UNetLab: Wireshark rpcap to capture traffic on all networks simultaneously

We all know that moment when you’re doing your lab and for learning/troubleshooting purposes you wish you had an option to capture the traffic on all networks in your lab in a convenient way. As of this writing, UNetLab latest release version is 1.0.0-10 and so far UNetLab developers haven’t released an official feature that allows the users to capture traffic on all network interfaces simultaneously. If you need to capture traffic using UNetLab GUI, you have the option to select only one network, which will result in firing up one Wireshark instance. So, if you need to capture traffic on all network simultaneously and pipe directly to Wireshark you’re out of luck and instead, you’ll have to fire up several instances of Wireshark, which isn’t practical because of the number of windows you’ll have to deal with. To remedy this situation, I’m going to show you how you can setup rpcap on UNetLab so you can specify from you client machine what networks you need to capture simultaneously in only one Wireshark window.

In order to accomplish this, in summary, we’ll have to:

  1. Download rpcapd-linux from Github and build its dependencies.
  2. Compile rpcapd-linux
  3. Run rpcapd
  4. Setup rpcapd as a daemon (optional, but recommended step)

Lastly, we’ll need to understand how UNetLab maps bridge networks on Linux interfaces and then fire up Wireshark to capture on all network we’re interested in capturing simultaneously.

Downloading rpcapd-linux

First, you have to SSH into your UNetLab virtual machine and apply these commands:

1
2
3
4
5
6
7
8
9
10
# I'm going to install rpcapd on /root/apps
cd
mkdir apps
cd apps/
wget https://github.com/frgtn/rpcapd-linux/archive/master.zip
unzip master.zip
rm master.zip
# apt-get build and libpcap to compile rpcapd
apt-get build-dep libpcap

Compiling rpcapd-linux

If you’ve come thus far successfully, you’re ready to compile. Now just cd to this directory and apply these commands:

1
2
3
4
cd rpcapd-linux-master/libpcap/
./configure && make
cd ../
make

If everything went well, your files should look like this:

1
2
3
4
root@unl:~/apps/rpcapd-linux-master# ls
daemon.c fileconf.c libpcap pcap-remote.o rpcapd rpcapd.o utils.h
daemon.h fileconf.h Makefile README.md rpcapd.c sockutils.o utils.o
daemon.o fileconf.o pcap-new.o resource.h rpcapd.h utils.c

Running rpcapd

In order to run rpcapd:

1
root@unl:~/apps/rpcapd-linux-master# ./rpcapd -4 -n -p 2002

In short, what we just did was to enable rpcapd to listen on port 2002 with IPv4 at Layer 3. Also, null authentication was used for simplicity’s sake because in my lab environment security isn’t not a concern. To verify that rpcapd is running, you can check if the socket is listening on this port:

1
2
3
4
# Verifying the TCP socket is listening on port 2002
root@unl:~# netstat -an | grep 2002
tcp 0 0 0.0.0.0:2002 0.0.0.0:* LISTEN
root@unl:~#

You can find out more about rpcapd options by consulting the help menu:

1
root@unl01:~/apps/rpcapd-linux-master# ./rpcapd -h

Setting up rpcapd as a daemon

For convenience’s sake, I’ll setup rpcapd as a daemon so I’ll always have this service enable whenever UNetLab virtual machine starts. This step is optional, but I highly recommend you to add this line on your /etc/rc.local (before the exit 0 line):

1
./root/apps/rpcapd-linux-master/rpcapd -4 -d -n -p 2002

From now on, you won’t have to worry about initializing rpcap manually anymore:

