)
推荐阅读:
1、EVE-NG 2TB全网最新最全镜像下载地址(保持更新):
https://www.emulatedlab.com/thread-939-1-1.html2、EVE-NG 2025全网最新最全资源大全(保持更新):
https://www.emulatedlab.com/thread-2262-1-1.html3、EVE-NG 国代答疑频道(免费公开访问):
https://pd.qq.com/s/8d1hglslz1核心原理:802.1ad 与 802.1Q 在BPF眼里的异同
首先,你得明白,BPF的vlan关键字很聪明,它能同时理解802.1Q(EtherType0x8100)和802.1ad(EtherType0x88a8)。所以,我们昨天讨论的关于vlan A and vlan B的位置决定论在这里完全适用。
- 第一个
vlan关键字:匹配最外层的标签,在802.1ad里就是S-TAG (Service Tag)。 - 第二个
vlan关键字:匹配内层的标签,在802.1ad里就是C-TAG (Customer Tag)。
但是,如果你想更精确地只抓802.1ad的帧,而不抓普通的802.1Q,那我们就得用上它的专属“身份证号”——EtherType0x88a8。
1.1802.1ad (QinQ) 常见抓包分析过滤语句
| 场景/目标 (Scenario / Goal) | BPF 捕获过滤器语法 (Capture Filter Syntax) | “说人话”解释 |
|---|---|---|
| 1. 抓取所有802.1ad帧 | ether proto 0x88a8 | 我不管你内外层VLAN是多少,只要是802.1ad这种套娃封装的,都给我抓出来。 |
| 2. 抓取特定外层S-TAG的流量 | vlan 500 | 只要是运营商分配的S-TAG是500的流量,不管里面客户的C-TAG是啥,我都要。 |
| 3. 抓取特定内层C-TAG的流量 | vlan and vlan 100 | 我不管外层运营商的S-TAG是啥,我只想看客户VLAN 100的流量。(注意:vlan and是用来占位的,确保vlan 100匹配的是第二层标签) |
| 4. 抓取精确的S-TAG+C-TAG组合 | vlan 500 and vlan 100 | 我就要看运营商S-TAG是500,里面客户C-TAG是100的这一家人的流量。 |
| 5. 抓取特定QinQ隧道内的IP流量 | vlan 500 and vlan 100 and ip | 在S-TAG 500、C-TAG 100这个隧道里,所有IP协议的流量都给我。 |
| 6. 抓取特定QinQ隧道内特定主机的流量 | vlan 500 and vlan 100 and host 192.168.1.1 | 在S-TAG 500、C-TAG 100这个隧道里,我只想看跟192.168.1.1这台主机有关的通信。 |
1.1.1终极奥义:vlanvsether proto的细微差别
vlan 500:这个过滤器会匹配任何最外层VLAN ID是500的帧,不管它是802.1Q还是802.1ad封装的。ether proto 0x88a8 and vlan 500:这个过滤器则更精确,它只匹配802.1ad封装的、并且外层S-TAG是500的帧。
在大多数情况下,vlan关键字已经足够好用。但如果你在一个复杂的环境里,需要严格区分802.1Q和802.1ad,那么组合使用ether proto会更严谨。
2 纯BPF/libpcap过滤表达式(标准原语)分析802.1ad网络故障
2.1 一、802.1ad基础识别
2.1.1 1.802.1ad帧结构偏移
// 802.1ad帧结构(双标签) | DMAC(6) | SMAC(6) | 外层TPID(0x88a8) | 外层TCI | 内层TPID(0x8100) | 内层TCI | EtherType | Payload | // 偏移量: 0 6 12 14 16 18 20 // 检测802.1ad帧(外层S-VLAN) ether[12:2] = 0x88a8 // 检测802.1ad内层C-VLAN存在 ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 // 检测单层802.1ad标签(无内层C-VLAN) ether[12:2] = 0x88a8 and ether[16:2] != 0x8100 and ether[16:2] != 0x88a82.1.2 2.S-VLAN和C-VLAN ID提取
// 提取S-VLAN ID(外层标签) ether[12:2] = 0x88a8 and (ether[14:2] & 0x0fff) = 100 // S-VLAN ID 100 // 提取C-VLAN ID(内层标签) ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 and (ether[18:2] & 0x0fff) = 200 // C-VLAN ID 200 // 同时匹配S-VLAN和C-VLAN ether[12:2] = 0x88a8 and (ether[14:2] & 0x0fff) = 100 and ether[16:2] = 0x8100 and (ether[18:2] & 0x0fff) = 2002.2 二、802.1ad配置故障检测
