4

I am working with OpenFlow packets and am analyzing the network via tcpdump.

Currently, I use the WireShark GUI to parse the generated capture file and it does serve my need.

However, I was wondering whether WireShark has an API so the same can be done via a script rather than the GUI (I'm essentially aiming to extract certain OpenFlow parameters and automate the process of checking my system).

spiritusozeans

2 Answers

4

The command-line alternative to WireShark is tshark (similar in function to tcpdump).

This blog had enough to get me started.

A sample tshark capture command goes as follows (say you want to monitor the interface eth0):

sudo tshark -i eth0

We can add capture filters along with the command as well:

sudo tshark -i eth0 "port 6633"

This command will capture all traffic to or from port 6633 (the default port of OpenFlow controllers).

Simply capturing the traffic is not enough. To analyze the capture via a program, we need to first convert the capture into an easily understandable format. Enter XML.

sudo tshark -i eth0 -T pdml > dump.xml

This outputs the capture file as an XML file with all the packets along with their various attributes as tags.

This can be subsequently parsed using any standard XML parser.

A couple of extra things I tweaked: I scrapped the "port 6633" and added a -n option (addresses are not resolved). The additional packets which are captured as a result may always be filtered out by the XML parser. Since my application gave a slight importance to the timestamps of various packets, I did not want to cause additional delays due to filtering/resolving. Note that I may be terribly wrong in my reasoning here (it was just a hunch). Each packet has a timestamp added to it by the network adapter when the device receives the same. It is therefore more than likely that using such tricks wouldn't affect the timestamp at all.

My final command was therefore:

sudo tshark -n -i eth0 -T pdml > dump.xml

ADDITIONAL NOTE: If you are habituated to using WireShark to debug OpenFlow packets, you probably use the display filter "of". This, however, is not a valid capture filter, which is what tshark requires (capture filters are similar to those used in tcpdump).

PS: Drop me a line if you need the XML parser (I used Python).

spiritusozeans
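The answer above stops at "parse the PDML with any XML parser". As an added example (not the answerer's script, which is not on the page), here is a small Python parser for a `tshark -T pdml` dump that pulls the OpenFlow 1.3 header fields out of each message and skips everything else. It assumes the field names Wireshark's openflow_v4 dissector registers (`openflow_v4.version`, `.type`, `.length`, `.xid`) and the `frame.number` / `frame.time_epoch` frame fields; the embedded PDML is a constructed, heavily trimmed sample.

```python
import io
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Header fields registered by Wireshark's openflow_v4 dissector (assumed names; see `tshark -G fields`).
OF_FIELDS = ("openflow_v4.version", "openflow_v4.type", "openflow_v4.length", "openflow_v4.xid")

def _field(elem, name):  # first (possibly nested) <field> under elem with this name, or None
    return next((f for f in elem.iter("field") if f.get("name") == name), None)

def parse_pdml(source):
    """Yield one dict per OpenFlow message (non-OpenFlow packets skipped); iterparse + clear() keeps memory flat."""
    if isinstance(source, bytes):  # accept raw PDML bytes as well as a filename or file object
        source = io.BytesIO(source)
    for _event, packet in ET.iterparse(source, events=("end",)):
        if packet.tag != "packet":
            continue
        frame = int(_field(packet, "frame.number").get("show"))
        ts = float(_field(packet, "frame.time_epoch").get("show"))
        # One TCP segment may carry several OpenFlow messages; PDML then repeats the proto element.
        for proto in packet.findall("proto"):
            if proto.get("name") != "openflow_v4":
                continue
            msg = {"frame": frame, "time_epoch": ts}
            for name in OF_FIELDS:
                f = _field(proto, name)
                msg[name.split(".", 1)[1]] = int(f.get("show")) if f is not None else None
            # showname reads like "Type: OFPT_PACKET_IN (10)"; keep the symbolic name as well
            tf = _field(proto, "openflow_v4.type")
            showname = tf.get("showname", "") if tf is not None else ""
            msg["type_name"] = showname.split(": ", 1)[-1].rsplit(" (", 1)[0]
            yield msg
        packet.clear()

def type_counts(source):
    """Messages per OpenFlow type name: a quick check that the expected exchange happened."""
    return Counter(m["type_name"] for m in parse_pdml(source))

# Constructed sample; a real dump carries every field of every layer, hence the lookup by name.
SAMPLE_PDML = b"""<pdml version="0">
<packet><proto name="frame"><field name="frame.number" show="1"/><field name="frame.time_epoch" show="1700000000.10"/></proto>
<proto name="openflow_v4"><field name="openflow_v4.version" show="4"/><field name="openflow_v4.type" showname="Type: OFPT_PACKET_IN (10)" show="10"/><field name="openflow_v4.length" show="120"/><field name="openflow_v4.xid" show="0"/></proto></packet>
<packet><proto name="frame"><field name="frame.number" show="2"/><field name="frame.time_epoch" show="1700000000.20"/></proto><proto name="arp"/></packet>
<packet><proto name="frame"><field name="frame.number" show="3"/><field name="frame.time_epoch" show="1700000000.30"/></proto>
<proto name="openflow_v4"><field name="openflow_v4.version" show="4"/><field name="openflow_v4.type" showname="Type: OFPT_PACKET_OUT (13)" show="13"/><field name="openflow_v4.length" show="24"/><field name="openflow_v4.xid" show="7"/></proto></packet>
</pdml>"""

if __name__ == "__main__":  # usage: python3 of_pdml.py dump.xml (defaults to the built-in sample)
    print(type_counts(sys.argv[1] if len(sys.argv) > 1 else SAMPLE_PDML))
```

Because the non-OpenFlow packets are dropped by name here, the capture itself can stay unfiltered (as in the answer's final `-n` command) without the timestamps being touched.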
2

Try reviewing the output of:

sudo tshark -O openflow_v4 -i eth0 port <openflow port>

You can review the protocols available with this command:

~] tshark -G protocols | grep openflow
OpenFlow        openflow        openflow
OpenFlow 1.0    openflow_v1     openflow_v1
OpenFlow 1.3    openflow_v4     openflow_v4
OpenFlow 1.4    openflow_v5     openflow_v5
GregL

Michael D