gowrishankar
2016-Jan-07 11:18 UTC
Re: [libvirt-users] unable to dissect libvirt rpc packets using wireshark plugin
Thank you Michal. With your pcap, I could confirm that, libvirt dissector worked in my environment as well. Yes, it could be that, my pcap do not have libvirt rpc packets correctly though I would have expected. I am checking on it. Regards, Gowrishankar On Thursday 07 January 2016 03:51 PM, Michal Privoznik wrote:> On 07.01.2016 08:05, gowrishankar wrote: >> Hi Michal, >> Thank you for your suggestion. My apologies that I took sometime to get >> back >> on further confirmation. Regrettably, my tshark is still unable to find >> libvirt payload >> inside packet capture, though it lists libvirt as a possible filter. >> >> # rpm -ql libvirt-wireshark-1.2.9.3-2.fc21.x86_64 >> /usr/lib64/wireshark/plugins/1.12.5/libvirt.so >> >> As I used wireshark 1.12.6 version, I created 1.12.6 directory >> under plugins and copied above .so. >> /usr/lib64/wireshark/plugins/1.12.6/libvirt.so >> >> # tshark -G protocols | grep -i libvirt >> Libvirt libvirt libvirt >> >> # tshark -r libvirt.pcap libvirt >> # >> > Interesting. This indeed may be that your pcap file does not contain any > libvirt packets. Esp. if you tested it locally - if you haven't > specified to use TCP stack, UNIX socket is used by default. > >> Are there any dependency between libvirt and wireshark dissector >> mechanism to co-exist and >> work together (ie. whether the above libvirt-wireshark missing some >> changes that dissector >> expecting ??). If you have sample pcap to recheck my wireshark/tshark, >> could you please >> share with me ? > Sure: > > https://mprivozn.fedorapeople.org/libvirt.pcap > > $ tshark -r libvirt.pcap libvirt | tail -n1 > 89 29.520014062 ::1 -> ::1 Libvirt 114 Prog=REMOTE > Proc=CONNECT_CLOSE Type=REPLY Serial=32 Status=OK > > So I can get 89 libvirt packets from the dump. > > Michal > > >
gowrishankar
2016-Jan-20 08:49 UTC
Re: [libvirt-users] unable to dissect libvirt rpc packets using wireshark plugin
Hi Michal, By the way, I noticed ipv6 loopback IP addresses in your pcap. As I normally try to capture on nic where migration carried out, I thought of checking with you if your wireshark could dissect libvirt RPC in such pcap too (captured on a nic) ?. During migration, I do not see any traffic on loopback and I think it is expected, but thinking how you get those captured ?. Any pointers/suggestions ? Appreciating your help. Regards, Gowrishankar On Thursday 07 January 2016 04:48 PM, gowrishankar wrote:> Thank you Michal. > > With your pcap, I could confirm that, libvirt dissector worked in my > environment as well. > Yes, it could be that, my pcap do not have libvirt rpc packets > correctly though I would have > expected. I am checking on it. > > Regards, > Gowrishankar > > On Thursday 07 January 2016 03:51 PM, Michal Privoznik wrote: >> On 07.01.2016 08:05, gowrishankar wrote: >>> Hi Michal, >>> Thank you for your suggestion. My apologies that I took sometime to get >>> back >>> on further confirmation. Regrettably, my tshark is still unable to find >>> libvirt payload >>> inside packet capture, though it lists libvirt as a possible filter. >>> >>> # rpm -ql libvirt-wireshark-1.2.9.3-2.fc21.x86_64 >>> /usr/lib64/wireshark/plugins/1.12.5/libvirt.so >>> >>> As I used wireshark 1.12.6 version, I created 1.12.6 directory >>> under plugins and copied above .so. >>> /usr/lib64/wireshark/plugins/1.12.6/libvirt.so >>> >>> # tshark -G protocols | grep -i libvirt >>> Libvirt libvirt libvirt >>> >>> # tshark -r libvirt.pcap libvirt >>> # >>> >> Interesting. This indeed may be that your pcap file does not contain any >> libvirt packets. Esp. if you tested it locally - if you haven't >> specified to use TCP stack, UNIX socket is used by default. >> >>> Are there any dependency between libvirt and wireshark dissector >>> mechanism to co-exist and >>> work together (ie. whether the above libvirt-wireshark missing some >>> changes that dissector >>> expecting ??). If you have sample pcap to recheck my wireshark/tshark, >>> could you please >>> share with me ? >> Sure: >> >> https://mprivozn.fedorapeople.org/libvirt.pcap >> >> $ tshark -r libvirt.pcap libvirt | tail -n1 >> 89 29.520014062 ::1 -> ::1 Libvirt 114 Prog=REMOTE >> Proc=CONNECT_CLOSE Type=REPLY Serial=32 Status=OK >> >> So I can get 89 libvirt packets from the dump. >> >> Michal >> >> >> >
Michal Privoznik
2016-Jan-20 11:10 UTC
Re: [libvirt-users] unable to dissect libvirt rpc packets using wireshark plugin
On 20.01.2016 09:49, gowrishankar wrote:> Hi Michal, > By the way, I noticed ipv6 loopback IP addresses in your pcap. As I > normally try to capture on > nic where migration carried out, I thought of checking with you if your > wireshark could dissect > libvirt RPC in such pcap too (captured on a nic) ?. > > During migration, I do not see any traffic on loopback and I think it is > expected, but thinking > how you get those captured ?. Any pointers/suggestions ? Appreciating > your help.Sure. Usually, when you are connecting locally ("qemu:///system" or "qemu:///session") client and server talks on an unix socket. I forced them to talk via loopback where I had wireshark running by: 1) configuring libvirtd to listen on network socket too (listen_tcp in libvirtd.conf, passing --listen argument to the daemon cmdline) 2) connecting to qemu+tcp://localhost/system Michal
Possibly Parallel Threads
- Re: unable to dissect libvirt rpc packets using wireshark plugin
- Re: unable to dissect libvirt rpc packets using wireshark plugin
- Re: unable to dissect libvirt rpc packets using wireshark plugin
- unable to dissect libvirt rpc packets using wireshark plugin
- Re: unable to dissect libvirt rpc packets using wireshark plugin