Index not working when traffic encapsulated in 802.1q trunk

Description

Hi All,

When I query the time machine index, I am not receiving any results.

I just restarted time machine, and checked one of the recent class files to see that there is traffic for a particular IP address.

tcpdump -e -v -n -r class_all_1385406639.023206 "vlan and host 128.138.44.198"

It shows some traffic, example:
19:11:00.571731632 10:8c:cf:57:46:00 > 00:1d:09:6a:d9:a9, ethertype 802.1Q (0x8100), length 70: vlan 987, p 0, ethertype IPv4, (tos 0x0, ttl 56, id 17482, offset 0, flags [none], proto TCP (6), length 52)
    128.138.44.198.54014 > 74.125.225.209.443: Flags [.], cksum 0x8d2c (correct), seq 1283940799:1283940800, ack 615539104, win 16311, length 1

When I telnet localhost 42042 and run the following command, I don't receive any results.

query to_file "128.138.44.198.pcap" index ip "128.138.44.198"

In the above tcpdump, you can see my traffic is 802.1Q trunked. I have to use the "vlan" BPF to extract it with tcpdump, and am wondering if the trunking is causing problems with indexing?

I tested the same version of time machine on non-trunked traffic, and the index works fine.

Let me know if you need any other configuration info.

Tyler
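The mismatch described above, as an added example (this is not time-machine's code; the function and struct names are my own): an indexer that reads the ethertype at byte 12 and expects 0x0800 sees 0x8100 on this trunk and never reaches the IP addresses, while one that first walks over the 802.1Q tag (and, going beyond the single-tagged case in the report, stacked 802.1ad/802.1Q tags) recovers them. The frame bytes are constructed from the tcpdump line above, headers only.

```c
#include <stdint.h>
#include <stddef.h>

#define ETH_P_IP     0x0800
#define ETH_P_8021Q  0x8100  /* 802.1Q VLAN tag */
#define ETH_P_8021AD 0x88A8  /* 802.1ad (QinQ) outer tag */

struct ip_key { uint32_t src, dst; uint16_t vlan; int tags; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }
/* Naive indexer: assumes IPv4 starts right after the 14-byte Ethernet header.
 * On a trunk the ethertype field holds 0x8100, so this returns -1 and the
 * packet never reaches the IP index. */
int parse_naive(const uint8_t *f, size_t n, struct ip_key *k) {
    if (n < 14 + 20 || rd16(f + 12) != ETH_P_IP) return -1;
    k->src = rd32(f + 26); k->dst = rd32(f + 30); k->vlan = 0; k->tags = 0;
    return 0;
}

/* VLAN-aware indexer: skip any number of 802.1Q/802.1ad tags (4 bytes each:
 * TPID + TCI), remembering the innermost VLAN ID (low 12 bits of the TCI). */
int parse_vlan_aware(const uint8_t *f, size_t n, struct ip_key *k) {
    size_t off = 12;                       /* offset of the ethertype field */
    uint16_t et;
    k->vlan = 0; k->tags = 0;
    if (n < off + 2) return -1;
    et = rd16(f + off);
    while (et == ETH_P_8021Q || et == ETH_P_8021AD) {
        if (n < off + 6) return -1;        /* truncated tag */
        k->vlan = rd16(f + off + 2) & 0x0fff;
        k->tags++;
        off += 4;
        et = rd16(f + off);
    }
    if (et != ETH_P_IP) return -1;
    off += 2;                              /* first byte of the IPv4 header */
    if (n < off + 20 || (f[off] >> 4) != 4) return -1;
    k->src = rd32(f + off + 12); k->dst = rd32(f + off + 16);
    return 0;
}

/* Constructed frame headers modelled on the tcpdump line in the report (VLAN 987,
 * 128.138.44.198 -> 74.125.225.209); TCP header/payload omitted, IP checksum zero. */
static const uint8_t sample_frame[] = {
    0x00,0x1d,0x09,0x6a,0xd9,0xa9, 0x10,0x8c,0xcf,0x57,0x46,0x00, /* dst MAC, src MAC */
    0x81,0x00, 0x03,0xdb,             /* TPID 802.1Q, TCI: priority 0, VLAN 987 */
    0x08,0x00,                        /* ethertype IPv4 */
    0x45,0x00, 0x00,0x34, 0x44,0x4a, 0x00,0x00, 0x38,0x06, 0x00,0x00, /* IPv4 hdr */
    0x80,0x8a,0x2c,0xc6, 0x4a,0x7d,0xe1,0xd1 };                  /* src, dst */
```

Running both parsers over the same trunked frame shows the naive one rejecting it and the VLAN-aware one returning VLAN 987 with the expected addresses, which is exactly the difference between an empty and a populated index for this traffic.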

Environment

Ubuntu 10.04, pf_ring

Activity

Marek Balint
March 20, 2014, 4:26 AM

Hi Tyler,
honestly I do not see any direct connection between these two problems, but I do not know time-machine very well - just had the same problem as you did, found it, fixed it and the fix works for me. I have created a pull request addressing your issue: https://github.com/bro/time-machine/pull/1

.mq.

Aashish Sharma
March 29, 2014, 6:35 AM

I have an intern coming in this summer dedicated to work on time-machine. I can have him look at this issue too.

tyler.schoenke
March 29, 2014, 10:18 AM

Cool, thanks Aashish.

Tyler

Marek Balint
April 10, 2014, 8:16 PM

Hi Tyler,
I have found one more problem with VLAN headers (solution is here: https://github.com/bro/time-machine/pull/3). It might or might not solve your problem, but it might be worth giving it a try...

.mq.

Aashish Sharma
December 17, 2016, 1:08 PM

This issue was resolved in topic/aashish/ipv6 in git://git.bro.org/time-machine - FYI

Assignee

Seth Hall

Reporter

tyler.schoenke

Labels

Affects versions

Priority

Normal