zephyr/samples/net/capture
..
src
CMakeLists.txt
README.rst
prj.conf
sample.yaml

README.rst

.. _net-capture-sample:

Network Packet Capture
######################

Overview
********

This application will setup the device so that net-shell can be used
to enable network packet capture. The captured packets are sent to
remote host via IPIP tunnel. The tunnel can be configured to be in the
same connection as what we are capturing packets or it can be a separate
bearer. For example if you are capturing network traffic for interface 1,
then the remote host where the captured packets are sent can also be reached
via interface 1 or via some other network interface if the device has
multiple network interfaces connected.

Requirements
************

- :ref:`networking_with_host`

Building and Running
********************

Build the sample application like this:

.. zephyr-app-commands::
   :zephyr-app: samples/net/capture
   :board: <board to use>
   :conf: <config file to use>
   :goals: build
   :compact:


Network Configuration
*********************

The ``net-tools`` project contains ``net-setup.sh`` script that can be used to setup
the tunneling.

In terminal #1, type:

.. code-block:: console

   ./net-setup.sh -c zeth-tunnel.conf

The script will create following network interfaces:

.. code-block:: console

   zeth: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.0.2.2  netmask 255.255.255.255  broadcast 0.0.0.0
        inet6 2001:db8::2  prefixlen 128  scopeid 0x0<global>
        ether 00:00:5e:00:53:ff  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

   zeth-ip6ip: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1480
        inet6 2001:db8:200::2  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::c000:202  prefixlen 64  scopeid 0x20<link>
        sit  txqueuelen 1000  (IPv6-in-IPv4)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

   zeth-ip6ip6: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1452
        inet6 fe80::486c:eeff:fead:5d11  prefixlen 64  scopeid 0x20<link>
        inet6 2001:db8:100::2  prefixlen 64  scopeid 0x0<global>
        unspec 20-01-0D-B8-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 8  dropped 8 overruns 0  carrier 8  collisions 0

   zeth-ipip: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1480
        inet 198.51.100.2  netmask 255.255.255.0  destination 198.51.100.2
        inet6 fe80::5efe:c000:202  prefixlen 64  scopeid 0x20<link>
        tunnel   txqueuelen 1000  (IPIP Tunnel)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 7  dropped 0 overruns 0  carrier 0  collisions 0

   zeth-ipip6: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1452
        inet 203.0.113.2  netmask 255.255.255.0  destination 203.0.113.2
        inet6 fe80::387b:a6ff:fe56:6cac  prefixlen 64  scopeid 0x20<link>
        unspec 20-01-0D-B8-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 7  dropped 7 overruns 0  carrier 0  collisions 0

The ``zeth`` is the outer tunnel interface, all the packets go via it.
The other interfaces receive packets depending on the configuration you have
in the Zephyr side.

Network Capture Configuration
=============================

In Zephyr console, type:

.. code-block:: console

   uart:~$ net iface

   Interface 0x807df74 (Virtual) [1]
   =================================
   Interface is down.

   Interface 0x807e040 (Ethernet) [2]
   ==================================
   Link addr : 02:00:5E:00:53:3B
   MTU       : 1452
   Flags     : AUTO_START,IPv4,IPv6
   Ethernet capabilities supported:
   IPv6 unicast addresses (max 4):
        fe80::5eff:fe00:533b autoconf preferred infinite
        2001:db8::1 manual preferred infinite
   IPv6 multicast addresses (max 4):
        ff02::1
        ff02::1:ff00:533b
        ff02::1:ff00:1
   IPv6 prefixes (max 2):
        <none>
   IPv6 hop limit           : 64
   IPv6 base reachable time : 30000
   IPv6 reachable time      : 43300
   IPv6 retransmit timer    : 0
   IPv4 unicast addresses (max 2):
        192.0.2.1 manual preferred infinite
   IPv4 multicast addresses (max 1):
        <none>
   IPv4 gateway : 0.0.0.0
   IPv4 netmask : 255.255.255.0

Next the monitoring is setup so that captured packets are sent as a payload
in IPv6/UDP packets.

