Bug 1464395 - RFE: AF_VSOCK support in Wireshark
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: wireshark
Version: 7.5
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
Assignee: Michal Ruprich
QA Contact: Karel Volný
Keywords: FutureFeature, Patch
Depends On: 1290760 1464362 1470219
Reported: 2017-06-23 10:45 UTC by Stefan Hajnoczi
Modified: 2018-10-30 09:36 UTC (History)
Last Closed: 2018-10-30 09:35:53 UTC


Attachments
Example AF_VSOCK packet capture file (1.42 KB, application/octet-stream)
2017-07-17 14:55 UTC, Stefan Hajnoczi
Packet capture taken using tshark (1.16 KB, application/octet-stream)
2018-06-20 16:14 UTC, Stefan Hajnoczi


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3089 None None None 2018-10-30 09:36 UTC

Description Stefan Hajnoczi 2017-06-23 10:45:14 UTC
KVM is adding AF_VSOCK support for host<->guest communication.  See related bz#1464362 for the libpcap prerequisite.

The AF_VSOCK address family offers SOCK_STREAM semantics similar to TCP.  It does not use Ethernet/IP/TCP.  For details see:
http://wiki.qemu.org/Features/VirtioVsock

I am working to add AF_VSOCK packet capture to Wireshark so that users can troubleshoot and analyze guest<->host traffic.  The AF_VSOCK packet capture format is described here:
http://lists.sandelman.ca/pipermail/tcpdump-workers/2017-May/000772.html

Once the feature lands upstream it will be possible to backport it to RHEL.

Comment 3 Stefan Hajnoczi 2017-07-17 14:51:12 UTC
The following patches are required from upstream:

$ git log --oneline epan/dissectors/packet-vsock.c
73d9550 vsock: add missing vsockmon header reserved field
41415aa vsock: add WTAP_ENCAP_VSOCK constant
e2f36ef vsock: Fix Dead Store (Dead assignement/Dead increment) Warning found by Clang
55069da Add vSocket dissector

Comment 4 Stefan Hajnoczi 2017-07-17 14:55 UTC
Created attachment 1299894 [details]
Example AF_VSOCK packet capture file

I have attached an example AF_VSOCK packet capture file.  Use this to test the Wireshark dissector.

Upon opening the file in Wireshark you should see the following Op: RW frames (among other frames):

No 3, 3->host, Payload: Hello\n
No 5, 3->host, Payload: World\n
No 7, host->3, Payload: Hi :-)\n

Comment 18 Stefan Hajnoczi 2018-06-20 16:14 UTC
Created attachment 1453246 [details]
Packet capture taken using tshark

Comment 19 Stefan Hajnoczi 2018-06-20 16:14:55 UTC
(In reply to Michal Ruprich from comment #17)
> (In reply to Stefan Hajnoczi from comment #3)
> > The following patches are required from upstream:
> > 
> > $ git log --oneline epan/dissectors/packet-vsock.c
> > 73d9550 vsock: add missing vsockmon header reserved field
> > 41415aa vsock: add WTAP_ENCAP_VSOCK constant
> > e2f36ef vsock: Fix Dead Store (Dead assignement/Dead increment) Warning
> > found by Clang
> > 55069da Add vSocket dissector
> 
> I created a patch from these commits but it needed some more work, because a
> lot of functions are either missing or are a bit different. 
> 
> Stefan, the output of tshark now looks good but I am concerned with
> capturing. Do you have the means to use this older package and try to
> capture some vsock communication with it? Then try to print it out?
> 
> Here is a scratch build:
> https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=16766863

Tested-by: Stefan Hajnoczi <stefanha@redhat.com>

I ran it inside a RHEL 7.5 guest:

  # ip link add vsockmon0 type vsockmon
  # ip link set vsockmon0 up
  # tshark -w /tmp/vsock.pcapng -i vsockmon0

I've attached the pcap file.  It contains a single SOCK_STREAM connection where "Hello" and "world" were sent between the server and client.

tshark printed the conversation correctly:

  1 0.000000000            3 -> host         vSocket 76 [Connect] Virtio: Stream, Op: Request, Buf alloc: 262144, Fwd cnt: 0
  2 0.000107936         host -> 3            vSocket 76 [Connect] Virtio: Stream, Op: Response, Buf alloc: 262144, Fwd cnt: 0
  3 2.799236146            3 -> host         vSocket 82 [Payload] Virtio: Stream, Op: RW, Buf alloc: 262144, Fwd cnt: 0
  4 2.799666678         host -> 3            vSocket 76 [Control] Virtio: Stream, Op: Credit update, Buf alloc: 262144, Fwd cnt: 6
  5 4.949114581         host -> 3            vSocket 82 [Payload] Virtio: Stream, Op: RW, Buf alloc: 262144, Fwd cnt: 6
  6 4.949296138            3 -> host         vSocket 76 [Control] Virtio: Stream, Op: Credit update, Buf alloc: 262144, Fwd cnt: 6
  7 9.149629676            3 -> host         vSocket 76 [Disconnect] Virtio: Stream, Op: Shutdown, Buf alloc: 262144, Fwd cnt: 6
  8 9.149849352         host -> 3            vSocket 76 [Disconnect] Virtio: Stream, Op: Rst, Buf alloc: 262144, Fwd cnt: 6
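
A way to sanity-check a capture like the one in comment 19 without reading it by eye, as an added example that is not part of the original comment or of Wireshark: it parses the tshark summary lines and checks the handshake order and the Fwd cnt credit accounting. The function names are hypothetical, and it assumes the text holds a single connection and that the shortest frame is header-only.

```python
import re

# tshark summary lines copied from comment 19 (one SOCK_STREAM connection).
SAMPLE = """\
  1 0.000000000            3 -> host         vSocket 76 [Connect] Virtio: Stream, Op: Request, Buf alloc: 262144, Fwd cnt: 0
  2 0.000107936         host -> 3            vSocket 76 [Connect] Virtio: Stream, Op: Response, Buf alloc: 262144, Fwd cnt: 0
  3 2.799236146            3 -> host         vSocket 82 [Payload] Virtio: Stream, Op: RW, Buf alloc: 262144, Fwd cnt: 0
  4 2.799666678         host -> 3            vSocket 76 [Control] Virtio: Stream, Op: Credit update, Buf alloc: 262144, Fwd cnt: 6
  5 4.949114581         host -> 3            vSocket 82 [Payload] Virtio: Stream, Op: RW, Buf alloc: 262144, Fwd cnt: 6
  6 4.949296138            3 -> host         vSocket 76 [Control] Virtio: Stream, Op: Credit update, Buf alloc: 262144, Fwd cnt: 6
  7 9.149629676            3 -> host         vSocket 76 [Disconnect] Virtio: Stream, Op: Shutdown, Buf alloc: 262144, Fwd cnt: 6
  8 9.149849352         host -> 3            vSocket 76 [Disconnect] Virtio: Stream, Op: Rst, Buf alloc: 262144, Fwd cnt: 6
"""

LINE = re.compile(
    r"^\s*(?P<no>\d+)\s+[\d.]+\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+vSocket\s+(?P<len>\d+)"
    r"\s+\[\w+\]\s+Virtio:\s+\w+,\s+Op:\s+(?P<op>[^,]+),"
    r"\s+Buf alloc:\s+(?P<buf>\d+),\s+Fwd cnt:\s+(?P<fwd>\d+)\s*$")

def parse(text):
    """Turn vSocket summary lines into dicts; lines that do not match are skipped."""
    frames = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        f = m.groupdict()
        f.update({k: int(f[k]) for k in ("no", "len", "buf", "fwd")})
        frames.append(f)
    return frames

def check_stream(frames):
    """Return (findings, payload bytes sent to each peer); no findings = consistent."""
    if not frames:
        return ["no vSocket frames parsed"], {}
    findings = []
    if [f["op"] for f in frames[:2]] != ["Request", "Response"]:
        findings.append("stream does not open with Request/Response")
    # Assumption: the shortest frame is header-only, so len - hdr is the payload size.
    hdr = min(f["len"] for f in frames)
    sent_to = {}  # peer CID -> payload bytes sent to it so far
    for f in frames:
        got = sent_to.get(f["src"], 0)
        # Fwd cnt is the sender's running count of received bytes it has consumed.
        if f["fwd"] > got:
            findings.append(f"frame {f['no']}: {f['src']} reports Fwd cnt {f['fwd']}, was sent {got}")
        if f["op"] == "RW":
            sent_to[f["dst"]] = sent_to.get(f["dst"], 0) + f["len"] - hdr
    return findings, sent_to

if __name__ == "__main__":
    print(check_stream(parse(SAMPLE)))
```

On the capture above it reports no findings and 6 payload bytes in each direction, which matches the Fwd cnt of 6 that each side advertises after the peer's RW frame.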

Comment 27 errata-xmlrpc 2018-10-30 09:35:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3089

