gowrishankar
2016-Jan-07 11:18 UTC
Re: [libvirt-users] unable to dissect libvirt rpc packets using wireshark plugin
Thank you Michal.

With your pcap, I could confirm that the libvirt dissector worked in my environment as well.
Yes, it could be that my pcap does not have libvirt RPC packets correctly, though I would have expected. I am checking on it.

Regards,
Gowrishankar

On Thursday 07 January 2016 03:51 PM, Michal Privoznik wrote:
> On 07.01.2016 08:05, gowrishankar wrote:
>> Hi Michal,
>> Thank you for your suggestion. My apologies that I took some time to get back
>> on further confirmation. Regrettably, my tshark is still unable to find libvirt payload
>> inside packet capture, though it lists libvirt as a possible filter.
>>
>> # rpm -ql libvirt-wireshark-1.2.9.3-2.fc21.x86_64
>> /usr/lib64/wireshark/plugins/1.12.5/libvirt.so
>>
>> As I used wireshark 1.12.6 version, I created 1.12.6 directory
>> under plugins and copied above .so.
>> /usr/lib64/wireshark/plugins/1.12.6/libvirt.so
>>
>> # tshark -G protocols | grep -i libvirt
>> Libvirt libvirt libvirt
>>
>> # tshark -r libvirt.pcap libvirt
>> #
>>
> Interesting. This indeed may be that your pcap file does not contain any
> libvirt packets. Esp. if you tested it locally - if you haven't
> specified to use TCP stack, UNIX socket is used by default.
>
>> Are there any dependency between libvirt and wireshark dissector mechanism to co-exist and
>> work together (ie. whether the above libvirt-wireshark missing some changes that dissector
>> expecting ??). If you have sample pcap to recheck my wireshark/tshark, could you please
>> share with me ?
> Sure:
>
> https://mprivozn.fedorapeople.org/libvirt.pcap
>
> $ tshark -r libvirt.pcap libvirt | tail -n1
> 89 29.520014062 ::1 -> ::1 Libvirt 114 Prog=REMOTE Proc=CONNECT_CLOSE Type=REPLY Serial=32 Status=OK
>
> So I can get 89 libvirt packets from the dump.
>
> Michal
gowrishankar
2016-Jan-20 08:49 UTC
Re: [libvirt-users] unable to dissect libvirt rpc packets using wireshark plugin
Hi Michal,
By the way, I noticed IPv6 loopback IP addresses in your pcap. As I normally try to capture on
the NIC where migration is carried out, I thought of checking with you if your wireshark could dissect
libvirt RPC in such pcap too (captured on a NIC)?

During migration, I do not see any traffic on loopback and I think it is expected, but thinking
how you get those captured? Any pointers/suggestions? Appreciating your help.

Regards,
Gowrishankar

On Thursday 07 January 2016 04:48 PM, gowrishankar wrote:
> Thank you Michal.
>
> With your pcap, I could confirm that the libvirt dissector worked in my
> environment as well.
> Yes, it could be that my pcap does not have libvirt RPC packets
> correctly, though I would have expected. I am checking on it.
>
> Regards,
> Gowrishankar
>
> On Thursday 07 January 2016 03:51 PM, Michal Privoznik wrote:
>> On 07.01.2016 08:05, gowrishankar wrote:
>>> Hi Michal,
>>> Thank you for your suggestion. My apologies that I took some time to get back
>>> on further confirmation. Regrettably, my tshark is still unable to find libvirt payload
>>> inside packet capture, though it lists libvirt as a possible filter.
>>>
>>> # rpm -ql libvirt-wireshark-1.2.9.3-2.fc21.x86_64
>>> /usr/lib64/wireshark/plugins/1.12.5/libvirt.so
>>>
>>> As I used wireshark 1.12.6 version, I created 1.12.6 directory
>>> under plugins and copied above .so.
>>> /usr/lib64/wireshark/plugins/1.12.6/libvirt.so
>>>
>>> # tshark -G protocols | grep -i libvirt
>>> Libvirt libvirt libvirt
>>>
>>> # tshark -r libvirt.pcap libvirt
>>> #
>>>
>> Interesting. This indeed may be that your pcap file does not contain any
>> libvirt packets. Esp. if you tested it locally - if you haven't
>> specified to use TCP stack, UNIX socket is used by default.
>>
>>> Are there any dependency between libvirt and wireshark dissector mechanism to co-exist and
>>> work together (ie. whether the above libvirt-wireshark missing some changes that dissector
>>> expecting ??). If you have sample pcap to recheck my wireshark/tshark, could you please
>>> share with me ?
>> Sure:
>>
>> https://mprivozn.fedorapeople.org/libvirt.pcap
>>
>> $ tshark -r libvirt.pcap libvirt | tail -n1
>> 89 29.520014062 ::1 -> ::1 Libvirt 114 Prog=REMOTE Proc=CONNECT_CLOSE Type=REPLY Serial=32 Status=OK
>>
>> So I can get 89 libvirt packets from the dump.
>>
>> Michal
Michal Privoznik
2016-Jan-20 11:10 UTC
Re: [libvirt-users] unable to dissect libvirt rpc packets using wireshark plugin
On 20.01.2016 09:49, gowrishankar wrote:
> Hi Michal,
> By the way, I noticed IPv6 loopback IP addresses in your pcap. As I
> normally try to capture on the NIC where migration is carried out, I thought
> of checking with you if your wireshark could dissect
> libvirt RPC in such pcap too (captured on a NIC)?
>
> During migration, I do not see any traffic on loopback and I think it is
> expected, but thinking how you get those captured? Any pointers/suggestions?
> Appreciating your help.

Sure. Usually, when you are connecting locally ("qemu:///system" or "qemu:///session"), client and server talk on a unix socket. I forced them to talk via loopback, where I had wireshark running, by:

1) configuring libvirtd to listen on network socket too (listen_tcp in libvirtd.conf, passing --listen argument to the daemon cmdline)
2) connecting to qemu+tcp://localhost/system

Michal
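
Added example, not part of the thread: a small Python check that tells whether a TCP payload pulled from a capture is plain libvirt RPC at all, which is the question behind an empty "tshark -r libvirt.pcap libvirt" result; a UNIX-socket session never reaches the NIC, and a payload that is not libvirt RPC (for instance an encrypted transport) will not parse. The header layout and constants are assumptions taken from libvirt's RPC protocol definition, and the sample bytes are constructed to match the CONNECT_CLOSE reply shown above.

```python
import struct

# Assumed wire layout (libvirt RPC): 4-byte big-endian length that counts
# itself, then prog, vers, proc, type, serial, status as 4-byte XDR integers.
HEADER = struct.Struct(">IIIiiIi")
PROGRAMS = {0x20008086: "REMOTE", 0x20008087: "QEMU", 0x6B656570: "KEEPALIVE"}
TYPES = {0: "CALL", 1: "REPLY", 2: "MESSAGE", 3: "STREAM",
         4: "CALL_WITH_FDS", 5: "REPLY_WITH_FDS"}
STATUSES = {0: "OK", 1: "ERROR", 2: "CONTINUE"}
REMOTE_PROCS = {1: "CONNECT_OPEN", 2: "CONNECT_CLOSE"}  # subset; others stay numeric


def parse_stream(payload):
    """Split reassembled TCP payload bytes into libvirt RPC headers.

    Raises ValueError if the bytes are not libvirt RPC framing.
    """
    messages, offset = [], 0
    while offset < len(payload):
        if len(payload) - offset < HEADER.size:
            raise ValueError("truncated header at offset %d" % offset)
        length, prog, vers, proc, mtype, serial, status = HEADER.unpack_from(payload, offset)
        if (length < HEADER.size or offset + length > len(payload)
                or prog not in PROGRAMS or mtype not in TYPES or status not in STATUSES):
            raise ValueError("not libvirt RPC framing at offset %d" % offset)
        name = REMOTE_PROCS.get(proc, proc) if PROGRAMS[prog] == "REMOTE" else proc
        messages.append({"prog": PROGRAMS[prog], "vers": vers, "proc": name,
                         "type": TYPES[mtype], "serial": serial,
                         "status": STATUSES[status], "body_len": length - HEADER.size})
        offset += length
    return messages


def looks_like_libvirt(payload):
    """True only if the whole payload parses as one or more RPC messages."""
    try:
        return bool(parse_stream(payload))
    except ValueError:
        return False


# Constructed samples: a body-less CONNECT_CLOSE call and its reply (serial 32),
# and the first bytes of a TLS record, which must be rejected.
CALL = HEADER.pack(28, 0x20008086, 1, 2, 0, 32, 0)
REPLY = HEADER.pack(28, 0x20008086, 1, 2, 1, 32, 0)
TLS_RECORD = bytes.fromhex("1603010200") + bytes(40)

if __name__ == "__main__":
    for sample in (CALL, REPLY):
        print(parse_stream(sample)[0])
    print("TLS payload is libvirt RPC:", looks_like_libvirt(TLS_RECORD))
```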