2.2.1 1.标签配置错误
// 检测S-VLAN ID为0或4095(保留值) ether[12:2] = 0x88a8 and ((ether[14:2] & 0x0fff) = 0 or (ether[14:2] & 0x0fff) = 4095) // 检测S-VLAN ID超出范围 ether[12:2] = 0x88a8 and (ether[14:2] & 0x0fff) > 4094 // 检测C-VLAN ID为0但非优先级标记 ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 and (ether[18:2] & 0x0fff) = 0 and (ether[18:2] & 0xe000) = 0 // 检测三层802.1Q封装(错误的三重标签) ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 and ether[20:2] = 0x81002.2.2 2.选择性QinQ配置故障
// 检测应封装但未封装的C-VLAN not ether[12:2] = 0x88a8 and ether[12:2] = 0x8100 and (ether[14:2] & 0x0fff) = 100 // 检测不应封装但被封装的C-VLAN ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 and (ether[18:2] & 0x0fff) = 1 // VLAN 1通常不应封装 // 检测S-VLAN与C-VLAN映射错误(如:C-VLAN 100-200应映射到S-VLAN 10,但映射到了S-VLAN 20) ether[12:2] = 0x88a8 and (ether[14:2] & 0x0fff) = 20 and ether[16:2] = 0x8100 and ((ether[18:2] & 0x0fff) >= 100 and (ether[18:2] & 0x0fff) <= 200)2.2.3 3.MTU/帧大小问题
// 802.1ad增加8字节,检测可能超MTU的帧 ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 and greater 1522 // 检测因802.1ad封装导致分片的IP包 ether[12:2] = 0x88a8 and ether[20:2] = 0x0800 and (ether[22:2] & 0x1fff) > 1500 // IP总长度大于1500 // 检测Jumbo帧与802.1ad兼容性 ether[12:2] = 0x88a8 and greater 90002.3 三、QoS/优先级故障检测
2.3.1 1.S-VLAN优先级标记
// 检测S-VLAN优先级(PCP)标记 ether[12:2] = 0x88a8 and (ether[14:1] & 0xe0) = 0xe0 // PCP=7(最高优先级) // 检测语音流量在S-VLAN中的优先级 ether[12:2] = 0x88a8 and (ether[14:1] & 0xe0) != 0xe0 and ether[20:2] = 0x0800 and ((ether[22:1] & 0xfc) = 0xb8) and (ether[30:2] >= 16384 and ether[30:2] <= 32767) // DSCP EF + RTP端口 // 检测S-VLAN DEI标记异常 ether[12:2] = 0x88a8 and (ether[14:2] & 0x1000) != 0 and (ether[14:1] & 0xe0) = 0x00 // DEI=1但PCP=02.3.2 2.C-VLAN到S-VLAN优先级映射
// 检测C-VLAN优先级未正确映射到S-VLAN ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 and ((ether[14:1] & 0xe0) != (ether[18:1] & 0xe0)) // S-VLAN PCP != C-VLAN PCP // 检测业务优先级映射(如:语音业务C-VLAN PCP=5应映射到S-VLAN PCP=5) ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 and (ether[18:1] & 0xe0) = 0xa0 and (ether[14:1] & 0xe0) != 0xa0 // 检测优先级重标记配置错误 ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 and (ether[14:1] & 0xe0) = 0x00 and (ether[18:1] & 0xe0) > 0x002.4 四、协议相关故障检测
