Debugging GlusterFS with Wireshark



Similar documents
TCP Packet Tracing Part 1

Wireshark Deep packet inspection with Wireshark

1. LAB SNIFFING LAB ID: 10

Lab VI Capturing and monitoring the network traffic

Packet Sniffers. * Windows and Linux - Wireshark

Pen Test Tips 2. Shell vs. Terminal

COMP416 Lab (1) Wireshark I. 23 September 2013

Wireshark. Fakrul (Pappu) Alam

Lab Conducting a Network Capture with Wireshark

SSL Tunnels. Introduction

Network Traffic Analysis

TECHNICAL NOTE. Technical Note P/N REV 03. EMC NetWorker Simplifying firewall port requirements with NSR tunnel Release 8.

Websense Web Security Gateway: What to do when a Web site does not load as expected

LAB THREE STATIC ROUTING

Lab - Using Wireshark to View Network Traffic

Network Diagnostic Tools. Jijesh Kalliyat Sr.Technical Account Manager, Red Hat 15th Nov 2014

Lab Exercise SSL/TLS. Objective. Requirements. Step 1: Capture a Trace

Procedure: You can find the problem sheet on Drive D: of the lab PCs. 1. IP address for this host computer 2. Subnet mask 3. Default gateway address

Networks and Security Lab. Network Forensics

Introduction to Passive Network Traffic Monitoring

Introduction to Highly Available NFS Server on scale out storage systems based on GlusterFS

Cisco Configuring Commonly Used IP ACLs

Troubleshooting TCP/IP Networks with Wireshark

Introduction to Operating Systems

NFS Ganesha and Clustered NAS on Distributed Storage System, GlusterFS. Soumya Koduri Meghana Madhusudhan Red Hat

Network Forensics Network Traffic Analysis

[state of the internet] / DDoS Reflection Vectors. Threat Advisory: NetBIOS name server, RPC portmap and Sentinel reflection DDoS

USING WIRESHARK TO CAPTURE AND ANALYZE NETWORK DATA

Red Hat Enterprise Linux 5 / CentOS 5

Connect the Host to attach to Fast Ethernet switch port Fa0/2. Configure the host as shown in the topology diagram above.

ENABLING RPC OVER HTTPS CONNECTIONS TO M-FILES SERVER

Overview. Protocol Analysis. Network Protocol Examples. Tools overview. Analysis Methods

Interoperability Tools for CIFS/SMB/SMB2 Paul Long and Simon Sun Microsoft

tcpdump: network traffic capture

Linux MDS Firewall Supplement

Setting Up Scan to SMB on TaskALFA series MFP s.

VisuSniff: A Tool For The Visualization Of Network Traffic

This Lecture. The Internet and Sockets. The Start If everyone just sends a small packet of data, they can all use the line at the same.

F-Secure Messaging Security Gateway. Deployment Guide

Step by Step: vcenter Syslog Collector installation

An Introduction To Gluster. Ryan Matteson

Linux System Administration on Red Hat

Virtualization Management the ovirt way

RSA Event Source Configuration Guide. McAfee Database Security

How To Analyze Bacnet (Bacnet) On A Microsoft Computer (Barcnet) (Bcfnet) And Get A Better Understanding Of The Protocol (Bafnet) From A Microsatellite) (Malware)

Capturing Network Traffic With Wireshark

Lab Exercise Objective. Requirements. Step 1: Fetch a Trace

Lab Module 3 Network Protocol Analysis with Wireshark

Application-Centric Analysis Helps Maximize the Value of Wireshark

Firewalls. Network Security. Firewalls Defined. Firewalls

Kepware Technologies Using Wireshark for Ethernet Diagnostics

DMZ Network Visibility with Wireshark June 15, 2010

Networks & Security Course. Web of Trust and Network Forensics

Course Title: Penetration Testing: Security Analysis

Lab 1: Network Devices and Technologies - Capturing Network Traffic

6. INTRODUCTION TO THE LABORATORY: SOFTWARE TOOLS

File Transfer Examples. Running commands on other computers and transferring files between computers

