We all know that moment when you’re doing your lab and for learning/troubleshooting purposes you wish you had an option to capture the traffic on all networks in your lab in a convenient way. As of this writing, UNetLab latest release version is 1.0.0-10 and so far UNetLab developers haven’t released an official feature that allows the users to capture traffic on all network interfaces simultaneously. If you need to capture traffic using UNetLab GUI, you have the option to select only one network, which will result in firing up one Wireshark instance. So, if you need to capture traffic on all network simultaneously and pipe directly to Wireshark you’re out of luck and instead, you’ll have to fire up several instances of Wireshark, which isn’t practical because of the number of windows you’ll have to deal with. To remedy this situation, I’m going to show you how you can setup rpcap on UNetLab so you can specify from you client machine what networks you need to capture simultaneously in only one Wireshark window.
In order to accomplish this, in summary, we’ll have to:
rpcapd-linuxfrom Github and build its dependencies.
rpcapdas a daemon (optional, but recommended step)
Lastly, we’ll need to understand how UNetLab maps bridge networks on Linux interfaces and then fire up Wireshark to capture on all network we’re interested in capturing simultaneously.
First, you have to SSH into your UNetLab virtual machine and apply these commands:
If you’ve come thus far successfully, you’re ready to compile. Now just cd to this directory and apply these commands:
If everything went well, your files should look like this:
In order to run
In short, what we just did was to enable
rpcapd to listen on port 2002 with IPv4 at Layer 3. Also, null authentication was used for simplicity’s sake because in my lab environment security isn’t not a concern. To verify that
rpcapd is running, you can check if the socket is listening on this port:
You can find out more about
rpcapd options by consulting the help menu:
For convenience’s sake, I’ll setup
rpcapd as a daemon so I’ll always have this service enable whenever UNetLab virtual machine starts. This step is optional, but I highly recommend you to add this line on your
/etc/rc.local (before the exit 0 line):
From now on, you won’t have to worry about initializing
rpcap manually anymore:
As far as I understand, whenever you create a bridge network on your lab on UNetLab, this network segment will be mapped on Linux as an interface named
vnet0_<ID>, where ID is the network bridge identifier that is automatically assigned when you’re building your topology on UNetLab GUI. For instance, let’s analyze this topology in Figure 1.
If you click on the “Networks” button on UNetLab GUI, you’ll see that all of the networks segments in Figure 1 has an ID:
To help you visualize this, I put these IDs as labels in Figure 1. For example, the network segment named
ID = 1. Note that although the IDs are expected to be numbered sequentially, if you delete network segments you’ll have a gap of IDs. For example, because I deleted some segments when I was doing this lab the other day, both IDs 6 and 4 aren’t being used anymore. Anyway though, since my entire topology is made of 8 network segments I have 8 IDs as expected: 1, 2, 3, 5, 7, 8, 9, 10. With that being said, if you need to capture traffic on all segments or a subset of these segments, these are the IDs that will have to select on Wireshark.
Now that the UNetLab virtual machine is running
rpcap and we understand how the underlying Linux network interfaces are mapped to our lab network interfaces, we can start Wireshark on the client PC. The first step is to fire up Wireshark, click on
Capture Options as depicted in Figure 3. Next, you’ll have to click on
Manage Interfaces, which can be found on the input tab.
As soon as you open up the
Manage Interfaces, you’ll have the option to specify your
rpcap server, in the remote interfaces tab by pressing the button named
Add remote host, which is the IP address of the UNetLab virtual machine. Remember that the authentication was set as null and the port
rpcapd is listening is 2002.
If you have L3 reachability to UNetLab virtual machine and the
rpcap service is enabled you should be able to see all the Linux network interfaces as illustrated in Figure 4.
Simply add all of these interfaces for now, it’s easier to filter out unwanted interfaces later on. Next, before starting the capture, we’ll be able to select just the
vnet0_IDs interfaces that we’re interested in. It’s easier to find all the
vnet0_* networks if you sort out the interface by their names, just click on the
Interface column to sort them. Finally, hit the start button to start the capture on the
vnet0 interfaces you’re interested and enjoy! As you can see in Figure 5, I selected all the 8 IDs as we saw in Figure 1 and 2 to capture traffic on all interfaces of this topology.
Good! You’re ready to capture whatever traffic you want in these set of interfaces and enjoy your lab on UNetLab. Plus, here one of the coolest feature that I find about rpcap, it always tags the interface name where the packet was captured. For instance, in Figure 6, the ARP packet was captured on “Interface 5”, which actually is rpcap://unl.vm:2002/vnet0_2, so you know that this packet was captured on vnet0_2. This information is really handy when you need to narrow down your filters on wireshark because you’re dealing with an all interfaces capture. Of course, you could use other filters like VLAN IDs, MAC addresses and so on, but this option is quite helpful and sometimes more practical to use.
That’s it! Before we finish, I’d like to give a massive thank you to Andrea Dainese and his team for developing this amazing networking tool. I really wish in the upcoming releases we had this feature already builtin on UNetLab GUI, so we could easily specify if we’d like to capture traffic on more than one interface simultaneously in just one Wireshark window. Meanwhile, I’ll continue to use
rpcap. I hope this information is valuable to you guys!