google / stenographer

Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. Discussion/announcements at stenographer@googlegroups.com
Apache License 2.0

VLAN tags #211

Open hosom opened 5 years ago

hosom commented 5 years ago

When Stenographer records traffic, it appears to strip the outermost VLAN tag. I don't know if I would consider this a bug, but I definitely wasn't expecting this. I am aware of several environments that use QinQ tagging to signal which taps traffic is coming from and it would be convenient to make this a configurable setting.

aeppert commented 5 years ago

> When Stenographer records traffic, it appears to strip the outermost VLAN tag. I don't know if I would consider this a bug, but I definitely wasn't expecting this. I am aware of several environments that use QinQ tagging to signal which taps traffic is coming from and it would be convenient to make this a configurable setting.

I am assuming this is due to Stenographer using AF_PACKET. The VLAN tags are stripped at a lower layer and, unfortunately with my work on a few other things using AF_PACKET, it isn’t trivial to put them back together. It is possible, but with a decent performance impact as they have to be, per packet, re-applied. It is, perhaps, possible and may make sense to maintain a small state-store that could be built over time and thus the performance penalties would smooth over the running time of stenographer.
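
The per-packet re-application described in the comment above, as an added example that is not part of the thread and is not Stenographer's code: it copies a frame and puts the stripped outer tag back after the MAC addresses. The function names, the sample frame and the VLAN IDs (outer 10 as the tap marker, inner 100) are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ADDRS_LEN 12 /* destination MAC + source MAC */
#define VLAN_TAG_LEN   4 /* 2-byte TPID + 2-byte TCI */

/* Rebuild a frame with the stripped outer tag re-inserted after the MACs.
 * tpid/tci are the values the capture API reports out of band (on
 * TPACKET_V2/V3 rings: tp_vlan_tpid / tp_vlan_tci, meaningful when
 * TP_STATUS_VLAN_VALID is set in tp_status).
 * Returns the new length, or 0 if the frame is too short or out is too small. */
size_t reinsert_vlan(const uint8_t *frame, size_t len, uint16_t tpid,
                     uint16_t tci, uint8_t *out, size_t outcap)
{
    if (len < ETH_ADDRS_LEN + 2 || outcap < len + VLAN_TAG_LEN)
        return 0;
    memcpy(out, frame, ETH_ADDRS_LEN);
    out[12] = (uint8_t)(tpid >> 8);  /* tag fields are in network byte order */
    out[13] = (uint8_t)(tpid & 0xff);
    out[14] = (uint8_t)(tci >> 8);
    out[15] = (uint8_t)(tci & 0xff);
    /* The rest (inner tag, EtherType, payload) shifts back by four bytes;
     * this copy is the per-packet cost. */
    memcpy(out + 16, frame + ETH_ADDRS_LEN, len - ETH_ADDRS_LEN);
    return len + VLAN_TAG_LEN;
}

/* VLAN ID (low 12 bits of the TCI) of the tag whose TPID starts at off. */
uint16_t vlan_id_at(const uint8_t *buf, size_t off)
{
    return (uint16_t)(((buf[off + 2] << 8) | buf[off + 3]) & 0x0fff);
}

/* Constructed QinQ frame as delivered with the outer tag already stripped:
 * MACs, inner 802.1Q tag (VLAN 100), EtherType IPv4, 4 payload bytes. */
const uint8_t SAMPLE[] = {
    0x02, 0, 0, 0, 0, 0x01,  0x02, 0, 0, 0, 0, 0x02,
    0x81, 0x00, 0x00, 0x64,  0x08, 0x00,  0x45, 0x00, 0x00, 0x14 };
uint8_t OUT[64];

int main(void)
{
    /* Constructed out-of-band values: TPID 0x88a8 (802.1ad), VLAN 10. */
    size_t n = reinsert_vlan(SAMPLE, sizeof SAMPLE, 0x88a8, 0x000a, OUT, sizeof OUT);
    printf("len %zu -> %zu, outer VLAN %u, inner VLAN %u\n", sizeof SAMPLE, n,
           (unsigned)vlan_id_at(OUT, 12), (unsigned)vlan_id_at(OUT, 16));
    return 0;
}
```
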

capton586 commented 3 years ago

Is there any way to avoid this issue?

satta commented 3 years ago

Maybe disabling the NIC's VLAN offloading could help, so the VLAN tags make it into AF_PACKET?

sudo ethtool -K <interface> rxvlan off