tvsanthoshkumar changed the title from "Will xdpcap works for IP-in-IP tunneled packets?" to "xdpcap is not working for IP-in-IP tunneled packets. Need help to capture these packets" on Jul 26, 2020
xdpcap matches the "final" packet, so the filter needs to match IP in IP packets. Unfortunately, I'm not sure tcpdump / libpcap support this (full syntax is https://www.tcpdump.org/manpages/pcap-filter.7.html).
The simplest solution is to not specify a filter; all packets will be captured.
If you want to use a filter, you can use the bpfoff tool in this repo. bpfoff takes a "normal" tcpdump filter, and applies it using a fixed offset. For example, assuming the inner IPv4 packet starts at byte 34 (14 for ethernet + 20 for outer IPv4), you could capture all packets to UDP port 53:
sudo xdpcap /bpffs/mymap out.pcap $(bpfoff 34 "ip and udp port 53")
If the offset of the inner IPv4 packet is variable, or you also want to capture non-encapsulated packets, you can specify several offsets. For example, to capture regular (offset 14 for ethernet) and encapsulated (34 as before) packets:
sudo xdpcap /bpffs/mymap out.pcap $(bpfoff 14,34 "ip and udp port 53")
We use this to capture our IP in UDP encapsulated packets. This isn't very well documented, let me know if you have any questions!
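Added example (not part of the original thread and not xdpcap's or bpfoff's code): a Python script that works out which offsets to pass to bpfoff by walking sample frames, showing that 34 only holds when the outer IPv4 header carries no options and the frame has no VLAN tag. The function names, frame builders and addresses are assumptions constructed for illustration.

```python
import struct

ETH_LEN, ETHERTYPE_IPV4, ETHERTYPE_VLAN, IPPROTO_IPIP = 14, 0x0800, 0x8100, 4

def filter_offset(frame: bytes):
    """Offset of the IPv4 header a filter should see: the inner header for
    IP-in-IP frames, the only header otherwise. None if not IPv4 or truncated."""
    if len(frame) < ETH_LEN:
        return None
    off = ETH_LEN
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    while ethertype == ETHERTYPE_VLAN:  # each 802.1Q tag shifts everything by 4
        if len(frame) < off + 4:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, off + 2)
        off += 4
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4  # outer header length: 20 bytes, more with options
    if frame[off] >> 4 != 4 or ihl < 20:
        return None
    if frame[off + 9] != IPPROTO_IPIP:  # protocol field: not encapsulated
        return off
    inner = off + ihl
    if len(frame) < inner + 20 or frame[inner] >> 4 != 4:
        return None
    return inner

def bpfoff_offsets(frames) -> str:
    """Distinct offsets found in the sample, comma-separated as bpfoff takes them."""
    return ",".join(str(o) for o in sorted({filter_offset(f) for f in frames} - {None}))

# --- constructed sample frames (documentation addresses, checksums left at 0) ---
def ipv4(proto: int, payload: bytes, options: bytes = b"") -> bytes:
    hlen = 20 + len(options)
    return struct.pack("!BBHHHBBH4s4s", 0x40 | hlen // 4, 0, hlen + len(payload), 0, 0,
                       64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])) + options + payload

ETH = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
UDP_DNS = struct.pack("!HHHH", 40000, 53, 8, 0)          # UDP header, dst port 53
PLAIN = ETH + ipv4(17, UDP_DNS)                           # no tunnel
IPIP = ETH + ipv4(4, ipv4(17, UDP_DNS))                   # 20-byte outer header
IPIP_OPTS = ETH + ipv4(4, ipv4(17, UDP_DNS), bytes(4))    # outer header with 4 option bytes

if __name__ == "__main__":
    print(bpfoff_offsets([PLAIN, IPIP, IPIP_OPTS]))
```

The resulting string is what would go in the first argument to bpfoff in the commands above.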
Thanks @arthurfabre for the quick reply. I will try this tool and get back to you with the updates.
tvsanthoshkumar changed the title from "xdpcap is not working for IP-in-IP tunneled packets. Need help to capture these packets" to "xdpcap support for IP-in-IP tunneled packets." on Jul 27, 2020
Hi,
Summary: I am trying to use xdpcap to capture packets which have an additional IP-in-IP header. I couldn't capture the packets with xdpcap.
Issue:
The packet structure is as follows:
eth header + ip-ip tunnel header + ip header + tcp/udp header + data
Setup:
Source machine -> Proxy server (where xdpcap runs) -> destination
I am doing some processing in the proxy server and applying XDP_TX to the data. I want to trace this data.
Can you suggest how to capture the packets?