Packetbeat 5.4.0 can't sniff tun device - raw ip datalink

Giacomo_Milani · May 31, 2017, 9:54am

VPN softwares like OpenVPN create on linux "tun devices", a network device that represents the network tunnel and presents directly IP frames (without datalink) to the operative system.
Tun devices are preferred than TAP in all context you don't require / don't want to bridge the client network connection, it's a simple and default configuration.

If you want to analyse traffic of vpn users the suggested configuration is sniff directly from this interface and not from output interface (eg. ethernet) because you want to have metadata (eg. source ip) before NAT.

All libpcap according man pcap-linktype (eg. tcpdump) based solution support this configuration because the data link is detected as:
DLT_RAW; LINKTYPE_RAW=101 raw IP; the packet begins with an IP header.

This type seems not supported yet by packetbeat (5.4.0) because if you select a sniffer.config.Type "af_packet" the following code:
sniffer.go func (sniffer *SnifferSetup) Datalink() layers.LinkType { if sniffer.config.Type == "pcap" { return sniffer.pcapHandle.LinkType() } return layers.LinkTypeEthernet }
will silently select a LinkTypeEthernet dissector while in this case the datalink is not present; The software will start but isn't able to decode anything.

if you choose instead sniffer.config.Type "pcap" packetbeat will fail on startup because decoder.go doesn't handle properly gopacket/layers/enum.go:LinkTypeRaw / layers.LayerTypeRaw
decoder.go switch datalink { case layers.LinkTypeLinuxSLL: d.linkLayerDecoder = &d.sll d.linkLayerType = layers.LayerTypeLinuxSLL case layers.LinkTypeEthernet: d.linkLayerDecoder = &d.eth d.linkLayerType = layers.LayerTypeEthernet case layers.LinkTypeNull: // loopback on OSx d.linkLayerDecoder = &d.lo d.linkLayerType = layers.LayerTypeLoopback default: return nil, fmt.Errorf("Unsupported link type: %s", datalink.String()) }

Can you add support for tun / datatyperaw interfaces ?

exekias · May 31, 2017, 9:58am

Hi @Giacomo_Milani,

This is an interesting use case, I think it would make sense to open a feature request in github: https://github.com/elastic/beats/issues/new

BTW, what's your output running: packetbeat -devices

Giacomo_Milani · May 31, 2017, 10:56am

I'll open the feature request on github. packetbeat -devices crashes (sorry i forgot to mention that).

root@ XXXXXX # packetbeat.sh -devices
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x7c6bc6]

goroutine 1 [running]:
panic(0xad3d00, 0xc420010080)
	/usr/local/go/src/runtime/panic.go:500 +0x1a1
github.com/elastic/beats/vendor/github.com/tsg/gopacket/pcap.sockaddr_to_IP(0x0, 0x0, 0x1, 0xc42119bec0, 0x0, 0x1)
	/go/src/github.com/elastic/beats/vendor/github.com/tsg/gopacket/pcap/pcap.go:562 +0x26
github.com/elastic/beats/vendor/github.com/tsg/gopacket/pcap.findalladdresses(0x2d22770, 0x0, 0x0, 0x2)
	/go/src/github.com/elastic/beats/vendor/github.com/tsg/gopacket/pcap/pcap.go:548 +0xb1
github.com/elastic/beats/vendor/github.com/tsg/gopacket/pcap.FindAllDevs(0xc42000e1c0, 0x4, 0x4, 0x0, 0x0)
	/go/src/github.com/elastic/beats/vendor/github.com/tsg/gopacket/pcap/pcap.go:534 +0x297
github.com/elastic/beats/packetbeat/sniffer.ListDeviceNames(0xba0101, 0xc420045be8, 0x4d311b, 0xba20e0, 0x6, 0xc420072700)
	/go/src/github.com/elastic/beats/packetbeat/sniffer/sniffer.go:81 +0x52
github.com/elastic/beats/packetbeat/beater.init.1.func1(0xc42119e300, 0x0, 0x0)
	/go/src/github.com/elastic/beats/packetbeat/beater/devices.go:21 +0x49
github.com/elastic/beats/libbeat/beat.FlagsHandlerCallback.HandleFlags(0xc421195cf0, 0xc42119e300, 0x0, 0x0)
	/go/src/github.com/elastic/beats/libbeat/beat/flags.go:35 +0x30
github.com/elastic/beats/libbeat/beat.handleFlags(0xc42119e300, 0x0, 0x0)
	/go/src/github.com/elastic/beats/libbeat/beat/flags.go:26 +0x60
github.com/elastic/beats/libbeat/beat.(*Beat).handleFlags(0xc42119e300, 0x2d, 0x0)
	/go/src/github.com/elastic/beats/libbeat/beat/beat.go:252 +0x324
github.com/elastic/beats/libbeat/beat.(*Beat).launch(0xc42119e300, 0xc1d980, 0x0, 0x0)
	/go/src/github.com/elastic/beats/libbeat/beat/beat.go:158 +0x5b
github.com/elastic/beats/libbeat/beat.Run(0xbac06f, 0xa, 0x0, 0x0, 0xc1d980, 0xc420045f90, 0xc4200001a0)
	/go/src/github.com/elastic/beats/libbeat/beat/beat.go:141 +0x65
main.main()
	/go/src/github.com/elastic/beats/packetbeat/main.go:17 +0x57

root@XXXXXX:/etc/packetbeat# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 06:c4:6f:XX:XX:XX
          inet addr:10.10.2.XX  Bcast:10.10.2.191  Mask:255.255.255.192
          inet6 addr: fe80::4c4:6fff:fecb:XXXX/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
          RX packets:469955748 errors:0 dropped:0 overruns:0 frame:0
          TX packets:382726330 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:328336672660 (305.7 GiB)  TX bytes:350922021344 (326.8 GiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:280217344 errors:0 dropped:0 overruns:0 frame:0
          TX packets:280217344 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:338568465017 (315.3 GiB)  TX bytes:338568465017 (315.3 GiB)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.21.1.1  P-t-P:172.21.1.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:33592728 errors:0 dropped:0 overruns:0 frame:0
          TX packets:53547887 errors:0 dropped:29756 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:11222536480 (10.4 GiB)  TX bytes:54688548072 (50.9 GiB)

root@ XXXXXX :/etc/packetbeat# packetbeat.sh --version
packetbeat version 5.4.0 (amd64), libbeat 5.4.0
root@ XXXXXX:/etc/packetbeat# uname -a
Linux XXXXXX 3.16.0-4-amd64 #1 SMP Debian XXXXXXXX  x86_64 GNU/Linux

exekias · May 31, 2017, 11:07am

Ok, I understand it's part of the same problem (most likely), could you please add these details too?

Giacomo_Milani · May 31, 2017, 11:25am

Done: https://github.com/elastic/beats/issues/4426

exekias · May 31, 2017, 11:28am

thank you for reporting it!

system · June 28, 2017, 11:28am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Packetbeat Exiting: Sniffer main loop failed: Unsupported link type: UnknownLinkType(12) Beats packetbeat	3	1407	December 6, 2018
Using packetbeat with macos/ios remote virutal interface Beats packetbeat	6	594	August 19, 2019
Wireless LAN: Unsupported link type Beats packetbeat	4	1021	July 6, 2017
PCAP data with Packetbeat Beats packetbeat	1	618	September 27, 2021
Support for TCP/UDP Unknown Packets Beats packetbeat	3	2233	July 5, 2017

Packetbeat 5.4.0 can't sniff tun device - raw ip datalink

Related topics