TechLibrary

Table of Contents

Guide That Contains This Content

[+] Expand All

[-] Collapse All

Configuring Traffic Analyzers and Packet Capture for Mirroring

Contrail provides traffic mirroring so you can mirror specified traffic to a traffic analyzer where you can perform deep traffic inspection. Traffic mirroring enables you to designate certain traffic flows to be mirrored to a traffic analyzer, where you can view traffic flows in great detail.

Use Monitor > Debug > Packet Capture to configure packets to be captured and “mirrored” to a virtual machine configured as a traffic analyzer. The packet activity can then be inspected for monitoring and troubleshooting purposes. This section demonstrates how to set up packet capture to mirror traffic packets to an analyzer.

Traffic Analyzer Images

Before using the Contrail interface to configure traffic analyzers and packet capture for mirroring, make sure that the following analyzer images are available in the VM image list for your system. The traffic analyzer images are enhanced for viewing details of captured packets in Wireshark. When creating a policy for the traffic analyzer, the traffic analyzer instance should always have the Mirror to field selected in the policy, do not select the Apply Service field for a traffic analyzer.

analyzer-vm-console-qcow2—Standard traffic analyzer; should be named analyzer in the image list. This type of traffic analyzer is always configured with a single interface, and the interface should be a Left interface.
analyzer-vm-console-two-if qcow2—This type of traffic analyzer has two interfaces, Left and Management. This traffic analyzer can have any name except the name analyzer, which is reserved for the single interface analyzer.

Configuring Traffic Analyzers

In Contrail Controller, you use a two-part configuration to mirror captured packet traffic to a traffic analyzer, where the traffic details can be inspected. The configuration has the following steps:

Configure analyzer(s) on the host.
Set up rules for packet capture.

Additionally, there are two ways to configure the packet capture for the analyzers from within the Contrail interface:

Configure from Monitor > Debug > Packet Capture
Configure from Configure > Networking > Services

Setting Up Traffic Mirroring Using Monitor > Debug > Packet Capture

The following are the steps needed to set up packet capture in order to “mirror” the traffic to an analyzer VM for the purpose of reviewing various aspects of packet traffic moving through the system.

Select Monitor > Debug > Packet Capture. The Packet Capture screen appears; see Figure 1.
Figure 1: Packet Capture
Click Create to add an analyzer; see Figure 2.
Figure 2: Create Analyzer
In the Analyzer Name field, enter a name for the analyzer and in the Virtual Network field, select Automatic or select a specific virtual network from the drop-down list of available networks; click Save when finished.
To create rules for the analyzer, in the lower portion of the Create Analyzer screen, click the + button to add a rule.
The Analyzer Rules fields appear; see Figure 3.
Figure 3: Analyzer Rules

Select the rules to apply to determine which packets should be “mirrored”—sent to the analyzer for monitoring.

See Table 1 for guidelines for completing the rule fields.

Table 1: Analyzer Rule Fields

Field	Description
IP Protocol	Select from a list to define from which protocol packets are to be captured: ANY TCP UDP ICMP
Source Network	Select from a list the source network from which packets are to be captured: any local domain:network 1 domain:network 2 domain:network .....
Source Ports	If you want to capture only those packets that originate from a specific port number, enter the port number.
Direction	Select the direction of flow for the packets to be captured: Bidirectional Unidirectional
Destination Network	Select from a list the destination network for the packets to be captured: any local domain:network 1 domain:network 2 domain:network .....
Destination Ports	If you want to capture only those packets that are destined to a specific port number, enter the port number.
Cancel, Save	When finished, click Save to commit your selections, or click Cancel to clear the entries and start over.

To associate virtual networks with the analyzer, click the Associate Networks field in the center portion of the screen. Select from a drop-down list of available networks the networks to associate with this analyzer; see Figure 4.
Figure 4: Create Analyzer Associate Networks
Note: If there is already a network policy attached to the virtual network selected, any conflicting rules configured for the analyzer will not take effect.
View the analyzer activity from Monitor > Debug > Packet Capture. For the selected analyzer, click in the Action column and select View Analyzer; see Figure 5.
Figure 5: Launch Analyzer VM
The Wireshark Packet Capture Display appears; see Figure 6.
Figure 6: Packet Capture Display

Setting Up Traffic Mirroring Using Configure > Networking > Services

You can set up packet capture for mirroring to an analyzer within a service chain utilizing more than one interface by starting with a service template. The following procedure provides the steps needed.

