Bug 1464390

Summary: RFE: AF_VSOCK support in tcpdump
Product: Red Hat Enterprise Linux 7 Reporter: Stefan Hajnoczi <stefanha>
Component: tcpdump    Assignee: Michal Ruprich <mruprich>
Status: CLOSED ERRATA QA Contact: Martin Zelený <mzeleny>
Severity: medium Docs Contact: Jiri Herrmann <jherrman>
Priority: medium    
Version: 7.5    CC: areis, chayang, dschoenb, jherrman, juzhang, kdreyer, ksrot, lmiksik, michen, mruprich, msehnout, msekleta, mtessun, mzeleny, pasik, stefanha, thozza, virt-bugs, xfu
Target Milestone: rc    Keywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: tcpdump-4.9.0-6.el7 Doc Type: Release Note
Doc Text:
*tcpdump* can now analyze *virtio* traffic

The *tcpdump* utility now supports the *virtio-vsock* communication device. This makes it possible for *tcpdump* to filter and analyze virtio communication between a hypervisor and a guest virtual machine.
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 07:06:22 EDT Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1464362, 1470219    
Bug Blocks: 1363787, 1465928    
Attachments:
Description Flags
pcap file for testing none

Description Stefan Hajnoczi 2017-06-23 06:19:43 EDT
KVM is adding AF_VSOCK support for host<->guest communication.  See related bz#1464362 for the libpcap prerequisite.

The AF_VSOCK address family offers SOCK_STREAM semantics similar to TCP.  It does not use Ethernet/IP/TCP.  For details see:
http://wiki.qemu.org/Features/VirtioVsock

I am working upstream to add AF_VSOCK packet capture to tcpdump so that users can troubleshoot and analyze guest<->host traffic.  The AF_VSOCK packet capture format is described here:
http://lists.sandelman.ca/pipermail/tcpdump-workers/2017-May/000772.html

Once the feature lands upstream it will be possible to backport it to RHEL.
Comment 3 Stefan Hajnoczi 2017-07-12 10:14:04 EDT
Patches posted upstream:
https://github.com/the-tcpdump-group/tcpdump/pull/612
Comment 13 Martin Sehnoutka 2017-08-16 05:56:29 EDT
Hello,

could you please attach a testing pcap file?
Comment 15 Stefan Hajnoczi 2017-08-17 12:03 EDT
Created attachment 1314768 [details]
pcap file for testing

I have attached a pcapng file.  The expected output is:

  $ tcpdump -r wireshark_vsockmon0_20170713133043_VheF4m.pcapng
  13:31:11.261679 VIRTIO 3.1024 > 2.1234 CONNECT, length 76
  13:31:11.261740 VIRTIO 2.1234 > 3.1024 CONNECT, length 76
  13:31:12.552718 VIRTIO 3.1024 > 2.1234 PAYLOAD, length 82
  13:31:12.552854 VIRTIO 2.1234 > 3.1024 CONTROL, length 76
  13:31:13.817848 VIRTIO 3.1024 > 2.1234 PAYLOAD, length 82
  13:31:13.817897 VIRTIO 2.1234 > 3.1024 CONTROL, length 76
  13:31:16.939624 VIRTIO 2.1234 > 3.1024 PAYLOAD, length 83
  13:31:16.947538 VIRTIO 3.1024 > 2.1234 CONTROL, length 76
  13:31:17.368933 VIRTIO 2.1234 > 3.1024 DISCONNECT, length 76
  13:31:17.377004 VIRTIO 3.1024 > 2.1234 DISCONNECT, length 76
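As an added example, not part of the bug report or of tcpdump itself: a small Python checker that parses the VIRTIO lines in the expected output above and follows each vsock flow through CONNECT, PAYLOAD/CONTROL and DISCONNECT, flagging frames that arrive out of order. It assumes that the 76-byte length shared by every non-PAYLOAD frame is the fixed capture header, so bytes beyond it in a PAYLOAD frame are counted as application data.

```python
import re

# One line of tcpdump's VSOCK printer output, in the form quoted in the bug report.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) VIRTIO (?P<scid>\d+)\.(?P<sport>\d+) > "
    r"(?P<dcid>\d+)\.(?P<dport>\d+) (?P<op>[A-Z]+), length (?P<length>\d+)$")

# Assumption: the non-PAYLOAD frames are all 76 bytes, so 76 is taken as the capture header.
HDR_LEN = 76

# Constructed sample: frames from the expected output quoted in the report.
SAMPLE = """\
13:31:11.261679 VIRTIO 3.1024 > 2.1234 CONNECT, length 76
13:31:11.261740 VIRTIO 2.1234 > 3.1024 CONNECT, length 76
13:31:12.552718 VIRTIO 3.1024 > 2.1234 PAYLOAD, length 82
13:31:12.552854 VIRTIO 2.1234 > 3.1024 CONTROL, length 76
13:31:16.939624 VIRTIO 2.1234 > 3.1024 PAYLOAD, length 83
13:31:17.368933 VIRTIO 2.1234 > 3.1024 DISCONNECT, length 76
13:31:17.377004 VIRTIO 3.1024 > 2.1234 DISCONNECT, length 76
"""

def parse_line(line):
    """Return a dict for one VIRTIO frame line, or None for any other output line."""
    m = LINE_RE.match(line.strip())
    return {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()} if m else None

def summarize(text):
    """Per-flow state machine (CONNECT -> PAYLOAD/CONTROL -> DISCONNECT) with anomaly list."""
    flows = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue  # e.g. the "reading from file ..., link-type VSOCK" banner
        # Direction-independent key so both halves of a connection share one entry.
        key = tuple(sorted([(rec["scid"], rec["sport"]), (rec["dcid"], rec["dport"])]))
        f = flows.setdefault(key, {"state": "NEW", "payload_bytes": 0, "anomalies": []})
        op = rec["op"]
        if f["state"] == "CLOSED" and op != "DISCONNECT":
            f["anomalies"].append(f"line {lineno}: {op} after DISCONNECT")
        if op == "CONNECT":
            f["state"] = "OPEN"
        elif op == "PAYLOAD":
            if f["state"] == "NEW":
                f["anomalies"].append(f"line {lineno}: PAYLOAD without CONNECT")
            f["payload_bytes"] += max(rec["length"] - HDR_LEN, 0)
        elif op == "DISCONNECT":
            f["state"] = "CLOSED"
        elif op != "CONTROL":
            f["anomalies"].append(f"line {lineno}: unknown op {op}")
    return flows
```

Feed it `tcpdump -r <file>` output on stdin or a saved log; a non-empty `anomalies` list for a flow is the thing to look at.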
Comment 16 Martin Sehnoutka 2017-08-23 09:04:10 EDT
Thanks, it works now.
Comment 21 Stefan Hajnoczi 2017-10-02 11:07:50 EDT
Hi Michal,
tcpdump-4.9.0-6 doesn't work for me.  I get the same error you reported.

Martin: Was tcpdump-4.9.0-6 built against a libpcap-devel package that defines DLT_VSOCK?

++++ b/print.c
+@@ -220,6 +220,9 @@ static const struct printer printers[] = {
+ #ifdef DLT_PPP_SERIAL
+ 	{ ppp_hdlc_if_print,	DLT_PPP_SERIAL },
+ #endif
++#ifdef DLT_VSOCK
++	{ vsock_print,		DLT_VSOCK },
++#endif
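Review bot: the `#ifdef DLT_VSOCK` guard around the new `printers[]` entry means that when the libpcap-devel headers present at build time do not define DLT_VSOCK, the `vsock_print` entry is silently compiled out and the resulting tcpdump still cannot decode the capture, which is consistent with the failure reported in this comment. Make the build require the libpcap that provides DLT_VSOCK (the prerequisite tracked in bz#1464362), or fail the build when the symbol is absent, rather than relying on the conditional to paper over a mismatched build root.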

Also, please note that the vsock code has not been merged into tcpdump.git upstream yet.  I have pinged the maintainers to review/merge it.
Comment 32 Michal Ruprich 2017-12-12 07:27:34 EST
Hi Jiri,

yes this looks good.

Thanks.
Comment 33 FuXiangChun 2017-12-19 23:34:26 EST
KVM QE tried to test this bug with the fixed tcpdump version tcpdump-4.9.2-3.el7.x86. This is the test result [1]; it may be helpful.

[1]
https://bugzilla.redhat.com/show_bug.cgi?id=1464362#c21
Comment 34 Martin Zelený 2018-01-05 08:05:10 EST
Successfully verified by Case Runs #16499806 (rhel-7) and #16499841 (rhel-alt-7) of TC#561269 - /CoreOS/tcpdump/Sanity/AF_VSOCK-support

:: [   LOG    ] :: Test reading pcap-ng file with tcpdump
:: [  BEGIN   ] :: VSOCK should be supported :: actually running 'tcpdump -r vsock.pcapng'
13:31:11.261679 VIRTIO 3.1024 > 2.1234 CONNECT, length 76
13:31:11.261740 VIRTIO 2.1234 > 3.1024 CONNECT, length 76
13:31:12.552718 VIRTIO 3.1024 > 2.1234 PAYLOAD, length 82
13:31:12.552854 VIRTIO 2.1234 > 3.1024 CONTROL, length 76
13:31:13.817848 VIRTIO 3.1024 > 2.1234 PAYLOAD, length 82
13:31:13.817897 VIRTIO 2.1234 > 3.1024 CONTROL, length 76
13:31:16.939624 VIRTIO 2.1234 > 3.1024 PAYLOAD, length 83
13:31:16.947538 VIRTIO 3.1024 > 2.1234 CONTROL, length 76
13:31:17.368933 VIRTIO 2.1234 > 3.1024 DISCONNECT, length 76
13:31:17.377004 VIRTIO 3.1024 > 2.1234 DISCONNECT, length 76
reading from file vsock.pcapng, link-type VSOCK (Linux vsock)
:: [   PASS   ] :: VSOCK should be supported (Expected 0, got 0)
:: [   PASS   ] :: File '/var/tmp/rlRun_LOG.SclaGPOw' should contain 'VIRTIO'
Comment 37 errata-xmlrpc 2018-04-10 07:06:22 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0705