2.4.1 1.ARP在802.1ad中的问题
// 检测S-VLAN中的ARP请求但C-VLAN不同 ether[12:2] = 0x88a8 and ether[20:2] = 0x0806 and ((ether[24:1] = 0x01) and (ether[34:4] & 0xffffff00) != (ether[44:4] & 0xffffff00)) // 检测Proxy ARP在802.1ad环境中的异常 ether[12:2] = 0x88a8 and ether[20:2] = 0x0806 and ether[24:1] = 0x02 and ether[30:6] = ff:ff:ff:ff:ff:ff // 检测Gratuitous ARP的VLAN不匹配 ether[12:2] = 0x88a8 and ether[20:2] = 0x0806 and ether[24:1] = 0x01 and ether[34:4] = ether[44:4] and (ether[38:4] & 0xffffff00) != (ether[34:4] & 0xffffff00)2.4.2 2.DHCP/BOOTP中继问题
// 检测DHCP Discover带Option 82在802.1ad中 ether[12:2] = 0x88a8 and ether[20:2] = 0x0800 and (ether[22:1] & 0x0f) > 5 and ether[27:1] = 0x11 and ether[32:2] = 68 and ether[34:2] = 67 and (ether[54:1] = 0x0c or ether[56:1] = 0x80) // 检测DHCP中继代理未正确处理802.1ad标签 ether[12:2] = 0x88a8 and ether[20:2] = 0x0800 and ether[27:1] = 0x11 and ether[32:2] = 67 and ether[22:16:4] = 255.255.255.255 // 检测DHCP服务器响应中的VLAN信息不匹配 ether[12:2] = 0x88a8 and ether[20:2] = 0x0800 and ether[27:1] = 0x11 and ether[32:2] = 68 and (ether[22:1] & 0x80) = 0x00 and (ether[14:2] & 0x0fff) != (ether[64:2] & 0x0fff) // S-VLAN ID != Option 82中的VLAN2.4.3 3.生成树协议在802.1ad中
// 检测MSTP在802.1ad中的BPDU ether[12:2] = 0x88a8 and ether[20:2] = 0x4242 and ether[22:1] = 0x03 // 检测RSTP BPDU在802.1ad中(可能配置错误) ether[12:2] = 0x88a8 and ether[20:2] = 0x4242 and ether[22:1] = 0x02 // 检测PVST+ BPDU在802.1ad中 ether[12:2] = 0x88a8 and ether[20:2] = 0x4242 and ether[22:1] = 0x00 and (ether[14:2] & 0x0fff) != 12.5 五、服务提供商网络故障
2.5.1 1.运营商边界问题
// 检测用户侧发送的802.1ad帧(不应发生) ether[12:2] = 0x88a8 and ether[0:6] = <用户设备MAC> // 检测运营商网络内部泄露用户C-VLAN ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 and ((ether[18:2] & 0x0fff) >= 2 and (ether[18:2] & 0x0fff) <= 100) // 用户VLAN范围 // 检测多运营商互通时的TPID不匹配 ether[12:2] = 0x88a8 and ether[16:2] != 0x8100 and ether[16:2] != 0x88a8 and ether[16:2] != 0x9100 and ether[16:2] != 0x9200 and ether[16:2] != 0x9300 // 非标准TPID2.5.2 2.E-Line/E-LAN服务故障
// 检测E-Line(点到点)服务中的广播流量 ether[12:2] = 0x88a8 and (ether[14:2] & 0x0fff) = 100 and ether[0:6] = ff:ff:ff:ff:ff:ff // 检测E-LAN(多点到多点)服务中的未知单播 ether[12:2] = 0x88a8 and (ether[14:2] & 0x0fff) = 200 and (ether[0:1] & 0x01) = 0x00 and not ether dst host <已知MAC> // 检测VPLS中的水平分割违规 ether[12:2] = 0x88a8 and ether[20:2] = 0x0800 and ether[22:12:4] = ether[22:16:4] // 源IP = 目的IP(环回)2.5.3 3.Q-in-Q与MAC-in-MAC交互