F-Secure Internet Gatekeeper

Using IPM to Measure Network Performance

NetSpective Global Proxy Configuration Guide

Attack Lab: Attacks on TCP/IP Protocols

File Transfer And Access (FTP, TFTP, NFS) Chapter 25 By: Sang Oh Spencer Kam Atsuya Takagi

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

GL254 - RED HAT ENTERPRISE LINUX SYSTEMS ADMINISTRATION III

A Research Study on Packet Sniffing Tool TCPDUMP

E-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY)

SyncThru TM Web Admin Service Administrator Manual

Assignment 3 Firewalls

Lab 2. CS-335a. Fall 2012 Computer Science Department. Manolis Surligas

FINFISHER: FinFly ISP 2.0 Infrastructure Product Training

Lab 1: Introduction to the network lab

BASIC ANALYSIS OF TCP/IP NETWORKS

Solution of Exercise Sheet 5

Network Security. Network Packet Analysis

SuperLumin Nemesis. Administration Guide. February 2011

Intrusion Detection and Prevention: Network and IDS Configuration and Monitoring using Snort

Network sniffing packet capture and analysis

Network sniffing packet capture and analysis

Network setup and troubleshooting

Project 2: Firewall Design (Phase I)

Netflow Collection with AlienVault Alienvault 2013

Introduction to Wireshark Network Analysis

Flow-level analysis: wireshark and Bro. Prof. Anja Feldmann, Ph.D. Dr. Nikolaos Chatzis

Firewalls P+S Linux Router & Firewall 2013

Windows Server Firewall Configuration

Electronic Mail

CA arcserve Unified Data Protection Agent for Linux

Safe network analysis

DNS (Domain Name System) is the system & protocol that translates domain names to IP addresses.

Configuring Network Address Translation (NAT)

Network forensics 101 Network monitoring with Netflow, nfsen + nfdump

BEA Weblogic Guide to Installing Root Certificates, Generating CSR and Installing SSL Certificate

Linux MPS Firewall Supplement

Packet Sniffing with Wireshark and Tcpdump

Apache, SSL and Digital Signatures Using FreeBSD

Customer Tips. Network Packet Analyzer Tips. for the user. Purpose. Introduction to Packet Capture. Xerox Multifunction Devices.

Host Configuration (Linux)

Transcription:

Debugging GlusterFS with Wireshark 25 February 2013 Niels de Vos Sr. Software Maintenance Engineer Support Engineering Group Red Hat Global Support Services

Agenda Brief description of Wireshark How to capture network traffic Explanation of the basic GlusterFS protocols Identifying packets Filtering for certain network packets Commandline tools and scripting

What is Wireshark? One of the most well known network protocol analyzers Can capture network traffic Can display hundreds of protocols Version 1.8 and newer support GlusterFS Comes with several useful commandline tools tshark, editcap, capinfos,... Homepage: www.wireshark.org

Capturing network traffic Capture with Wireshark Convenient, nice graphical interface Analyze on the system used for capturing Got (a recent) Wireshark on your server? Capture with tcpdump Headless, no graphical environment needed Separate production and analysis systems Save in a file for off-line analysis Can capture with rotating filenames

Capturing network traffic: examples Save to a file: -w glusterfs.pcap Capture on all interfaces: -i any Do not chop off packets: -s 0 Filters: Only TCP: tcp Ports 24007 to 240100: portrange 24007-240100 Result: # tcpdump glusterfs.pcap -i any -s 0 \ tcp and portrange 24007-24100

GlusterFS protocols Everything is TCP Based on SUN Remote Procedure Calls RFC 5531 Data is encoded in XDR (RFC 4506) Similarities with portmapper and NFS A number of sub-protocols are used GlusterFS is the most important one (I/O)

Identifying packets Each packet has a source and a destination RPC Calls are made by the client RPC Replies are sent by the server The RPC header contains the number for the sub-protocol (GlusterFS, Gluster CLI,...) Server side ports are mostly unique Only exception is glusterd on port 24007 Each brick (glusterfsd) listens on its own port

