[NSX] How to decode "Trace the drop packet" message
haewon83
2024. 5. 10. 21:17
When a packet drop occurs on an NSX Edge, syslog records "Trace the drop packet" together with a Base64-encoded value.
Decoding this value reveals information about the dropped packet, such as the src/dst IP addresses.
Let's look at how to do this manually.
The example below was run on Windows.
1. First, Python must be installed.
2. Install scapy with pip.
C:\Users\jhaewon>pip install scapy
Collecting scapy
  Downloading scapy-2.5.0.tar.gz (1.3 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.3/1.3 MB 3.9 MB/s eta 0:00:00
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Installing backend dependencies ... done
  Preparing metadata (pyproject.toml) ... done
Building wheels for collected packages: scapy
  Building wheel for scapy (pyproject.toml) ... done
  Created wheel for scapy: filename=scapy-2.5.0-py2.py3-none-any.whl size=1444339 sha256=4664b131637f02ad5fe2e62dfdb0d00fb7e669e1d39f801c1031fdfad6679a5b
  Stored in directory: c:\users\jhaewon\appdata\local\pip\cache\wheels\11\ff\28\a1348d0c6d006242c053521732bc2951d0c9eca62a11430da1
Successfully built scapy
Installing collected packages: scapy
  WARNING: The script scapy.exe is installed in 'C:\Users\jhaewon\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.11_qbz5n2kfra8p0\LocalCache\local-packages\Python311\Scripts' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
Successfully installed scapy-2.5.0
3. Perform the Base64 decode in Python in the following order.
As the result below shows, the src/dst IP/port information can be identified.
If you suspect packet drops, check syslog, and if "Trace the drop packet" messages are being logged, you can decode them to examine the details.
./var/log/syslog $ grep "Trace the drop packet" syslog*
syslog:2024-04-28T13:41:21.424Z ### NSX 7888 ROUTING [nsx@6876 comp="nsx-edge" subcomp="datapathd" s2comp="ip" level="INFO"] Trace the drop packet @1028: RQAAPF2ZQAA7BvRAZ1Fr/mtjry+zjQBQaEXMpwAAAACgAnIQlOoAAAIEBbQEAggKJPBFaAAAAAABAwMH

C:\Users\jhaewon\Downloads>python
Python 3.11.9 (tags/v3.11.9:de54cf5, Apr 2 2024, 10:12:12) [MSC v.1938 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import base64
>>> from scapy.all import *
WARNING: Wireshark is installed, but cannot read manuf !
>>> s = 'RQAAPF2ZQAA7BvRAZ1Fr/mtjry+zjQBQaEXMpwAAAACgAnIQlOoAAAIEBbQEAggKJPBFaAAAAAABAwMH'
>>> d = base64.b64decode(s)
>>> i = IP(d)
>>> i
<IP version=4 ihl=5 tos=0x0 len=60 id=23961 flags=DF frag=0 ttl=59 proto=tcp chksum=0xf440 src=x.x.x.x dst=x.x.x.x |<TCP sport=x dport=x seq=x ack=0 dataofs=10 reserved=0 flags=S window=x chksum=0x94ea urgptr=0 options=[('MSS', 1460), ('SAckOK', b''), ('Timestamp', (x, 0)), ('NOP', None), ('WScale', 7)] |>>
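
A standard-library variant of the decode steps above, for triaging many syslog lines where scapy is not installed; it is an added example, not part of the original post. It assumes the message format and IPv4-first payload seen in the post's sample; `decode_drop` and `sample_line` are hypothetical names, and the sample packet is constructed with documentation addresses.

```python
import base64, binascii, ipaddress, re, struct

# Message format as in the page's syslog sample; "@<n>" is kept but not interpreted.
DROP_RE = re.compile(r"Trace the drop packet @(\d+): ([A-Za-z0-9+/=]+)")
PROTOS = {1: "icmp", 6: "tcp", 17: "udp"}
TCP_FLAGS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "A"), (0x20, "U"))

def decode_drop(line):
    """Return a dict describing the dropped packet, or None if nothing usable is found."""
    m = DROP_RE.search(line)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(2), validate=True)
    except (binascii.Error, ValueError):
        return None
    # Assumption: the blob starts at an IPv4 header, as the page's sample does.
    if len(raw) < 20 or raw[0] >> 4 != 4 or (raw[0] & 0x0F) < 5:
        return None
    ihl = (raw[0] & 0x0F) * 4
    info = {
        "at": int(m.group(1)),
        "len": struct.unpack("!H", raw[2:4])[0],
        "ttl": raw[8],
        "proto": PROTOS.get(raw[9], str(raw[9])),
        "src": str(ipaddress.IPv4Address(raw[12:16])),
        "dst": str(ipaddress.IPv4Address(raw[16:20])),
    }
    l4 = raw[ihl:]  # may be truncated; only read fields that are present
    if raw[9] in (6, 17) and len(l4) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    if raw[9] == 6 and len(l4) >= 14:
        info["flags"] = "".join(c for bit, c in TCP_FLAGS if l4[13] & bit)
    return info

def sample_line():
    """Constructed sample: a TCP SYN between documentation addresses, wrapped in a log line."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 59, 6, 0,
                     ipaddress.IPv4Address("192.0.2.10").packed,
                     ipaddress.IPv4Address("198.51.100.20").packed)
    tcp = struct.pack("!HHIIBBHHH", 45965, 80, 1, 0, 5 << 4, 0x02, 29200, 0, 0)
    blob = base64.b64encode(ip + tcp).decode()
    return ('2024-01-01T00:00:00.000Z NSX 1 ROUTING [nsx@6876 comp="nsx-edge" '
            'subcomp="datapathd" s2comp="ip" level="INFO"] '
            "Trace the drop packet @1028: " + blob)

if __name__ == "__main__":
    print(decode_drop(sample_line()))
```

Feeding each line of the `grep` output through `decode_drop` gives one record per dropped packet, which can then be grouped by `src`, `dst` and `dport` to see which flows are being dropped.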