Bug 1464390 - RFE: AF_VSOCK support in tcpdump
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: tcpdump
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Michal Ruprich
QA Contact: Martin Zelený
Docs Contact: Jiri Herrmann
Keywords: FutureFeature
Depends On: 1464362 1470219
Blocks: 1363787 1465928
Reported: 2017-06-23 06:19 EDT by Stefan Hajnoczi
Modified: 2018-04-10 07:06 EDT (History)

See Also:
Fixed In Version: tcpdump-4.9.0-6.el7
Doc Type: Release Note
Doc Text:
*tcpdump* can now analyze *virtio* traffic
The *tcpdump* utility now supports the *virtio-vsock* communication device. This makes it possible for *tcpdump* to filter and analyze virtio communication between a hypervisor and a guest virtual machine.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-10 07:06:22 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
pcap file for testing (1.42 KB, application/octet-stream)
2017-08-17 12:03 EDT, Stefan Hajnoczi


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2018:0705 None None None 2018-04-10 07:06 EDT

Description Stefan Hajnoczi 2017-06-23 06:19:43 EDT
KVM is adding AF_VSOCK support for host<->guest communication.  See related bz#1464362 for the libpcap prerequisite.

The AF_VSOCK address family offers SOCK_STREAM semantics similar to TCP.  It does not use Ethernet/IP/TCP.  For details see:
http://wiki.qemu.org/Features/VirtioVsock

I am working upstream to add AF_VSOCK packet capture to tcpdump so that users can troubleshoot and analyze guest<->host traffic.  The AF_VSOCK packet capture format is described here:
http://lists.sandelman.ca/pipermail/tcpdump-workers/2017-May/000772.html

Once the feature lands upstream it will be possible to backport it to RHEL.
Comment 3 Stefan Hajnoczi 2017-07-12 10:14:04 EDT
Patches posted upstream:
https://github.com/the-tcpdump-group/tcpdump/pull/612
Comment 13 Martin Sehnoutka 2017-08-16 05:56:29 EDT
Hello,

could you please attach a testing pcap file?
Comment 15 Stefan Hajnoczi 2017-08-17 12:03 EDT
Created attachment 1314768 [details]
pcap file for testing

I have attached a pcapng file.  The expected output is:

  $ tcpdump -r wireshark_vsockmon0_20170713133043_VheF4m.pcapng
  13:31:11.261679 VIRTIO 3.1024 > 2.1234 CONNECT, length 76
  13:31:11.261740 VIRTIO 2.1234 > 3.1024 CONNECT, length 76
  13:31:12.552718 VIRTIO 3.1024 > 2.1234 PAYLOAD, length 82
  13:31:12.552854 VIRTIO 2.1234 > 3.1024 CONTROL, length 76
  13:31:13.817848 VIRTIO 3.1024 > 2.1234 PAYLOAD, length 82
  13:31:13.817897 VIRTIO 2.1234 > 3.1024 CONTROL, length 76
  13:31:16.939624 VIRTIO 2.1234 > 3.1024 PAYLOAD, length 83
  13:31:16.947538 VIRTIO 3.1024 > 2.1234 CONTROL, length 76
  13:31:17.368933 VIRTIO 2.1234 > 3.1024 DISCONNECT, length 76
  13:31:17.377004 VIRTIO 3.1024 > 2.1234 DISCONNECT, length 76
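As an added illustration (not part of this bug report and not tcpdump's own printer code), the following script decodes the DLT_VSOCK frame format that the Description links to and renders each frame in the same one-line shape as the expected output above. The header layout follows the Linux UAPI struct af_vsockmon_hdr (32 bytes, little-endian) and the op/transport enums from the same header; the 44-byte virtio_vsock_hdr is treated as opaque, which is why CONNECT/CONTROL/DISCONNECT frames come out at 76 bytes. The sample frames are constructed in the script, not taken from the attached capture, and the parser rejects truncated frames rather than reading past the buffer:

```python
import struct
from dataclasses import dataclass

# Layout of the vsockmon link-layer header (Linux UAPI struct af_vsockmon_hdr),
# little-endian, 32 bytes: src_cid, dst_cid (u64), src_port, dst_port (u32),
# op, transport, len (u16), then 2 reserved bytes. Every DLT_VSOCK frame starts with it.
VSOCKMON_HDR = struct.Struct("<QQIIHHH2x")
VSOCKMON_HDR_LEN = VSOCKMON_HDR.size  # 32 bytes

# enum af_vsockmon_op and enum af_vsockmon_transport from the same header.
OPS = {0: "UNKNOWN", 1: "CONNECT", 2: "DISCONNECT", 3: "CONTROL", 4: "PAYLOAD"}
TRANSPORTS = {0: "UNKNOWN", 1: "NO_INFO", 2: "VIRTIO"}
TRANSPORT_VIRTIO = 2

# struct virtio_vsock_hdr is 44 bytes; with the 32-byte vsockmon header that
# gives the 76-byte CONNECT/CONTROL/DISCONNECT frames seen in the expected output.
VIRTIO_VSOCK_HDR_LEN = 44


@dataclass
class VsockRecord:
    transport: str
    src_cid: int
    src_port: int
    dst_cid: int
    dst_port: int
    op: str
    transport_hdr: bytes
    payload: bytes
    total_len: int


def parse_vsockmon(frame: bytes) -> VsockRecord:
    """Decode one DLT_VSOCK frame. Raises ValueError on truncation so a short
    or malformed capture record can never be read past its end."""
    if len(frame) < VSOCKMON_HDR_LEN:
        raise ValueError(f"frame too short for vsockmon header: {len(frame)} bytes")
    src_cid, dst_cid, src_port, dst_port, op, transport, hdr_len = \
        VSOCKMON_HDR.unpack_from(frame)
    end = VSOCKMON_HDR_LEN + hdr_len
    if end > len(frame):
        raise ValueError(f"transport header length {hdr_len} exceeds frame")
    return VsockRecord(
        transport=TRANSPORTS.get(transport, f"transport#{transport}"),
        src_cid=src_cid, src_port=src_port, dst_cid=dst_cid, dst_port=dst_port,
        op=OPS.get(op, f"op#{op}"),
        transport_hdr=frame[VSOCKMON_HDR_LEN:end],
        payload=frame[end:],
        total_len=len(frame),
    )


def format_record(r: VsockRecord) -> str:
    """Render a record the way tcpdump's one-line summary does:
    '<transport> <cid>.<port> > <cid>.<port> <op>, length <n>'."""
    return (f"{r.transport} {r.src_cid}.{r.src_port} > {r.dst_cid}.{r.dst_port} "
            f"{r.op}, length {r.total_len}")


def build_vsockmon(src_cid, dst_cid, src_port, dst_port, op,
                   transport=TRANSPORT_VIRTIO, transport_hdr=None, payload=b"") -> bytes:
    """Construct a test frame (constructed data, not from a real capture).
    The virtio transport header is zero-filled because this parser treats it as opaque."""
    if transport_hdr is None:
        transport_hdr = bytes(VIRTIO_VSOCK_HDR_LEN)
    hdr = VSOCKMON_HDR.pack(src_cid, dst_cid, src_port, dst_port, op, transport,
                            len(transport_hdr))
    return hdr + transport_hdr + payload


# Constructed sample exchange mirroring the first three lines of the expected output:
# guest CID 3 port 1024 talks to host CID 2 port 1234.
SAMPLE_FRAMES = [
    build_vsockmon(3, 2, 1024, 1234, 1),                      # guest -> host CONNECT
    build_vsockmon(2, 3, 1234, 1024, 1),                      # host -> guest CONNECT
    build_vsockmon(3, 2, 1024, 1234, 4, payload=b"hello\n"),  # PAYLOAD, 6 data bytes
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(format_record(parse_vsockmon(frame)))
```

The length check before slicing is the part worth keeping when adapting this to real captures: the `len` field is attacker-controlled data once a pcap comes from an untrusted source, and a decoder that trusts it will read beyond the record.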
Comment 16 Martin Sehnoutka 2017-08-23 09:04:10 EDT
Thanks, it works now.
Comment 21 Stefan Hajnoczi 2017-10-02 11:07:50 EDT
Hi Michal,
tcpdump-4.9.0-6 doesn't work for me.  I get the same error you reported.

Martin: Was tcpdump-4.9.0-6 built against a libpcap-devel package that defines DLT_VSOCK?

++++ b/print.c
+@@ -220,6 +220,9 @@ static const struct printer printers[] = {
+ #ifdef DLT_PPP_SERIAL
+ 	{ ppp_hdlc_if_print,	DLT_PPP_SERIAL },
+ #endif
++#ifdef DLT_VSOCK
++	{ vsock_print,		DLT_VSOCK },
++#endif
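Review bot: the `#ifdef DLT_VSOCK` guard around the new printers[] entry means that a build against a libpcap-devel whose headers do not define DLT_VSOCK silently drops the vsock printer, producing a tcpdump without the feature and no build error, which is exactly the "doesn't work" symptom and the question about the libpcap-devel package raised in this comment. Suggest making the dependency explicit rather than relying on the guard: a BuildRequires on the libpcap-devel that carries DLT_VSOCK, or a configure-time check that fails when the symbol is missing, so the package cannot be built without the printer it is meant to ship.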

Also, please note that the vsock code has not been merged into tcpdump.git upstream yet.  I have pinged the maintainers to review/merge it.
Comment 32 Michal Ruprich 2017-12-12 07:27:34 EST
Hi Jiri,

yes this looks good.

Thanks.
Comment 33 FuXiangChun 2017-12-19 23:34:26 EST
KVM QE tried to test this bug with the fixed tcpdump version tcpdump-4.9.2-3.el7.x86. This is the test result [1]; it may be helpful.

[1]
https://bugzilla.redhat.com/show_bug.cgi?id=1464362#c21
Comment 34 Martin Zelený 2018-01-05 08:05:10 EST
Successfully verified by Case Runs #16499806 (rhel-7) and #16499841 (rhel-alt-7) of TC#561269 - /CoreOS/tcpdump/Sanity/AF_VSOCK-support

:: [   LOG    ] :: Test reading pcap-ng file with tcpdump
:: [  BEGIN   ] :: VSOCK should be supported :: actually running 'tcpdump -r vsock.pcapng'
13:31:11.261679 VIRTIO 3.1024 > 2.1234 CONNECT, length 76
13:31:11.261740 VIRTIO 2.1234 > 3.1024 CONNECT, length 76
13:31:12.552718 VIRTIO 3.1024 > 2.1234 PAYLOAD, length 82
13:31:12.552854 VIRTIO 2.1234 > 3.1024 CONTROL, length 76
13:31:13.817848 VIRTIO 3.1024 > 2.1234 PAYLOAD, length 82
13:31:13.817897 VIRTIO 2.1234 > 3.1024 CONTROL, length 76
13:31:16.939624 VIRTIO 2.1234 > 3.1024 PAYLOAD, length 83
13:31:16.947538 VIRTIO 3.1024 > 2.1234 CONTROL, length 76
13:31:17.368933 VIRTIO 2.1234 > 3.1024 DISCONNECT, length 76
13:31:17.377004 VIRTIO 3.1024 > 2.1234 DISCONNECT, length 76
reading from file vsock.pcapng, link-type VSOCK (Linux vsock)
:: [   PASS   ] :: VSOCK should be supported (Expected 0, got 0)
:: [   PASS   ] :: File '/var/tmp/rlRun_LOG.SclaGPOw' should contain 'VIRTIO'
Comment 37 errata-xmlrpc 2018-04-10 07:06:22 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0705
