2025-04-02 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
This article explains how Wireshark interprets Ceph network communications. Most people are not very familiar with the topic, so it is shared here for reference.
I. Install Wireshark
Wireshark has supported Ceph protocol dissection since version 2.0.
Download address: https://www.wireshark.org/download/
II. Capture Ceph network traffic
Use tcpdump to capture packets on the Ceph cluster, e.g.: tcpdump -i ens33 -s 0 -w 3ceph.pcap host 172.16.134.95 and host 172.16.134.96
ens33 is the name of the network interface, 3ceph.pcap is the file the capture is saved to, and host 172.16.134.95 and host 172.16.134.96 restricts the capture to packets flowing between these two nodes.
Note: the tcpdump capture should start from the beginning of the Ceph cluster session. If the capture starts in the middle of a session, Wireshark will not recognize the packets.
III. Wireshark architecture
1. GUI: handles all user input and output (windows, dialogs and so on). The source code is under ui/qt.
2. Core: the main "glue" module that holds the other modules together. The source code is in the root directory.
3. Epan: the packet analysis engine, which analyzes packets protocol by protocol. The source code is in the epan directory.
4. Wiretap: reads and writes capture files. The source code is in the wiretap directory.
5. Capture: the interface module for capturing network data. The source code is under capture.
Reference: https://www.wireshark.org/docs/wsdg_html_chunked/ChWorksOverview.html
IV. How Wireshark dissects packets
When Wireshark loads packets from a file, each packet is dissected. Wireshark attempts to detect the packet type and get as much information as possible from the packet. In this pass, only the information shown in the packet list pane is needed.
When a user selects a specific packet in the packet list pane, the packet is dissected again. This time, Wireshark tries to get every piece of information and put it in the packet details pane.
Each dissector decodes its own part of the protocol and then hands the rest to the next dissector, which decodes the encapsulated protocol.
Reference: https://www.wireshark.org/docs/wsdg_html_chunked/ChapterDissection.html
V. Wireshark dissector source code analysis
epan/dissectors/packet-ceph.c under the root directory of the Wireshark source is the code that dissects the Ceph network protocol.
Line 10514: registers the dissector function.
Line 10516: creates ceph_handle; when a matching packet arrives, the dissect_ceph_old function is called to dissect it.
Line 10518: adds dissect_ceph_heur to the heuristic dissector table. dissect_ceph_heur determines whether a packet is a Ceph network packet. Wireshark's dissector tables come in three kinds: ordinary string tables, integer tables and heuristic tables.
The characteristic of a heuristic dissector is that once the packets of a particular connection are identified as belonging to a particular protocol, Wireshark should always call that dissector directly for the connection.
Line 7091: determines whether the packet is Ceph network protocol. C_BANNER is defined at line 830 and C_BANNER_SIZE_MIN is defined at line 833.
It can be seen that Wireshark judges whether a packet is Ceph network protocol by the "ceph v" banner in the network packet.
Line 7099: if the packet is judged to be Ceph protocol, ceph_handle is called to process it. The ceph_handle is the one created at line 10516.
Line 7081: calls the dissect_ceph function to dissect the network packet.
Line 7019: sets the Protocol column of the packet list to Ceph.
When you click a packet in the packet list, its details are shown as a tree in the packet details pane below.
Lower-layer protocol subtrees are registered with proto_item_add_subtree.
The c_dissect_xxx functions parse the subtrees.
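The banner check and the per-connection binding described above, together with the capture note in section II, can be modelled in a few lines of C. This is an added example, not code from packet-ceph.c: the conv struct, the ceph_convs table, classify_segment and the sample payloads are hypothetical, and only the "ceph v" banner text comes from the article.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BANNER "ceph v"                 /* banner text named in the article */
#define BANNER_LEN (sizeof(BANNER) - 1)
#define MAX_CONV 16

/* Hypothetical, simplified stand-in for a per-connection protocol binding. */
struct conv { uint32_t a, b; uint16_t pa, pb; };
static struct conv ceph_convs[MAX_CONV];
static size_t n_convs;

/* Same connection in either direction. */
static bool same_conv(const struct conv *c, const struct conv *k)
{
    return (c->a == k->a && c->b == k->b && c->pa == k->pa && c->pb == k->pb) ||
           (c->a == k->b && c->b == k->a && c->pa == k->pb && c->pb == k->pa);
}

/* Heuristic step: accept only a payload that starts with the banner. */
static bool heur_is_ceph(const uint8_t *p, size_t len)
{
    return len >= BANNER_LEN && memcmp(p, BANNER, BANNER_LEN) == 0;
}

/* Returns true if this TCP payload would be decoded as Ceph. */
bool classify_segment(struct conv key, const uint8_t *p, size_t len)
{
    for (size_t i = 0; i < n_convs; i++)
        if (same_conv(&ceph_convs[i], &key))
            return true;                 /* connection already bound to Ceph */
    if (!heur_is_ceph(p, len) || n_convs == MAX_CONV)
        return false;                    /* banner never seen: stays undecoded */
    ceph_convs[n_convs++] = key;         /* remember the connection */
    return true;
}

int main(void)
{
    /* Constructed sample data: 172.16.134.95 <-> 172.16.134.96, port 6789. */
    struct conv full = {0xAC10865F, 0xAC108660, 40000, 6789};
    struct conv mid  = {0xAC10865F, 0xAC108660, 40001, 6789};
    const uint8_t banner[] = "ceph v027", data[] = {0x07, 0x01, 0x00, 0x00};
    printf("full capture, banner: %d\n", classify_segment(full, banner, 9));
    printf("full capture, data:   %d\n", classify_segment(full, data, 4));
    printf("mid-session, data:    %d\n", classify_segment(mid, data, 4));
    return 0;
}
```

The third call returns false because that connection's first captured payload carries no banner, which is the situation the capture note in section II warns about.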