.. code-block:: console

   uart:~$ net capture setup 192.0.2.2 2001:db8:200::1 2001:db8:200::2
   Capture setup done, next enable it by "net capture enable <idx>"

The ``net capture`` command will show current configuration. As we have not
yet enabled capturing, the interface is not yet set.

.. code-block:: console

   uart:~$ net capture
   Network packet capture disabled
                   Capture  Tunnel
   Device          iface    iface   Local                  Peer
   NET_CAPTURE0    -        1      [2001:db8:200::1]:4242  [2001:db8:200::2]:4242

Next enable network packet capturing for interface 2.

.. code-block:: console

   uart:~$ net capture enable 2

The tunneling interface will be UP and the captured packets will be sent to
peer host.

.. code-block:: console

   uart:~$ net iface 1

   Interface 0x807df74 (Virtual) [1]
   =================================
   Name      : IPv4 tunnel
   Attached  : 2 (Ethernet / 0x807e040)
   Link addr : 8E:F9:94:6D:B9:E6
   MTU       : 1452
   Flags     : POINTOPOINT,NO_AUTO_START,IPv6
   IPv6 unicast addresses (max 4):
        fe80::aee6:fbff:fe50:28c0 autoconf preferred infinite
        2001:db8:200::1 manual preferred infinite
   IPv6 multicast addresses (max 4):
        <none>
   IPv6 prefixes (max 2):
        <none>
   IPv6 hop limit           : 64
   IPv6 base reachable time : 30000
   IPv6 reachable time      : 22624
   IPv6 retransmit timer    : 0
   IPv4 not enabled for this interface.

If you now do this:

.. code-block:: console

   uart:~$ net ping -c 1 192.0.2.2

You should see a ICMPv4 message sent to ``192.0.2.2`` and also the captured
packet will be sent to ``192.0.2.2`` in tunnel to ``2001:db8:200::2``
address. The UDP port is by default ``4242`` but that can be changed when
setting the tunnel endpoint address.

The actual captured network packets received at the end of the tunnel will look
like this:

.. code-block:: console

   No.     Time           Source                Destination           Protocol Length Info
        34 106.078538049  192.0.2.1             192.0.2.2             ICMP     94     Echo (ping) request  id=0xdc36, seq=0/0, ttl=64 (reply in 35)

   Frame 34: 94 bytes on wire (752 bits), 94 bytes captured (752 bits) on interface zeth-ip6ip, id 0
   Raw packet data
   Internet Protocol Version 6, Src: 2001:db8:200::1, Dst: 2001:db8:200::2
   User Datagram Protocol, Src Port: 4242, Dst Port: 4242
   Ethernet II, Src: 02:00:5e:00:53:3b (02:00:5e:00:53:3b), Dst: ICANNIAN_00:53:ff (00:00:5e:00:53:ff)
   Internet Protocol Version 4, Src: 192.0.2.1, Dst: 192.0.2.2
   Internet Control Message Protocol

   No.     Time           Source                Destination           Protocol Length Info
        35 106.098850599  192.0.2.2             192.0.2.1             ICMP     94     Echo (ping) reply    id=0xdc36, seq=0/0, ttl=64 (request in 34)

   Frame 35: 94 bytes on wire (752 bits), 94 bytes captured (752 bits) on interface zeth-ip6ip, id 0
   Raw packet data
   Internet Protocol Version 6, Src: 2001:db8:200::1, Dst: 2001:db8:200::2
   User Datagram Protocol, Src Port: 4242, Dst Port: 4242
   Ethernet II, Src: ICANNIAN_00:53:ff (00:00:5e:00:53:ff), Dst: 02:00:5e:00:53:3b (02:00:5e:00:53:3b)
   Internet Protocol Version 4, Src: 192.0.2.2, Dst: 192.0.2.1
   Internet Control Message Protocol