Remove encapsulation from pcap packets

 

Hello,

Recently I was troubleshooting some flows, and I needed to know what went trough a GRE tunnel. After reading some tutorials, especially including Wireshark (which did not work) I found the perfect tool to help you de-encapsulate your packet : ipdecap ( website - github )

1) Install

In theory, installation is simple. In practice, you will need to tweak a bit :

Packages needed = autoconf, automake, libtool, openssl, libpcap, libpcap-devel

Install procedure =

wget https://loicpefferkorn.net/ipdecap/ipdecap-0.7.tar.gz
tar xvzf ipdecap-0.7.tar.gz
cd ipdecap-0.7
sh autogen.sh
./configure
make
make install

But you might encounter errors such as :

ipdecap.c:28:45: fatal error: pcap/dlt.h: No such file or directory

I could not find the requested file on my server, so I went ahead in the src/ipdecap.c file and deleted the line. Afterwards it worked fine.

2) Use

It is relatively easy to use

• Remove GREP encapsulation from packets located in gre.cap file, and write them in output.cap

  $ ipdecap -i gre.cap -o output.cap

• If you have multiple tunnels encapsulated, just repeat the previous step.
• Remove ESP encapsulation, configuration in esp.conf

  $ ipdecap -i esp.cap -o output.cap -c esp.conf

Merci a loicpefferkorn pour ce package !

Update F5 chassis licence

 

,

Updating a licence on a F5 Chassis can be a tricky time. Let's review the necessary steps:

0) PREPARE

0.1) VCMP cluster sync

Via tmsh/cli   [ ACTIVE node only ] 

show cm sync-status

show cm failover-status

run /cm config-sync to-group CLUSTERGROUP

0.2) Check VCMP Host status

 show vcmp guest all-properties | grep "Comment\|deployed\|Prompt"

0.3) Take a licency copy in case

bash

tmsh show sys license

cd /config

cp bigip.license  bigip.license.DATE

ls -la | grep license

0.4) If GTM is used, in case of standalone think to deactivate the nodes that will be licence updated, considering that wideips would point to multiple standalone units.

1) EXECUTION

1.1) On Standy unit

check standby units : show vcmp guest all-properties | grep "Comment\|deployed\|Prompt"

if you need to failover an ACTIVE node : run sys failover standby

F5 procedure: 

To re-activate the license with the Add-On registration using the manual activation method, perform the following procedure:

1. Log in to the Configuration utility. 

2. Navigate to System > License. 

3. Click Re-activate. 

4. Paste the Add-On registration key into the Add-On Key field and click Add. 

5. Click Manual. 

6. Click Next. 

7. Copy the dossier and connect to the F5 Product Licensing page at the following address: 

https://secure.f5.com

8. On the F5 Licensing Tools page, click Activate F5 product registration key for BIG-IP 9.x and later. 

9. Paste the dossier into the Enter your dossier field, and click Next. 

10. Copy the license returned by the F5 Product Licensing page and paste it into the License field in the Configuration utility.

11. Click Next. 

1.2) Failover the nodes within clusters

show cm failover-status

! If ACTIVE, failover

run sys failover standby 

! Check status : STANDBY

show cm failover-status

1.3) The ARP situation

You might want to monitor more precisely what happens to the ARP of all of your VS in your infrastructure where the L3 is managed when the failover is issued. If you still have ARP pointing to the STANDBY node, go into the L3 switch and clear everything :

clear ip arp <ip_address>  vrf <VRF_Name>

You should only be left with SELF-IPs after this step.

With all these steps you should be good to go. Of course your infrastructure will have differences, but that is what they pay you ! 😅