Post on 30-Dec-2015
flotapr2
Analyze traffic from anywhere in the openflow network
www.wookieware.com
Success from failure
It started with an SDN application called flotapr. Its premise was that it could find all the conversations a target host was having and let you pick which conversation you wanted to tap into. The limiting factor was that the analyzer “always” had to be on the same dpid as the source IP. I have no idea how this application ever gave the appearance of working but somehow it looked like it did.
Flotapr2 was born out of flotapr’s failure. Now with flotapr2 you can pick any source, destination and analyzer port in the openflow network and all the flows will automatically be set up. There are many different types of flow: source flow, destination flow, analyzer flow and, most important, the convergent flow. The convergent flow sits where the path from the source to the analyzer and the path from the destination to the analyzer converge. At this point a bifurcated flow is created, and the flows pushed to the dpids along the path to the analyzer are configured as one way only.
Typical network capture
[Diagram: Target Host (all traffic from and to host); mirror traffic to remote port; Analyzer]
All traffic in and out of a specific port can be mirrored to another port.
OpenFlow network capture
[Diagram: Source Host and Destination Host (traffic from src to dst & traffic from dst to src); mirror traffic to analyzer; Analyzer (one way traffic)]
Flows
{"flow":{"priority":30000,"idle_timeout":60000,"match":[{"eth_type":"ipv4"},{"ipv4_dst":"10.132.0.20"},{"ipv4_src":"10.132.0.10"}],"actions":[{"output":1}]}}
{"flow":{"priority":30000,"idle_timeout":60000,"match":[{"eth_type":"ipv4"},{"ipv4_dst":"10.132.0.10"},{"ipv4_src":"10.132.0.20"}],"actions":[{"output":4}]}}
{"flow":{"priority":30000,"idle_timeout":60000,"match":[{"eth_type":"ipv4"},{"ipv4_dst":"10.132.0.20"},{"ipv4_src":"10.132.0.10"}],"actions":[{"output":1},{"output":6}]}}
{"flow":{"priority":30000,"idle_timeout":60000,"match":[{"eth_type":"ipv4"},{"ipv4_dst":"10.132.0.20"},{"ipv4_src":"10.132.0.10"}],"actions":[{"output":4},{"output":6}]}}
flotapr2 verifies OpenFlow 1.0 or 1.3 capabilities. For 1.3, a table variable is supplied at the login screen and is passed to the flows along with a modified instruction set.
Standard flow
Bifurcated flow: forks traffic to analyzer port or direction (Port 6)
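Added example, not part of the original slides or of flotapr2's code: an audit of a flow dump, in the JSON layout shown above, for the tap pattern the slides describe. It uses a heuristic of its own: normal forwarding sends each direction of a conversation out a different port, so a port that carries both directions on one dpid is reported as a bifurcated or one-way analyzer leg. The dpid labels, function names and the edge-2 port number are constructed for illustration.

```python
import json
from collections import defaultdict

def outputs(entry):
    """Return (src, dst, output ports) for one flow in the JSON layout shown above."""
    match = {k: v for m in entry["flow"]["match"] for k, v in m.items()}
    ports = {a["output"] for a in entry["flow"]["actions"] if "output" in a}
    return match.get("ipv4_src"), match.get("ipv4_dst"), ports

def find_taps(flow_dump):
    """flow_dump: iterable of (dpid, json_text) pairs.
    Returns sorted (dpid, host_a, host_b, shared_port, kind) findings."""
    by_dir = defaultdict(set)                 # (dpid, src, dst) -> output ports
    for dpid, text in flow_dump:
        src, dst, ports = outputs(json.loads(text))
        if src and dst:
            by_dir[(dpid, src, dst)] |= ports
    findings = []
    for (dpid, src, dst), fwd in by_dir.items():
        rev = by_dir.get((dpid, dst, src))
        if rev is None or src >= dst:         # need both directions; report a pair once
            continue
        # Heuristic: an egress port shared by both directions of one
        # conversation is what a leg toward an analyzer looks like.
        kind = "bifurcated" if len(fwd) > 1 or len(rev) > 1 else "one-way"
        findings += [(dpid, src, dst, port, kind) for port in sorted(fwd & rev)]
    return sorted(findings)

def sample_flow(src, dst, ports):
    """Build one constructed flow entry as JSON text."""
    return json.dumps({"flow": {"priority": 30000, "idle_timeout": 60000,
        "match": [{"eth_type": "ipv4"}, {"ipv4_dst": dst}, {"ipv4_src": src}],
        "actions": [{"output": p} for p in ports]}})

A, B = "10.132.0.10", "10.132.0.20"
# Constructed flow dump; dpid labels and the edge-2 port number are made up.
SAMPLE = [
    ("edge-1", sample_flow(A, B, [1])),    ("edge-1", sample_flow(B, A, [4])),     # standard
    ("core-1", sample_flow(A, B, [1, 6])), ("core-1", sample_flow(B, A, [4, 6])),  # bifurcated
    ("edge-2", sample_flow(A, B, [3])),    ("edge-2", sample_flow(B, A, [3])),     # one way
]

if __name__ == "__main__":
    for finding in find_taps(SAMPLE):
        print(finding)
```

Run against a controller's exported flow table, any finding that does not correspond to an approved capture session is worth investigating.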
Main Screen
Enter credentials, the source IP address and the analyzer IP address
Select Destination IP address
Flow Table
Analyzer anywhere in the openflow network
There are only four possible scenarios for deployment: Source and Analyzer on same dpid; Analyzer on Core Switch (Common Path); Destination and Analyzer on same dpid; All in One.
[Diagram legend: Source IP, Destination IP, Analyzer IP]
Hard setting the flows
[Diagram labels: S, D, A, Convergent dpid]
Getting flotapr2
flotapr2 is available in a docker image.
From a docker server: sudo docker pull xod442/flotapr2_v2
Once downloaded from dockerhub.com, start it up with:
sudo docker run -d -p 80:80 xod442/flotapr2_v2 /usr/sbin/apache2ctl -D FOREGROUND
Point a web browser at the IP address or FQDN of the docker server.
That’s it!!!