I am looking into writing a Wireshark plugin to handle the Layer 3 DSR (Direct Server Return) scheme we are using. Currently traffic cannot be reassembled due to the load balancing scheme we are using.
What happens is that based on various DSCP bits, an incoming packet will get its destination address rewritten (via iptables) to match that of the load balancer. This, combined with an alias on the loopback interface, allows a host behind the load balancer to accept traffic coming from the load balancer, and the reply packet goes directly to the client.
My question is whether this can even be done in a plugin. I suspect that I may have to modify the packet reassembly code to support a DSCP-bit->IP lookup table to perform the same address rewrite done on the servers so that the streams can be properly reassembled.
asked 27 Sep '10, 18:48
edited 27 Sep '10, 18:49
I used the wrong terminology. My problem is not with reassembly, but with building the conversation. After spending some time looking at the code, it looks like it is technically possible to modify find_conversation() to support a conditionally rewritten address, but it appears such a change would cause numerous problems in other parts of the code like SSL decryption. I took the easy way out and whipped up a tool with libpcap to take an existing trace file and perform the same mangle operations done by iptables on the server. This new trace file can then be handled as usual by Wireshark.
answered 07 Oct '10, 08:33
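The trace-rewriting approach from the answer above, as an added example (not the poster's tool): it parses the classic pcap format with the Python standard library instead of libpcap, maps each IPv4 frame's DSCP value to a destination address, and rewrites it the way the server-side rule would. The `DSCP_TO_ADDR` table and all function names are assumptions for illustration; the example also goes beyond the post by updating the IPv4 and TCP/UDP checksums so the rewritten trace still validates.

```python
import socket
import struct

# Constructed mapping (assumption): DSCP value -> rewritten destination address.
DSCP_TO_ADDR = {10: "192.0.2.10", 12: "192.0.2.12"}

def csum_update(old_sum, old_words, new_words):
    """Incremental Internet-checksum update, RFC 1624 eqn. 3."""
    acc = ~old_sum & 0xFFFF
    for old, new in zip(old_words, new_words):
        acc += (~old & 0xFFFF) + new
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return ~acc & 0xFFFF

def rewrite_frame(frame, dscp_map=DSCP_TO_ADDR):
    """Rewrite the IPv4 destination of one Ethernet II frame by its DSCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return frame                      # not IPv4: leave untouched
    addr = dscp_map.get(frame[15] >> 2)   # DSCP is the top 6 bits of TOS
    if addr is None:
        return frame
    buf, new_dst = bytearray(frame), socket.inet_aton(addr)
    old_w, new_w = struct.unpack("!2H", frame[30:34]), struct.unpack("!2H", new_dst)
    buf[30:34] = new_dst
    offsets = [24]                        # IPv4 header checksum
    # TCP/UDP checksums cover the destination through the pseudo-header;
    # other protocols get an out-of-range offset so they are skipped.
    l4 = 14 + (frame[14] & 0x0F) * 4 + {6: 16, 17: 6}.get(frame[23], len(frame))
    first_frag = (struct.unpack("!H", frame[20:22])[0] & 0x1FFF) == 0
    if first_frag and l4 + 2 <= len(frame):
        offsets.append(l4)
    for off in offsets:
        cur = struct.unpack("!H", buf[off:off + 2])[0]
        udp = off == l4 and frame[23] == 17
        if not (udp and cur == 0):        # UDP checksum 0 means "not used"
            new = csum_update(cur, old_w, new_w)
            # UDP transmits a computed zero as 0xFFFF
            buf[off:off + 2] = struct.pack("!H", 0xFFFF if udp and new == 0 else new)
    return bytes(buf)

def rewrite_pcap(data, dscp_map=DSCP_TO_ADDR):
    """Apply rewrite_frame to each record of a classic pcap (Ethernet)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected classic pcap with Ethernet link type")
    out, pos = [data[:24]], 24
    while pos + 16 <= len(data):
        caplen = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        out += [data[pos:pos + 16], rewrite_frame(data[pos + 16:pos + 16 + caplen], dscp_map)]
        pos += 16 + caplen
    return b"".join(out)
```

Feed it the bytes of a capture taken before the server-side rewrite and write the result to a new file; pcapng captures need converting to classic pcap first.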