Access Configure > Networking > Services > Service Templates.
The Service Templates screen appears; see Figure 7.
Figure 7: Service Templates
To create a new service template, click the Create button.
The Add Service Template window appears; see Figure 8.
Figure 8: Add Service Template

Complete the fields by using the guidelines in Table 2.

Table 2: Add Service Template Fields

Field	Description
Name	Enter a descriptive text name for this service template.
Service Mode	Select Transparent from the drop-down list to indicate that this service template is for purposes of mirroring.
Service	Select Analyzer from the drop-down list to indicate that this service template is for a traffic analyzer.
Image Name	Select from a drop-down list of available images the analyzer image to use for this analyzer service template. You should select the analyzer named analyzer two interfaces if you used the recommended naming for the image analyzer-vm-console-two-if qcow2 in the image list.
Interface Types	From the drop-down list, click the check boxes to indicate which two interface types are used for this analyzer service template: Left Right Management
Save	When finished, click OK to commit the changes
Cancel	Click Cancel to clear the fields and start over.

Create a service instance by clicking the Service Instances link and clicking the Create button.
The Create Service Instances window appears; see Figure 9.
Figure 9: Create Service Instances

Complete the fields by using the guidelines in Table 3.

Table 3: Create Service Instances Fields

Field	Description
Services Template	Select from a drop-down list of available service templates the template to use for this service instance (e.g. AnalyzerTemplate).
Instance Name	Enter a text name for this service instance.
Left Virtual Network	Select from a drop-down list of available networks the network for the left interface, or select Automatic.
Right Virtual Network	Select from a drop-down list of available networks the network for the right interface, or select Automatic.
Management Virtual Network	Select from a drop-down list of available networks the network for the management interface, or select Automatic.
Save	Click Save to commit your changes.
Cancel	Click Cancel to clear your changes and start over.

To create a network policy rule for this service instance, click Configure > Networking > Policies.
The Policies window appears.
Click Create to get to the Create Policy window; see Figure 10.
Figure 10: Create Policy
Click the + button in the lower portion of the screen to open the Policy Rules fields; see Figure 11.
Figure 11: Policy Rules

To add policy rules, complete the fields, using the guidelines in Table 4.

Note: When there is a network policy attached to the virtual network, any conflicting rules configured for the analyzer will not take effect.

Table 4: Add Rule Fields

Field	Description
Action	Enter a text name for this service instance.
Protocol	Select from a drop-down list of available networks the network for the left interface, or select Automatic.
Source Network	Select from a drop-down list of available networks the network for the right interface, or select Automatic.
Source Ports	Select from a drop-down list of available networks the network for the management interface, or select Automatic.
Direction	Select the direction of flow for the packets to be captured: Bidirectional Unidirectional
Destination Network	Select from a list the destination network for the packets to be captured: any local domain:network 1 domain:network 2 domain:network .....
Destination Ports	Select from a list the destination network for the packets to be captured: any local domain:network 1 domain:network 2 domain:network .....
Apply Service	Check this box to open a field where you can select a service to apply.
Mirror to	Check this box to open a field where you can select a service to accept the mirrored packets.
Save	Click Save to commit your changes.
Cancel	Click Cancel to clear your changes and start over.

Click the Mirror to box and select the available analyzer service instance, then click Save.

To verify packet capture, at Configure > Services > Service Instances, select the analyzer service instance and click View Console.

The packet capture displays; see Figure 12. The analyzer service VM launches the Contrail enhanced Wireshark as it starts and captures the mirrored packets destined to this service.

Figure 12: Service Instances View Console

Note: When using the Firefox web browser, you may have difficulty viewing the mixed content presented by the View Console enhanced Wireshark option. To fix this, please enable mixed content in Firefox. Alternatively, you can select Click here to show only console to view the console information in a separate window.