// 检测802.1ah (MAC-in-MAC) over 802.1ad ether[12:2] = 0x88a8 and ether[20:2] = 0x88e7 // 检测PBB (802.1ah) 与Q-in-Q结合的问题 ether[12:2] = 0x88a8 and ether[20:2] = 0x88e7 and (ether[30:2] = 0x8100 or ether[30:2] = 0x88a8) // PBB内的VLAN标签2.6 六、安全攻击检测
2.6.1 1.VLAN跳跃/Q-in-Q攻击
// 检测恶意三重标签攻击 ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 and ether[20:2] = 0x8100 // 检测S-VLAN欺骗攻击 ether[12:2] = 0x88a8 and (ether[14:2] & 0x0fff) = 0 and ether[0:6] != <运营商设备MAC> // 检测C-VLAN伪装攻击 ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 and (ether[18:2] & 0x0fff) = 1 and (ether[14:2] & 0x0fff) != 4095 // C-VLAN 1但S-VLAN不是40952.6.2 2.ARP欺骗在802.1ad环境
// 检测跨S-VLAN的ARP欺骗 ether[12:2] = 0x88a8 and ether[20:2] = 0x0806 and ether[24:1] = 0x01 and ether[34:4] = ether[44:4] and ((ether[38:4] & 0xffffff00) != (ether[34:4] & 0xffffff00)) // 检测网关ARP投毒在802.1ad中 ether[12:2] = 0x88a8 and ether[20:2] = 0x0806 and ether[24:1] = 0x02 and ether[34:4] = <网关IP> and ether[34:6] != <网关MAC>2.6.3 3.MAC地址泛洪攻击
// 检测S-VLAN内的MAC泛洪 ether[12:2] = 0x88a8 and (ether[14:2] & 0x0fff) = 100 and (ether[6:1] & 0x01) = 0x00 // 源MAC不是多播 // 检测C-VLAN MAC泛洪影响S-VLAN ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 and (ether[6:1] & 0x01) = 0x00 and rate() > 10000/1s2.7 七、性能与容量问题
2.7.1 1.广播风暴检测
// S-VLAN内广播风暴 ether[12:2] = 0x88a8 and (ether[14:2] & 0x0fff) = 100 and ether[0:6] = ff:ff:ff:ff:ff:ff // C-VLAN广播泄漏到S-VLAN ether[12:2] = 0x88a8 and ether[16:2] = 0x8100 and ether[0:6] = ff:ff:ff:ff:ff:ff // 检测多播泛滥 ether[12:2] = 0x88a8 and (ether[0:1] & 0x01) = 0x01 and ether[0:2] != 0x3333 and ether[0:2] != 0x0100 // 排除IPv6和STP多播2.7.2 2.带宽与拥塞问题
// 检测高优先级流量拥塞 ether[12:2] = 0x88a8 and (ether[14:1] & 0xe0) = 0xe0 and greater 1400 and rate() > 1000000/1s // 1Mpps // 检测TCP重传在802.1ad环境中 ether[12:2] = 0x88a8 and ether[20:2] = 0x0800 and (ether[22:1] & 0x0f) > 5 and ether[27:1] = 0x06 and (ether[37:1] & 0x04) != 0 // TCP RST // 检测UDP丢包(通过序列号间隙) ether[12:2] = 0x88a8 and ether[20:2] = 0x0800 and ether[27:1] = 0x11 and ether[32:2] >= 16384 and ether[32:2] <= 32767 // RTP端口范围2.8 八、高级诊断表达式
