3 eth:ipv4:vrrp 00:00:5e:00:01:2c 01:00:5e:00:00:12 0x0800 10.0.0.91 04 Private network 224.0.0.18 10 VRRP 112 \n.,d\n.,.
4 1 0x0400100000004000 1394056516.753372 7.678642 0.000000 10.007507 3 eth:ipv4:vrrp 00:00:5e:00:01:2a 01:00:5e:00:00:12 0x0800 10.0.0.91 04 Private network 224.0.0.18 10 VRRP 112 \n.*.\n.*.\n.*.abcdefgh
5 1 0x0400100000004000 1394056516.753436 0.000064 0.000000 10.007571 3 eth:ipv4:vrrp 00:00:5e:00:01:2b 01:00:5e:00:00:12 0x0800 10.0.0.91 04 Private network 224.0.0.18 10 VRRP 112 \n.+.........
6 2 0x0800000000008000 1394056519.064377 0.000000 0.000000 0.000000 3 eth:ipv6:vrrp 00:00:5e:00:02:2d 33:33:00:00:00:12 0x86dd fe80::d6ca:6dff:fe66:cf60 04 Link-local ff02::12 10 VRRP 112 ..........^....- ..............\n
7 2 0x0800000000008000 1394056519.064509 0.000132 0.000000 0.000132 3 eth:ipv6:vrrp 00:00:5e:00:02:2e 33:33:00:00:00:12 0x86dd fe80::d6ca:6dff:fe66:cf60 04 Link-local ff02::12 10 VRRP 112 ..........^..... ..............\n ............... ............... ..............\r
8 1 0x0400100000004000 1394056519.074681 2.321245 0.000000 12.328816 3 eth:ipv4:vrrp 00:00:5e:00:01:2c 01:00:5e:00:00:12 0x0800 10.0.0.91 04 Private network 224.0.0.18 10 VRRP 112 \n.,d\n.,.
9 1 0x0400100000004000 1394056526.751857 7.677176 0.000000 20.005993 3 eth:ipv4:vrrp 00:00:5e:00:01:2a 01:00:5e:00:00:12 0x0800 10.0.0.91 04 Private network 224.0.0.18 10 VRRP 112 \n.*.\n.*.\n.*.abcdefgh
10 1 0x0400100000004000 1394056526.751923 0.000066 0.000000 20.006058 3 eth:ipv4:vrrp 00:00:5e:00:01:2b 01:00:5e:00:00:12 0x0800 10.0.0.91 04 Private network 224.0.0.18 10 VRRP 112 \n.+.........
11 2 0x0800000000008000 1394056529.068063 10.003554 0.000000 10.003686 3 eth:ipv6:vrrp 00:00:5e:00:02:2e 33:33:00:00:00:12 0x86dd fe80::d6ca:6dff:fe66:cf60 04 Link-local ff02::12 10 VRRP 112 ..........^..... ..............\n ............... ............... ..............\r
12 2 0x0800000000008000 1394056529.068132 0.000069 0.000000 10.003755 3 eth:ipv6:vrrp 00:00:5e:00:02:2d 33:33:00:00:00:12 0x86dd fe80::d6ca:6dff:fe66:cf60 04 Link-local ff02::12 10 VRRP 112 ..........^....- ..............\n
13 1 0x0400100000004000 1394056529.078313 2.326390 0.000000 22.332447 3 eth:ipv4:vrrp 00:00:5e:00:01:2c 01:00:5e:00:00:12 0x0800 10.0.0.91 04 Private network 224.0.0.18 10 VRRP 112 \n.,d\n.,.
14 3 0x0400000000004000 1394056534.773565 0.000000 0.000000 0.000000 3 eth:ipv4:vrrp 00:00:5e:00:01:2a 01:00:5e:00:00:12 0x0800 10.0.0.92 04 Private network 224.0.0.18 10 VRRP 112 \n.*.\n.*.\n.*.abcdefgh
15 3 0x0400000000004000 1394056534.783698 0.010133 0.000000 0.010133 3 eth:ipv4:vrrp 00:00:5e:00:01:2b 01:00:5e:00:00:12 0x0800 10.0.0.92 04 Private network 224.0.0.18 10 VRRP 112 \n.+.........
16 3 0x0400100000004000 1394056537.044216 2.260518 0.000000 2.270651 3 eth:ipv4:vrrp 00:00:5e:00:01:2c 01:00:5e:00:00:12 0x0800 10.0.0.92 04 Private network 224.0.0.18 10 VRRP 112 \n.,d\n.,.
17 2 0x0800000000008000 1394056539.070934 10.002802 0.000000 20.006557 3 eth:ipv6:vrrp 00:00:5e:00:02:2d 33:33:00:00:00:12 0x86dd fe80::d6ca:6dff:fe66:cf60 04 Link-local ff02::12 10 VRRP 112 ..........^....- ..............\n
18 2 0x0800000000008000 1394056539.071010 0.000076 0.000000 20.006634 3 eth:ipv6:vrrp 00:00:5e:00:02:2e 33:33:00:00:00:12 0x86dd fe80::d6ca:6dff:fe66:cf60 04 Link-local ff02::12 10 VRRP 112 ..........^..... ..............\n ............... ............... ..............\r
19 3 0x0400100000004000 1394056544.778957 7.734741 0.000000 10.005392 3 eth:ipv4:vrrp 00:00:5e:00:01:2a 01:00:5e:00:00:12 0x0800 10.0.0.92 04 Private network 224.0.0.18 10 VRRP 112 \n.*.\n.*.\n.*.abcdefgh
...
Conclusion
If you changed the plugin’s configuration, don’t forget to reset the plugin configuration for the next tutorial.
t2conf vrrpDecode --reset && t2build vrrpDecode
Have fun analyzing!