Identifying packets: example Minimal packet details needed: Internet Protocol Version 4 Source: 172.31.122.154 Destination: 172.31.122.104 Transmission Control Protocol Source port: 24009 Destination port: 1022 Remote Procedure Call Message Type: Reply (1) [Program: GlusterFS (1298437)] [Program Version: 330] [Procedure: LOOKUP (27)]

Identifying packets: step 1 Step 1: Remote Procedure Call Message Type: Reply (1) [Program: GlusterFS (1298437)] [Program Version: 330] [Procedure: LOOKUP (27)] A reply on a LOOKUP is sent from a brick to a client. The GlusterFS protocol is handled by a brick process (glusterfsd) on the server.

Identifying packets: step 2 Step 2: details of an RPC Reply Internet Protocol Version 4 Source: 172.31.122.154 Destination: 172.31.122.104 Transmission Control Protocol Source port: 24009 Destination port: 1022 The client has address 172.31.122.104 The server has address 172.31.122.154 Has hostname vm122-154 The brick listens on port 24009

Identifying packets: step 3a Step 3a: Get the details from the server # cd /var/lib/glusterd # grep -l 24009 vols/*/bricks/* vols/dht/bricks/vm122-154:-bricks-dht The client contacted the brick serving /bricks/dht on server vm122-154. The brick is part of volume dht.

Identifying packets: step 3b Step 3b: Combine the details with processes # netstat -lpt grep 24009... *:24009... LISTEN 5238/glusterfsd # ps O -p 5238... --brick-name /bricks/dht... # gluster volume info \ grep -e "^Volume N" -e vm122-154.*/bricks/dht The client contacted the brick serving /bricks/dht on server vm122-154. The brick is part of volume dht.

Filtering Useful filter for browsing and searching interesting events: Packets with contents: tcp.len > 0 Filtering on the GlusterFS protocol GlusterFS is used for I/O: glusterfs Combined: tcp.len > 0 && glusterfs

Building filters Quick'n easy with Wireshark Pick a property of a packet in the tree Right click on it and select: Copy > Fieldname Copy > As filter Combine filters with &&, and use (...) tshark -G shows all known fields as well

Filtering on RPC Credentials The RPC Credentials sent with a Call contain: Remote Procedure Call, Type:Call Program: GlusterFS (1298437) Procedure: CREATE (23) Credentials Flavor: AUTH_GLUSTERFS (390039) PID: 2442 UID: 500 GID: 500 Auxiliary GIDs (1) [500] GID: 500 An RPC Reply does not contain the Credentials, but there is a reference to the Call.

Filtering on Process or User PID is the process doing the I/O Filter on: rpc.auth.pid == 2442 UID is the user-id of the process Filter on: rpc.auth.uid == 500 This can be used to identify processes and/or users that cause major I/O: $ echo frame call_in size uid ; \ tshark -r bottle.pcap.gz -T fields \ -e frame.number -e rpc.repframe \ -e rpc.fraglen -e rpc.auth.uid glusterfs

Statistics on Procedure Calls Counting the number of procedures, based on the RPC details: Remote Procedure Call Message Type: Call (0) Program: GlusterFS (1298437) Procedure: LOOKUP (27) No need to count RPC Replies Filter: rpc.msgtyp == 0 The values of the glusterfs.proc field are listed by tshark -G values.

Unified File and Object debugging Wireshark can decrypt SSL when the private key is added: Edit > Preferences > Protocols > SSL Add your key to the RSA keys list. Non-SSL is mostly easier and safer. Capture on the SWIFT-proxy that is used by the UFO application.

Downloads This presentation and example scripts: http://people.redhat.com/ndevos/talks/ inside debugging-glusterfs-with-wireshark.d Wireshark-1.8+ for RHEL-6 based distributions: http://devos.fedorapeople.org/wireshark-gluster/

Thanks! You can reach me As ndevos in #gluster on Freenode ndevos@redhat.com Or on LinkedIn

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information