Packetbeat 5.4.0 can't sniff tun device - raw ip datalink

Elastic Stack Beats
1

VPN softwares like OpenVPN create on linux "tun devices", a network device that represents the network tunnel and presents directly IP frames (without datalink) to the operative system.
Tun devices are preferred than TAP in all context you don't require / don't want to bridge the client network connection, it's a simple and default configuration.

If you want to analyse traffic of vpn users the suggested configuration is sniff directly from this interface and not from output interface (eg. ethernet) because you want to have metadata (eg. source ip) before NAT.

All libpcap according man pcap-linktype (eg. tcpdump) based solution support this configuration because the data link is detected as:
DLT_RAW; LINKTYPE_RAW=101 raw IP; the packet begins with an IP header.

This type seems not supported yet by packetbeat (5.4.0) because if you select a sniffer.config.Type "af_packet" the following code:
sniffer.go func (sniffer *SnifferSetup) Datalink() layers.LinkType { if sniffer.config.Type == "pcap" { return sniffer.pcapHandle.LinkType() } return layers.LinkTypeEthernet }
will silently select a LinkTypeEthernet dissector while in this case the datalink is not present; The software will start but isn't able to decode anything.

if you choose instead sniffer.config.Type "pcap" packetbeat will fail on startup because decoder.go doesn't handle properly gopacket/layers/enum.go:LinkTypeRaw / layers.LayerTypeRaw
decoder.go switch datalink { case layers.LinkTypeLinuxSLL: d.linkLayerDecoder = &d.sll d.linkLayerType = layers.LayerTypeLinuxSLL case layers.LinkTypeEthernet: d.linkLayerDecoder = &d.eth d.linkLayerType = layers.LayerTypeEthernet case layers.LinkTypeNull: // loopback on OSx d.linkLayerDecoder = &d.lo d.linkLayerType = layers.LayerTypeLoopback default: return nil, fmt.Errorf("Unsupported link type: %s", datalink.String()) }

Can you add support for tun / datatyperaw interfaces ?

2

Hi @Giacomo_Milani,

This is an interesting use case, I think it would make sense to open a feature request in github: https://github.com/elastic/beats/issues/new

BTW, what's your output running: packetbeat -devices

3

I'll open the feature request on github. packetbeat -devices crashes (sorry i forgot to mention that).

root@ XXXXXX # packetbeat.sh -devices
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x7c6bc6]

goroutine 1 [running]:
panic(0xad3d00, 0xc420010080)
	/usr/local/go/src/runtime/panic.go:500 +0x1a1
github.com/elastic/beats/vendor/github.com/tsg/gopacket/pcap.sockaddr_to_IP(0x0, 0x0, 0x1, 0xc42119bec0, 0x0, 0x1)
	/go/src/github.com/elastic/beats/vendor/github.com/tsg/gopacket/pcap/pcap.go:562 +0x26
github.com/elastic/beats/vendor/github.com/tsg/gopacket/pcap.findalladdresses(0x2d22770, 0x0, 0x0, 0x2)
	/go/src/github.com/elastic/beats/vendor/github.com/tsg/gopacket/pcap/pcap.go:548 +0xb1
github.com/elastic/beats/vendor/github.com/tsg/gopacket/pcap.FindAllDevs(0xc42000e1c0, 0x4, 0x4, 0x0, 0x0)
	/go/src/github.com/elastic/beats/vendor/github.com/tsg/gopacket/pcap/pcap.go:534 +0x297
github.com/elastic/beats/packetbeat/sniffer.ListDeviceNames(0xba0101, 0xc420045be8, 0x4d311b, 0xba20e0, 0x6, 0xc420072700)
	/go/src/github.com/elastic/beats/packetbeat/sniffer/sniffer.go:81 +0x52
github.com/elastic/beats/packetbeat/beater.init.1.func1(0xc42119e300, 0x0, 0x0)
	/go/src/github.com/elastic/beats/packetbeat/beater/devices.go:21 +0x49
github.com/elastic/beats/libbeat/beat.FlagsHandlerCallback.HandleFlags(0xc421195cf0, 0xc42119e300, 0x0, 0x0)
	/go/src/github.com/elastic/beats/libbeat/beat/flags.go:35 +0x30
github.com/elastic/beats/libbeat/beat.handleFlags(0xc42119e300, 0x0, 0x0)
	/go/src/github.com/elastic/beats/libbeat/beat/flags.go:26 +0x60
github.com/elastic/beats/libbeat/beat.(*Beat).handleFlags(0xc42119e300, 0x2d, 0x0)
	/go/src/github.com/elastic/beats/libbeat/beat/beat.go:252 +0x324
github.com/elastic/beats/libbeat/beat.(*Beat).launch(0xc42119e300, 0xc1d980, 0x0, 0x0)
	/go/src/github.com/elastic/beats/libbeat/beat/beat.go:158 +0x5b
github.com/elastic/beats/libbeat/beat.Run(0xbac06f, 0xa, 0x0, 0x0, 0xc1d980, 0xc420045f90, 0xc4200001a0)
	/go/src/github.com/elastic/beats/libbeat/beat/beat.go:141 +0x65
main.main()
	/go/src/github.com/elastic/beats/packetbeat/main.go:17 +0x57

root@XXXXXX:/etc/packetbeat# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 06:c4:6f:XX:XX:XX
          inet addr:10.10.2.XX  Bcast:10.10.2.191  Mask:255.255.255.192
          inet6 addr: fe80::4c4:6fff:fecb:XXXX/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
          RX packets:469955748 errors:0 dropped:0 overruns:0 frame:0
          TX packets:382726330 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:328336672660 (305.7 GiB)  TX bytes:350922021344 (326.8 GiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:280217344 errors:0 dropped:0 overruns:0 frame:0
          TX packets:280217344 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:338568465017 (315.3 GiB)  TX bytes:338568465017 (315.3 GiB)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.21.1.1  P-t-P:172.21.1.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:33592728 errors:0 dropped:0 overruns:0 frame:0
          TX packets:53547887 errors:0 dropped:29756 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:11222536480 (10.4 GiB)  TX bytes:54688548072 (50.9 GiB)

root@ XXXXXX :/etc/packetbeat# packetbeat.sh --version
packetbeat version 5.4.0 (amd64), libbeat 5.4.0
root@ XXXXXX:/etc/packetbeat# uname -a
Linux XXXXXX 3.16.0-4-amd64 #1 SMP Debian XXXXXXXX  x86_64 GNU/Linux
4

Ok, I understand it's part of the same problem (most likely), could you please add these details too?

5

Done: https://github.com/elastic/beats/issues/4426

1 Like
6

thank you for reporting it!

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.