[EVE-NG Traffic Insight] 802.1ad (Q-in-Q)
<h1>1 <strong>Core principle: how BPF sees 802.1ad versus 802.1Q</strong></h1>
<p>First, the BPF <code>vlan</code> keyword is smart enough to recognise both 802.1Q (EtherType <code>0x8100</code>) and 802.1ad (EtherType <code>0x88a8</code>). The position rule for <code>vlan A and vlan B</code> from yesterday's discussion therefore applies here unchanged, because each <code>vlan</code> keyword also shifts the offsets of everything that follows it by one 4-byte tag:</p>
<ul>
<li>The first <code>vlan</code> keyword matches the outermost tag, which in 802.1ad is the <strong>S-TAG (Service Tag)</strong>.</li>
<li>The second <code>vlan</code> keyword matches the inner tag, which in 802.1ad is the <strong>C-TAG (Customer Tag)</strong>.</li>
</ul>
<p>If you want to capture only 802.1ad frames and leave plain 802.1Q alone, you have to use its own "ID card": EtherType <code>0x88a8</code>.</p>
<h2>1.1 <strong>Common 802.1ad (QinQ) capture-filter expressions</strong></h2>
<table>
<thead>
<tr>
<th>Scenario / Goal</th>
<th>BPF capture filter syntax</th>
<th>Plain-language explanation</th>
</tr>
</thead>
<tbody>
<tr>
<td>1. All 802.1ad frames</td>
<td><code>ether proto 0x88a8</code></td>
<td>Whatever the outer and inner VLAN IDs are, give me everything wrapped in 802.1ad's nested encapsulation.</td>
</tr>
<tr>
<td>2. Traffic with a specific outer S-TAG</td>
<td><code>vlan 500</code></td>
<td>Everything whose provider-assigned S-TAG is 500, regardless of the customer's C-TAG inside.</td>
</tr>
<tr>
<td>3. Traffic with a specific inner C-TAG</td>
<td><code>vlan and vlan 100</code></td>
<td>I do not care about the provider's S-TAG; I only want customer VLAN 100. (The bare <code>vlan</code> is a placeholder that consumes the outer tag, so that <code>vlan 100</code> is matched against the second tag.)</td>
</tr>
<tr>
<td>4. An exact S-TAG + C-TAG combination</td>
<td><code>vlan 500 and vlan 100</code></td>
<td>Only the traffic of this one household: provider S-TAG 500 carrying customer C-TAG 100.</td>
</tr>
<tr>
<td>5. IP traffic inside a specific QinQ tunnel</td>
<td><code>vlan 500 and vlan 100 and ip</code></td>
<td>All IP traffic inside the S-TAG 500 / C-TAG 100 tunnel.</td>
</tr>
<tr>
<td>6. A specific host inside a specific QinQ tunnel</td>
<td><code>vlan 500 and vlan 100 and host 192.168.1.1</code></td>
<td>Inside the S-TAG 500 / C-TAG 100 tunnel, only the conversations involving host 192.168.1.1.</td>
</tr>
</tbody>
</table>
<hr />
<h3>1.1.1 <strong>The decisive detail: <code>vlan</code> vs <code>ether proto</code></strong></h3>
<ul>
<li><code>vlan 500</code>: matches any frame whose outermost VLAN ID is 500, whether it is 802.1Q or 802.1ad encapsulated.</li>
<li><code>ether proto 0x88a8 and vlan 500</code>: stricter; matches only 802.1ad-encapsulated frames whose outer S-TAG is 500.</li>
</ul>
<p>In most cases the <code>vlan</code> keyword is all you need. In a mixed environment where 802.1Q and 802.1ad must be told apart strictly, combining it with <code>ether proto</code> is the more rigorous choice.</p>
<hr />
<h1>2 Diagnosing 802.1ad network faults with pure BPF/libpcap filter expressions (standard primitives only)</h1>
<h2>2.1 Basic 802.1ad identification</h2>
<h3>2.1.1 <strong>802.1ad frame structure and offsets</strong></h3>
<pre><code class="language-C">// 802.1ad frame layout (two tags)
| DMAC(6) | SMAC(6) | outer TPID (0x88a8) | outer TCI | inner TPID (0x8100) | inner TCI | EtherType | Payload |
// offset:    0         6          12              14              16              18          20         22
// Each TCI is 16 bits: PCP (3 bits) | DEI (1 bit) | VID (12 bits)
// 802.1ad frame (outer S-VLAN present)
ether[12:2] = 0x88a8
// 802.1ad frame with an inner C-VLAN
ether[12:2] = 0x88a8 and ether[16:2] = 0x8100
// single 802.1ad tag, no inner C-VLAN
ether[12:2] = 0x88a8 and ether[16:2] != 0x8100 and ether[16:2] != 0x88a8
</code></pre>
<h3>2.1.2 <strong>Extracting the S-VLAN and C-VLAN IDs</strong></h3>
<pre><code class="language-C">// S-VLAN ID (outer tag): low 12 bits of the outer TCI at offset 14
ether[12:2] = 0x88a8 and (ether[14:2] & 0x0fff) = 100                                   // S-VLAN ID 100
// C-VLAN ID (inner tag): low 12 bits of the inner TCI at offset 18
ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 and (ether[18:2] & 0x0fff) = 200          // C-VLAN ID 200
// S-VLAN and C-VLAN at the same time
ether[12:2] = 0x88a8 and (ether[14:2] & 0x0fff) = 100 and ether[16:2] = 0x8100 and (ether[18:2] & 0x0fff) = 200
</code></pre>
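<p>The expressions in 2.1.1 and 2.1.2, like every later one on this page, are nothing more than unsigned big-endian loads at byte offsets compared with constants, so they can be exercised against raw frame bytes without an interface or a capture. The Python below is an example added here; it is not part of the original page and it is not libpcap. It is a small parser and evaluator for exactly that <code>ether[off:size]</code> subset of the filter grammar (same operator precedence as libpcap), plus a hand-assembled 802.1ad frame: S-VLAN 100 at PCP 5, C-VLAN 200 at PCP 3, IPv4/UDP to port 4789, every value constructed and the checksums left at zero. Any expression from this page can be passed to <code>matches()</code> to confirm it selects the frame it is meant to.</p>

```python
"""Mini evaluator for this page's ether[off:size] BPF expressions (a constructed example, not libpcap):
numbers, ether[off], ether[off:size], greater/less N, & | + - << >>, relational operators, and/or/not, ()."""
import operator as o
import re

# Constructed 802.1ad frame (hand-assembled, not a capture): S-TAG PCP 5 / VID 100, C-TAG
# PCP 3 / VID 200, IPv4/UDP 192.168.1.10 -> 192.168.1.1 dport 4789; checksums left as zero.
SAMPLE_QINQ_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb"          # dst MAC (offset 0), src MAC (6)
    "88a8" "a064" "8100" "60c8" "0800"     # S-TAG (12, 14), C-TAG (16, 18), EtherType IPv4 (20)
    "45000024000100004011" "0000"          # IPv4 at 22: IHL 5, total length 36, protocol 17 at 31
    "c0a8010a" "c0a80101"                  # src 192.168.1.10 (34), dst 192.168.1.1 (38)
    "4e20" "12b5" "0010" "0000"            # UDP sport 20000 (42), dport 4789 (44), length, checksum
    "deadbeef00000000")                    # 8 payload bytes (50); 58 bytes in total

TOKEN = re.compile(r"(?P<num>0x[0-9a-fA-F]+|\d+)|(?P<kw>ether|greater|less|and|or|not)\b"
                   r"|(?P<op>==|!=|>=|<=|<<|>>|[=<>&|+\-()\[\]:])|(?P<bad>\S)")
LEVELS = (("or",), ("and",), ("not",), ("=", "==", "!=", ">", "<", ">=", "<="),
          ("|",), ("&",), ("<<", ">>"), ("+", "-"))   # loosest to tightest, as in libpcap
OPS = {"=": o.eq, "==": o.eq, "!=": o.ne, ">": o.gt, "<": o.lt, ">=": o.ge, "<=": o.le,
       "&": o.and_, "|": o.or_, "+": o.add, "-": o.sub, "<<": o.lshift, ">>": o.rshift,
       "and": lambda a, b: bool(a and b), "or": lambda a, b: bool(a or b)}

def tokenize(text):
    toks = []
    for m in TOKEN.finditer(text):                    # whitespace is skipped, junk is rejected
        kind, val = m.lastgroup, m.group()
        if kind == "bad":
            raise SyntaxError(f"unexpected {val!r} in filter")
        if kind == "num":
            val = int(val, 16) if val.lower().startswith("0x") else int(val)
        toks.append((kind, val))
    return toks + [("end", None)]                     # sentinel so peeking never overruns

def expect(toks, kind, val=None):
    k, v = toks.pop(0)
    if k != kind or (val is not None and v != val):
        raise SyntaxError(f"expected {val or kind}, got {v!r}")
    return v

def parse(toks, level=0):                             # precedence climbing over LEVELS
    if level == len(LEVELS):
        return parse_term(toks)
    if LEVELS[level] == ("not",):                     # the one unary level
        if toks[0] == ("kw", "not"):
            toks.pop(0)
            return ("not", parse(toks, level))
        return parse(toks, level + 1)
    node = parse(toks, level + 1)
    while toks[0][1] in LEVELS[level]:
        node = ("bin", toks.pop(0)[1], node, parse(toks, level + 1))
    return node

def parse_term(toks):
    k, v = toks[0]
    if k == "num":
        return ("num", expect(toks, "num"))
    if (k, v) == ("op", "("):
        toks.pop(0)
        node = parse(toks)
        expect(toks, "op", ")")
        return node
    if v in ("greater", "less"):                      # greater N is len >= N, less N is len <= N
        toks.pop(0)
        return ("bin", ">=" if v == "greater" else "<=", ("len",), ("num", expect(toks, "num")))
    expect(toks, "kw", "ether")                       # ether[off] or ether[off:size]
    expect(toks, "op", "[")
    off, size = parse(toks), 1
    if toks[0] == ("op", ":"):
        toks.pop(0)
        size = expect(toks, "num")
    expect(toks, "op", "]")
    return ("load", off, size)

def compile_filter(text):
    toks = tokenize(text)
    tree = parse(toks)
    if toks[0][0] != "end":
        raise SyntaxError(f"trailing token {toks[0][1]!r}")
    return tree

def evaluate(node, frame):
    kind = node[0]
    if kind in ("num", "len"):
        return node[1] if kind == "num" else len(frame)
    if kind == "not":
        return not evaluate(node[1], frame)
    if kind == "load":                                # big-endian unsigned, as in libpcap
        off, size = evaluate(node[1], frame), node[2]
        if not 0 <= off <= len(frame) - size:
            raise IndexError("load past end of frame")
        return int.from_bytes(frame[off:off + size], "big")
    return OPS[node[1]](evaluate(node[2], frame), evaluate(node[3], frame))

def matches(expr, frame):
    """True if the frame passes the filter; any load past the frame end fails the whole filter."""
    try:
        return bool(evaluate(compile_filter(expr), frame))
    except IndexError:
        return False
```

<p>A syntactically wrong expression raises <code>SyntaxError</code> (trailing tokens included), which catches typos before tcpdump rejects them. A load past the end of the frame fails the whole filter, which is slightly stricter than libpcap, since libpcap only fails on the branch it actually executes. <code>matches("ether[22 + ((ether[22] &amp; 0x0f) &lt;&lt; 2) + 2 : 2] = 4789", SAMPLE_QINQ_FRAME)</code> returns True: that variable-offset form computes the UDP destination port from the IHL field instead of assuming a 20-byte IPv4 header, which is what the fixed offset 44 used later on this page assumes.</p>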
<hr />
<h2>2.2 Detecting 802.1ad configuration faults</h2>
<h3>2.2.1 <strong>Tag configuration errors</strong></h3>
<pre><code class="language-C">// S-VLAN ID 0 (priority tag only) or 4095 (reserved)
ether[12:2] = 0x88a8 and ((ether[14:2] & 0x0fff) = 0 or (ether[14:2] & 0x0fff) = 4095)
// S-VLAN ID out of range (with a 12-bit mask only 4095 can exceed 4094)
ether[12:2] = 0x88a8 and (ether[14:2] & 0x0fff) > 4094
// C-VLAN ID 0 that is not a priority tag either (PCP is 0 as well)
ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 and (ether[18:2] & 0x0fff) = 0 and (ether[18:2] & 0xe000) = 0
// three stacked tags (a third 0x8100 sits where the payload EtherType should be)
ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 and ether[20:2] = 0x8100
</code></pre>
<h3>2.2.2 <strong>Selective QinQ configuration faults</strong></h3>
<pre><code class="language-C">// C-VLAN 100 that should have been encapsulated but arrives as a single 802.1Q tag
ether[12:2] = 0x8100 and (ether[14:2] & 0x0fff) = 100
// C-VLAN that should not have been encapsulated (VLAN 1 is usually not carried inside an S-VLAN)
ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 and (ether[18:2] & 0x0fff) = 1
// wrong S-VLAN to C-VLAN mapping (e.g. C-VLANs 100-200 belong in S-VLAN 10 but show up in S-VLAN 20)
ether[12:2] = 0x88a8 and (ether[14:2] & 0x0fff) = 20 and ether[16:2] = 0x8100 and
((ether[18:2] & 0x0fff) >= 100 and (ether[18:2] & 0x0fff) <= 200)
</code></pre>
<h3>2.2.3 <strong>MTU / frame size problems</strong></h3>
<pre><code class="language-C">// the second tag adds 4 bytes (8 bytes over an untagged frame), so a 1500-byte payload becomes a
// 1522-byte frame (FCS excluded), longer than the 1518-byte 802.1Q maximum. `greater N` means len >= N;
// captures normally exclude the FCS, so use 1523 instead if yours includes it
ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 and greater 1519
// IPv4 packets that were fragmented (MF flag or non-zero fragment offset; flags/offset word is at 28)
ether[12:2] = 0x88a8 and ether[20:2] = 0x0800 and (ether[28:2] & 0x3fff) != 0
// jumbo frames carrying 802.1ad
ether[12:2] = 0x88a8 and greater 9000
</code></pre>
<hr />
<h2>2.3 QoS / priority fault detection</h2>
<h3>2.3.1 <strong>S-VLAN priority marking</strong></h3>
<pre><code class="language-C">// S-VLAN PCP: the top 3 bits of the outer TCI, i.e. of the byte at offset 14
ether[12:2] = 0x88a8 and (ether[14:1] & 0xe0) = 0xe0                                     // PCP = 7 (highest)
// voice traffic (DSCP EF in the TOS byte at 23, RTP port range) not carried at S-VLAN PCP 7;
// assumes an IPv4 header without options (IHL = 5), so UDP starts at 42 and its destination port is at 44
ether[12:2] = 0x88a8 and (ether[14:1] & 0xe0) != 0xe0 and ether[20:2] = 0x0800 and ether[31] = 0x11 and
(ether[23] & 0xfc) = 0xb8 and (ether[44:2] >= 16384 and ether[44:2] <= 32767)
// S-VLAN DEI set while PCP is 0 (DEI is bit 4 of the byte at 14)
ether[12:2] = 0x88a8 and (ether[14:1] & 0x10) != 0 and (ether[14:1] & 0xe0) = 0x00
</code></pre>
<h3>2.3.2 <strong>C-VLAN to S-VLAN priority mapping</strong></h3>
<pre><code class="language-C">// C-VLAN PCP not carried over to the S-VLAN PCP (outer PCP byte at 14, inner at 18)
ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 and
((ether[14:1] & 0xe0) != (ether[18:1] & 0xe0))                                           // S-PCP != C-PCP
// service mapping (e.g. voice at C-VLAN PCP 5 should map to S-VLAN PCP 5)
ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 and (ether[18:1] & 0xe0) = 0xa0 and (ether[14:1] & 0xe0) != 0xa0
// remarking error: C-VLAN PCP 0 but the S-VLAN PCP was raised above 0
ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 and (ether[18:1] & 0xe0) = 0x00 and (ether[14:1] & 0xe0) > 0x00
</code></pre>
<hr />
<h2>2.4 Protocol-related fault detection</h2>
<h3>2.4.1 <strong>ARP problems inside 802.1ad</strong></h3>
<pre><code class="language-C">// in a two-tag frame the ARP header starts at 22: opcode at 28, sender IP at 36, target IP at 46
// ARP request whose sender and target are in different /24s (hosts on different C-VLANs talking to each other)
ether[12:2] = 0x88a8 and ether[20:2] = 0x0806 and ether[28:2] = 1 and
((ether[36:4] & 0xffffff00) != (ether[46:4] & 0xffffff00))
// ARP reply sent to the broadcast address (Proxy ARP misbehaving in the 802.1ad environment)
ether[12:2] = 0x88a8 and ether[20:2] = 0x0806 and ether[28:2] = 2 and
ether dst ff:ff:ff:ff:ff:ff
// gratuitous ARP (request with sender IP = target IP); read the S-TAG/C-TAG it arrived in from offsets 14/18
ether[12:2] = 0x88a8 and ether[20:2] = 0x0806 and ether[28:2] = 1 and
ether[36:4] = ether[46:4]
</code></pre>
<h3>2.4.2 <strong>DHCP/BOOTP relay problems</strong></h3>
<pre><code class="language-C">// all of these assume an IPv4 header without options (IHL = 5): UDP ports at 42/44, BOOTP header at 50
// DHCP client -> server (Discover/Request) inside a QinQ frame
ether[12:2] = 0x88a8 and ether[20:2] = 0x0800 and ether[31] = 0x11 and
ether[42:2] = 68 and ether[44:2] = 67
// DHCP still addressed to 255.255.255.255 where a relay should have unicast it to the server
ether[12:2] = 0x88a8 and ether[20:2] = 0x0800 and ether[31] = 0x11 and
ether[44:2] = 67 and ether[38:4] = 0xffffffff
// DHCP server -> client replies (BOOTREPLY, op byte 2 at 50) with the broadcast flag (bit 15 of the flags word at 60) clear
ether[12:2] = 0x88a8 and ether[20:2] = 0x0800 and ether[31] = 0x11 and
ether[42:2] = 67 and ether[44:2] = 68 and ether[50] = 2 and (ether[60] & 0x80) = 0x00
// Option 82 lives in the variable-length options area, so BPF cannot compare its circuit/remote ID
// with the S-VLAN ID at 14; do that comparison after capture
</code></pre>
<h3>2.4.3 <strong>Spanning tree inside 802.1ad</strong></h3>
<pre><code class="language-C">// BPDUs are LLC frames (DSAP/SSAP 0x42, control 0x03): in a two-tag frame the length field is at 20,
// the LLC header at 22, and the BPDU protocol version byte at 27 (0 = STP, 2 = RSTP, 3 = MSTP)
// MSTP BPDU inside 802.1ad
ether[12:2] = 0x88a8 and ether[20:2] < 0x0600 and ether[22:2] = 0x4242 and ether[24] = 0x03 and ether[27] = 3
// RSTP BPDU inside 802.1ad (possibly a misconfiguration)
ether[12:2] = 0x88a8 and ether[20:2] < 0x0600 and ether[22:2] = 0x4242 and ether[24] = 0x03 and ether[27] = 2
// classic STP (version 0) BPDU carried in a C-VLAN other than 1
// (PVST+ BPDUs are SNAP-encapsulated to 01:00:0c:cc:cc:cd and do not match this LLC test)
ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 and (ether[18:2] & 0x0fff) != 1 and
ether[20:2] < 0x0600 and ether[22:2] = 0x4242 and ether[24] = 0x03 and ether[27] = 0
</code></pre>
<hr />
<h2>2.5 Service provider network faults</h2>
<h3>2.5.1 <strong>Provider edge problems</strong></h3>
<pre><code class="language-C">// 802.1ad frames sent by customer equipment (should never happen; fill in the customer MAC)
ether[12:2] = 0x88a8 and ether src <customer device MAC>
// customer C-VLANs leaking inside the provider network (customer VLAN range 2-100)
ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 and
((ether[18:2] & 0x0fff) >= 2 and (ether[18:2] & 0x0fff) <= 100)
// TPID mismatch between providers: the inner tag uses none of the usual TPIDs (0x9100/0x9200/0x9300 are
// vendor QinQ TPIDs). Note this also matches single-tagged 802.1ad frames, since any payload EtherType passes
ether[12:2] = 0x88a8 and ether[16:2] != 0x8100 and ether[16:2] != 0x88a8 and
ether[16:2] != 0x9100 and ether[16:2] != 0x9200 and ether[16:2] != 0x9300
</code></pre>
<h3>2.5.2 <strong>E-Line / E-LAN service faults</strong></h3>
<pre><code class="language-C">// broadcast inside an E-Line (point-to-point) service on S-VLAN 100
ether[12:2] = 0x88a8 and (ether[14:2] & 0x0fff) = 100 and
ether dst ff:ff:ff:ff:ff:ff
// unknown unicast inside an E-LAN (multipoint) service on S-VLAN 200 (fill in the known MACs)
ether[12:2] = 0x88a8 and (ether[14:2] & 0x0fff) = 200 and
(ether[0] & 0x01) = 0x00 and not ether dst <known MAC>
// split-horizon violation in VPLS: a looped-back frame with source IP = destination IP (34 and 38)
ether[12:2] = 0x88a8 and ether[20:2] = 0x0800 and
ether[34:4] = ether[38:4]
</code></pre>
<h3>2.5.3 <strong>Q-in-Q and MAC-in-MAC interaction</strong></h3>
<pre><code class="language-C">// 802.1ah (MAC-in-MAC) over 802.1ad: B-TAG 0x88a8 at 12, I-TAG 0x88e7 at 16
ether[12:2] = 0x88a8 and ether[16:2] = 0x88e7
// the I-TAG is 6 bytes (TPID plus a 4-byte TCI), so the customer DA/SA follow at 22/28 and the
// customer EtherType is at 34; PBB frames whose encapsulated customer frame is itself VLAN-tagged
ether[12:2] = 0x88a8 and ether[16:2] = 0x88e7 and
(ether[34:2] = 0x8100 or ether[34:2] = 0x88a8)
</code></pre>
<hr />
<h2>2.6 Attack detection</h2>
<h3>2.6.1 <strong>VLAN hopping / Q-in-Q attacks</strong></h3>
<pre><code class="language-C">// malicious triple tagging (same test as the misconfiguration check in 2.2.1)
ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 and ether[20:2] = 0x8100
// S-VLAN spoofing: S-VID 0 from anything other than the provider's own equipment
ether[12:2] = 0x88a8 and (ether[14:2] & 0x0fff) = 0 and
not ether src <provider device MAC>
// C-VLAN impersonation: C-VID 1 (the usual native VLAN) arriving inside any S-VLAN
ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 and
(ether[18:2] & 0x0fff) = 1
</code></pre>
<h3>2.6.2 <strong>ARP spoofing in an 802.1ad environment</strong></h3>
<pre><code class="language-C">// ARP spoofing across S-VLANs: a request whose sender and target are in different /24s
ether[12:2] = 0x88a8 and ether[20:2] = 0x0806 and ether[28:2] = 1 and
((ether[36:4] & 0xffffff00) != (ether[46:4] & 0xffffff00))
// gateway ARP poisoning: a reply claiming the gateway IP from a MAC other than the gateway's
// (write the IP as a 32-bit number, e.g. 192.168.1.1 is 0xc0a80101)
ether[12:2] = 0x88a8 and ether[20:2] = 0x0806 and ether[28:2] = 2 and
ether[36:4] = <gateway IP as hex> and not ether src <gateway MAC>
</code></pre>
<h3>2.6.3 <strong>MAC address flooding</strong></h3>
<pre><code class="language-C">// BPF selects frames, it cannot count them: capture the unicast-sourced frames of S-VLAN 100 and
// count distinct source MACs after capture (source MAC starts at 6, group bit is its lowest bit)
ether[12:2] = 0x88a8 and (ether[14:2] & 0x0fff) = 100 and
(ether[6] & 0x01) = 0x00
// same for frames that also carry a C-TAG; there is no rate() primitive in BPF, so a threshold
// such as 10000 frames/s belongs in the tool that reads the capture
ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 and
(ether[6] & 0x01) = 0x00
</code></pre>
<hr />
<h2>2.7 Performance and capacity problems</h2>
<h3>2.7.1 <strong>Broadcast storm detection</strong></h3>
<pre><code class="language-C">// broadcast inside S-VLAN 100
ether[12:2] = 0x88a8 and (ether[14:2] & 0x0fff) = 100 and
ether dst ff:ff:ff:ff:ff:ff
// C-VLAN broadcast leaking into the S-VLAN
ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 and
ether dst ff:ff:ff:ff:ff:ff
// multicast flood: group bit set in the destination MAC, excluding broadcast, IPv6 multicast (33:33:..)
// and 01:00:.. (IPv4 multicast 01:00:5e, Cisco 01:00:0c); STP uses 01:80:c2 and is still included
ether[12:2] = 0x88a8 and (ether[0] & 0x01) = 0x01 and
not ether dst ff:ff:ff:ff:ff:ff and ether[0:2] != 0x3333 and ether[0:2] != 0x0100
</code></pre>
<h3>2.7.2 <strong>Bandwidth and congestion problems</strong></h3>
<pre><code class="language-C">// congestion of high-priority (PCP 7) traffic: select the large frames; BPF has no rate(), so a
// threshold such as 1 Mpps is applied by the capture tool, not the filter
ether[12:2] = 0x88a8 and (ether[14:1] & 0xe0) = 0xe0 and
greater 1400
// TCP resets inside 802.1ad (a retransmission cannot be recognised from a single frame);
// the flags byte at 55 assumes IHL = 5, RST is bit 0x04
ether[12:2] = 0x88a8 and ether[20:2] = 0x0800 and ether[31] = 0x06 and
(ether[55] & 0x04) != 0
// RTP-range UDP inside 802.1ad; sequence-number gaps (loss) are found after capture
ether[12:2] = 0x88a8 and ether[20:2] = 0x0800 and ether[31] = 0x11 and
ether[44:2] >= 16384 and ether[44:2] <= 32767
</code></pre>
<hr />
<h2>2.8 Advanced diagnostic expressions</h2>
<h3>2.8.1 <strong>Provider network diagnostics</strong></h3>
<pre><code class="language-C">// route leak between S-VLANs: S-VLAN 10 carrying 192.168.20.0/24 -> 192.168.30.0/24
// (IPv4 addresses are written as 32-bit numbers: 192.168.20.0 = 0xc0a81400, 192.168.30.0 = 0xc0a81e00)
ether[12:2] = 0x88a8 and (ether[14:2] & 0x0fff) = 10 and ether[20:2] = 0x0800 and
(ether[34:4] & 0xffffff00) = 0xc0a81400 and
(ether[38:4] & 0xffffff00) = 0xc0a81e00
// MPLS over 802.1ad
ether[12:2] = 0x88a8 and ether[20:2] = 0x8847                                            // MPLS unicast
ether[12:2] = 0x88a8 and ether[20:2] = 0x8848                                            // MPLS multicast
// VPLS control plane: LDP hellos (UDP 646); the LDP sessions themselves run over TCP 646
ether[12:2] = 0x88a8 and ether[20:2] = 0x0800 and ether[31] = 0x11 and
ether[42:2] = 646 and ether[44:2] = 646
</code></pre>
<h3>2.8.2 <strong>Data centre interconnect (DCI)</strong></h3>
<pre><code class="language-C">// VXLAN over 802.1ad (UDP destination port 4789)
ether[12:2] = 0x88a8 and ether[20:2] = 0x0800 and ether[31] = 0x11 and
ether[44:2] = 4789
// NVGRE over 802.1ad (IPv4 protocol 47 = 0x2f, GRE, at offset 31)
ether[12:2] = 0x88a8 and ether[20:2] = 0x0800 and
ether[31] = 0x2f
// STT over 802.1ad (TCP destination port 7471)
ether[12:2] = 0x88a8 and ether[20:2] = 0x0800 and ether[31] = 0x06 and
ether[44:2] = 7471
</code></pre>
<h3>2.8.3 <strong>Mobile backhaul</strong></h3>
<pre><code class="language-C">// GTP-U over 802.1ad (UDP port 2152 as source or destination)
ether[12:2] = 0x88a8 and ether[20:2] = 0x0800 and ether[31] = 0x11 and
(ether[42:2] = 2152 or ether[44:2] = 2152)
// PTP (IEEE 1588) over UDP/IPv4 inside 802.1ad: port 319 event messages, 320 general messages.
// SyncE itself is a physical-layer clock with no packets of its own; its ESMC PDUs use the
// slow-protocol EtherType 0x8809 (ether[20:2] = 0x8809)
ether[12:2] = 0x88a8 and ether[20:2] = 0x0800 and ether[31] = 0x11 and
(ether[44:2] = 319 or ether[44:2] = 320)
// PTP not carried at the highest S-VLAN priority
ether[12:2] = 0x88a8 and (ether[14:1] & 0xe0) != 0xe0 and
ether[20:2] = 0x0800 and ether[31] = 0x11 and
(ether[44:2] = 319 or ether[44:2] = 320)
</code></pre>
<hr />
<h2>2.9 Optimisation and debugging tips</h2>
<h3>2.9.1 <strong>Expressions that keep capture load down</strong></h3>
<pre><code class="language-C">// only the IPv4/ARP/IPv6 traffic of S-VLAN 100
ether[12:2] = 0x88a8 and (ether[14:2] & 0x0fff) = 100 and
(ether[20:2] = 0x0800 or ether[20:2] = 0x0806 or ether[20:2] = 0x86dd)
// drop broadcast/multicast to focus on unicast problems
ether[12:2] = 0x88a8 and (ether[0] & 0x01) = 0x00
// sampling: BPF has no random() primitive, so roughly 10 % sampling cannot be expressed in the
// filter; cut the volume in the capture tool instead, e.g. with a short snaplen (tcpdump -s)
ether[12:2] = 0x88a8
</code></pre>
<h3>2.9.2 <strong>Debugging specific problems</strong></h3>
<pre><code class="language-C">// connectivity in S-VLAN 100: ARP, plus IPv4 to or from the two hosts (write the IPs as 32-bit numbers)
ether[12:2] = 0x88a8 and (ether[14:2] & 0x0fff) = 100 and
(ether[20:2] = 0x0806 or (ether[20:2] = 0x0800 and
(ether[34:4] = <source IP as hex> or ether[38:4] = <destination IP as hex>)))
// QoS marking: S-VLAN PCP 0 or 7 only
ether[12:2] = 0x88a8 and ((ether[14:1] & 0xe0) = 0x00 or (ether[14:1] & 0xe0) = 0xe0)
// MTU: frames longer than 1500 bytes whose IPv4 total length (offset 24) also exceeds 1500
ether[12:2] = 0x88a8 and greater 1500 and
(ether[20:2] = 0x0800 and ether[24:2] > 1500)
</code></pre>
<p>These expressions use only standard primitives and explicit offset arithmetic (<code>ether[offset:size]</code>), not the <code>vlan1</code>/<code>vlan2</code>-style extended primitives some tools add, so they run on any standard libpcap. Two things to verify before trusting a filter that matches nothing: the offsets assume both tags are present in the bytes the filter sees, and on Linux a NIC with receive VLAN offload enabled strips the outer tag into socket metadata before the kernel filter runs, so <code>ether[12:2] = 0x88a8</code> silently never matches until the offload is disabled (<code>ethtool -K &lt;interface&gt; rxvlan off</code>) or the <code>vlan</code> keyword is used instead, which recent libpcap implements on Linux by reading that metadata; and every IPv4/UDP/TCP field above assumes a 20-byte IPv4 header (IHL = 5), which the variable-offset form <code>ether[22 + ((ether[22] &amp; 0x0f) &lt;&lt; 2) + 2 : 2]</code> removes at the cost of readability. Combined, these expressions diagnose most 802.1ad faults efficiently.</p>