2.8.1 1.运营商网络诊断
// 检测不同S-VLAN间的路由泄漏 ether[12:2] = 0x88a8 and (ether[14:2] & 0x0fff) = 10 and ether[20:2] = 0x0800 and (ether[22:12:4] & 0xffffff00) = 192.168.20.0 and (ether[22:16:4] & 0xffffff00) = 192.168.30.0 // 检测MPLS over 802.1ad问题 ether[12:2] = 0x88a8 and ether[20:2] = 0x8847 // MPLS unicast ether[12:2] = 0x88a8 and ether[20:2] = 0x8848 // MPLS multicast // 检测VPLS控制平面问题 ether[12:2] = 0x88a8 and ether[20:2] = 0x0800 and ether[27:1] = 0x11 and ether[32:2] = 646 and ether[34:2] = 646 // LDP端口2.8.2 2.数据中心互联(DCI)
// 检测VXLAN over 802.1ad ether[12:2] = 0x88a8 and ether[20:2] = 0x0800 and ether[27:1] = 0x11 and ether[32:2] = 4789 // VXLAN端口 // 检测NVGRE over 802.1ad ether[12:2] = 0x88a8 and ether[20:2] = 0x0800 and (ether[22:1] & 0x0f) > 5 and ether[27:1] = 0x2f // IPv4协议号47 (GRE) // 检测STT over 802.1ad ether[12:2] = 0x88a8 and ether[20:2] = 0x0800 and ether[27:1] = 0x06 and ether[32:2] = 7471 // STT端口2.8.3 3.移动承载网络
// 检测GTP-U over 802.1ad ether[12:2] = 0x88a8 and ether[20:2] = 0x0800 and ether[27:1] = 0x11 and (ether[32:2] = 2152 or ether[34:2] = 2152) // GTP-U端口 // 检测同步以太网(SyncE)在802.1ad中 ether[12:2] = 0x88a8 and ether[20:2] = 0x0800 and ether[27:1] = 0x11 and ether[32:2] = 319 and ether[34:2] = 320 // PTP事件和通用消息 // 检测1588 PTP在802.1ad中的优先级 ether[12:2] = 0x88a8 and (ether[14:1] & 0xe0) != 0xe0 and ether[20:2] = 0x0800 and ether[27:1] = 0x11 and (ether[32:2] = 319 or ether[32:2] = 320)2.9 九、优化与调试技巧
2.9.1 1.性能优化表达式
// 只捕获特定S-VLAN的特定协议 ether[12:2] = 0x88a8 and (ether[14:2] & 0x0fff) = 100 and (ether[20:2] = 0x0800 or ether[20:2] = 0x0806 or ether[20:2] = 0x86dd) // 排除广播/多播以关注单播问题 ether[12:2] = 0x88a8 and (ether[0:1] & 0x01) = 0x00 // 采样捕获以减少负载 ether[12:2] = 0x88a8 and (random() & 0xff) < 25 // 约10%采样率2.9.2 2.调试特定问题
// 调试S-VLAN 100的连通性问题 ether[12:2] = 0x88a8 and (ether[14:2] & 0x0fff) = 100 and (ether[20:2] = 0x0806 or (ether[20:2] = 0x0800 and (ether[22:12:4] = <源IP> or ether[22:16:4] = <目的IP>))) // 调试QoS标记问题 ether[12:2] = 0x88a8 and ((ether[14:1] & 0xe0) = 0x00 or (ether[14:1] & 0xe0) = 0xe0) // 调试MTU相关问题 ether[12:2] = 0x88a8 and greater 1500 and (ether[20:2] = 0x0800 and (ether[22:2] & 0x1fff) > 1500)这些纯BPF表达式完全使用标准原语和偏移量计算,不依赖vlan1/vlan2等扩展原语,可以在所有标准libpcap实现中使用。通过组合这些表达式,可以高效诊断802.1ad网络中的各种故障。
