This example shows how to use a BPF program to parse packets across an
encapsulation boundary. It uses this ability to record inner+outer ip addresses
as well as vxlan id into a hash table. The entries in that table store bytes
and packets received/transmitted. One novel part of this program is its use of
bpf_tail_call
to parse two different IP headers (inner/outer) using the same
state machine logic.
Also part of this example is a simulation of a multi-host environment with an
overlay network (using vxlan in this case), and each host contains multiple
clients in different segments of the overlay network. The script traffic.sh
can be used to simulate a subset of clients on host0 talking to various other
clients+hosts at different traffic rates.
Once the simulation is running, the statistics kept by the BPF program can be displayed to give a visual clue as to the nature of the traffic flowing over the physical interface, post-encapsulation.
To get the example running, change into the examples/tunnel_monitor directory.
If this is the first time, run setup.sh
to pull in the UI component and
dependencies. You will need nodejs+npm installed on the system to run this, but
the setup script will only install packages in the local directory.
[user@localhost tunnel_monitor]$ ./setup.sh
Cloning into 'chord-transitions'...
remote: Counting objects: 294, done.
...
jquery#2.1.4 bower_components/jquery
modernizr#2.8.3 bower_components/modernizr
fastclick#1.0.6 bower_components/fastclick
[user@localhost tunnel_monitor]$
Then, start the simulation by running main.py:
[root@bcc-dev tunnel_monitor]# python main.py
Launching host 1 of 9
Launching host 2 of 9
...
Starting tunnel 8 of 9
Starting tunnel 9 of 9
HTTPServer listening on 0.0.0.0:8080
Press enter to quit:
The prompt will remain until you choose to exit. In the background, the script has started a python SimpleHTTPServer on port 8080, which you may now try to connect to from your browser. There will likely be a blank canvas until traffic is sent through the tunnels.
To simulate traffic, use the traffic.sh script to generate a distribution of pings between various clients and hosts. Check back on the chord diagram to see a visualization. Try clicking on a host IP address to see a breakdown of the inner IP addresses sent to/from that host.
As an exercise, try modifying the traffic.sh script to cause one of the clients to send much more traffic than the others, and use the chord diagram to identify the culprit.