1
2
3
4
5
6
7
8
root@unl01:~# netstat -an | grep 2002
warning, got bogus unix line.
tcp 0 0 0.0.0.0:2002 0.0.0.0:* LISTEN
root@unl:~# ps -aux | grep rpcap
root 3636 0.0 0.0 1852 72 ? S 21:04 0:00 ./root/apps/rpcapd-linux-master/rpcapd -4 -d -n -p 2002
root 3637 0.0 0.0 1852 72 ? S 21:04 0:00 ./root/apps/rpcapd-linux-master/rpcapd -4 -d -n -p 2002
root 4010 0.0 0.0 10468 2072 pts/0 S+ 21:05 0:00 grep --color=auto rpcap
root@unl:~#

UNetLab bridge interfaces mapping

As far as I understand, whenever you create a bridge network on your lab on UNetLab, this network segment will be mapped on Linux as an interface named vnet0_<ID>, where ID is the network bridge identifier that is automatically assigned when you’re building your topology on UNetLab GUI. For instance, let’s analyze this topology in Figure 1.

phy_topology

If you click on the “Networks” button on UNetLab GUI, you’ll see that all of the networks segments in Figure 1 has an ID:

network_id

To help you visualize this, I put these IDs as labels in Figure 1. For example, the network segment named PE1_TO_PE2 has ID = 1. Note that although the IDs are expected to be numbered sequentially, if you delete network segments you’ll have a gap of IDs. For example, because I deleted some segments when I was doing this lab the other day, both IDs 6 and 4 aren’t being used anymore. Anyway though, since my entire topology is made of 8 network segments I have 8 IDs as expected: 1, 2, 3, 5, 7, 8, 9, 10. With that being said, if you need to capture traffic on all segments or a subset of these segments, these are the IDs that will have to select on Wireshark.

Capturing traffic on Wireshark with rpcap

Now that the UNetLab virtual machine is running rpcap and we understand how the underlying Linux network interfaces are mapped to our lab network interfaces, we can start Wireshark on the client PC. The first step is to fire up Wireshark, click on Capture Options as depicted in Figure 3. Next, you’ll have to click on Manage Interfaces, which can be found on the input tab.

As soon as you open up the Manage Interfaces, you’ll have the option to specify your rpcap server, in the remote interfaces tab by pressing the button named Add remote host, which is the IP address of the UNetLab virtual machine. Remember that the authentication was set as null and the port rpcapd is listening is 2002.

adding_rpcap_server

If you have L3 reachability to UNetLab virtual machine and the rpcap service is enabled you should be able to see all the Linux network interfaces as illustrated in Figure 4.

remote_interfaces

Simply add all of these interfaces for now, it’s easier to filter out unwanted interfaces later on. Next, before starting the capture, we’ll be able to select just the vnet0_IDs interfaces that we’re interested in. It’s easier to find all the vnet0_* networks if you sort out the interface by their names, just click on the
Interface column to sort them. Finally, hit the start button to start the capture on the vnet0 interfaces you’re interested and enjoy! As you can see in Figure 5, I selected all the 8 IDs as we saw in Figure 1 and 2 to capture traffic on all interfaces of this topology.

sorted_remote_interfaces

Good! You’re ready to capture whatever traffic you want in these set of interfaces and enjoy your lab on UNetLab. Plus, here one of the coolest feature that I find about rpcap, it always tags the interface name where the packet was captured. For instance, in Figure 6, the ARP packet was captured on “Interface 5”, which actually is rpcap://unl.vm:2002/vnet0_2, so you know that this packet was captured on vnet0_2. This information is really handy when you need to narrow down your filters on wireshark because you’re dealing with an all interfaces capture. Of course, you could use other filters like VLAN IDs, MAC addresses and so on, but this option is quite helpful and sometimes more practical to use.

traffic_being_captured

That’s it! Before we finish, I’d like to give a massive thank you to Andrea Dainese and his team for developing this amazing networking tool. I really wish in the upcoming releases we had this feature already builtin on UNetLab GUI, so we could easily specify if we’d like to capture traffic on more than one interface simultaneously in just one Wireshark window. Meanwhile, I’ll continue to use rpcap. I hope this information is valuable to you guys!