-
Notifications
You must be signed in to change notification settings - Fork 38
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Goreplay not capturing actual user traffic that’s reaching varnish (port: 8983) #1246
Comments
Hey @Udaykumar519, great to see you back here! Hope you've been doing well. Based on the information you've provided, there could be several reasons why GoReplay is not capturing actual user traffic from port 8983. Here are some potential causes:
Without more specific details on how GoReplay is configured and deployed, these are general areas to investigate. Ensure that GoReplay's configuration aligns with the network topology and the specifics of the traffic you're trying to capture. For more information, you can refer to the GoReplay source code, specifically the internal/capture/capture.go file, which contains the implementation details of the traffic capturing functionality. If you could provide more details about your GoReplay configuration and deployment, it would be easier to diagnose the issue. For example, are there any error messages in the GoReplay logs? What is the exact command you're using to start GoReplay? What is the network topology where GoReplay is deployed? Sources
|
In the architecture mentioned above, i would like to give some more details which might help Here, varnish i mentioned is behind Load balancer, you can assume as below pinpointed issue: But when the user request comes to varnish through Load Balancer, gor is not capturing it |
@Udaykumar519 if you can capture "pcap" file using tcpdump it can help replicate the issue, and fix it. Thanks! |
@buger May i know probable issues due to which goreplay is not listening when the request is reached through Load Balancer? so that we will get some direction to debug |
I believe there could be issue with network interface mismatch, I would recommend trying this argument: --input-raw-bpf-filter "dst port 8983" |
Heyy @buger ! Thanks, its listening now when used below command: One small observation: |
@dosu-bot any suggestion on message above? Can you adjust bpf filter, so it will not listen of outgoing requests? |
To capture only the incoming traffic on port 8983 and exclude the outgoing traffic, you can refine your BPF filter with the command: sudo ./gor --input-raw :8983 --input-raw-bpf-filter "dst port 8983 and inbound" --output-stdout This command ensures that GoReplay listens only to incoming requests directed to port 8983, effectively filtering out the outgoing requests from the server on the same port. The It's important to note that the effectiveness of this command can depend on your specific network setup and the platform GoReplay is running on. If you encounter any issues or the traffic is not filtered as expected, you might need to adjust the BPF expression to better suit your environment. Regarding the options If you have further questions or need additional clarification, feel free to ask. Sources
|
Thanks a lot, @buger Asking out of curiosity, can you pls help me understand difference between below 2 goreplay commands?
|
@dosu-bot i may need a bit of your help here. Check the source code and show me the format of bpf filter which it generates by default, with example. And use it to explain difference between those 2 commands. |
The difference between the two GoReplay commands you've mentioned primarily lies in the use of the Berkeley Packet Filter (BPF) syntax to specify which traffic to capture.
Regarding the default behavior of GoReplay when no GoReplay utilizes the It's important to note that GoReplay does not explicitly differentiate between inbound and outbound traffic when applying the BPF filter. The directionality must be specified as part of the BPF expression itself, as seen in the first command. The This explanation should help you understand how GoReplay captures packets and the impact of specifying a BPF filter on the traffic that is captured. If you have further questions or need more information, feel free to ask. Sources
|
Ok, seems like time for a human to answer :)
Basically you receive the whole traffic, sometimes from multiple
interfaces, sometimes single interface can have multiple ips. So GoReplays
tries to create such bpf rule that it will catch only what you want.
However when it comes to varnish setup, ip of incoming user traffic in tcp
packet does not always match ip of interface…
Пн, 1 апр. 2024 г. в 11:48, dosubot[bot] ***@***.***>:
The difference between the two GoReplay commands you've mentioned
primarily lies in the use of the Berkeley Packet Filter (BPF) syntax to
specify which traffic to capture.
1.
The command sudo ./gor --input-raw :8983 --input-raw-bpf-filter "dst
port 8983 and inbound" --output-stdout uses a BPF filter to capture
only inbound traffic destined for port 8983. This is achieved by specifying "dst
port 8983 and inbound" in the BPF filter, which tells GoReplay to
listen for packets where the destination port is 8983 and the direction is
inbound, effectively filtering out any outbound traffic from the server on
the same port.
2.
On the other hand, the command sudo ./gor --input-raw :8983
--output-stdout without specifying a BPF filter captures all packets
that GoReplay has permission to see on port 8983, including both inbound
and outbound traffic. In the absence of a specific BPF filter, GoReplay
does not apply any additional filtering criteria, capturing all traffic it
can access on the specified port.
Regarding the default behavior of GoReplay when no --input-raw-bpf-filter
argument is provided, it typically captures all packets on the specified
port(s) without additional filtering, unless default filtering criteria are
defined by the tool itself. However, the exact default BPF filter format
GoReplay uses in this scenario is not explicitly documented.
GoReplay utilizes the capture package for packet capturing, with the
EnginePcap engine being a key component in this process. The --input-raw
argument initializes a RAWInput instance with specific network address
and configuration, including the packet capture engine and protocol to
capture. The --input-raw-bpf-filter argument allows users to directly
specify a BPF string, which is applied to the pcap handle when capturing
packets. This is managed in the codebase through the PcapOptions struct,
which contains a BPFFilter field for holding the user-provided BPF filter
string.
It's important to note that GoReplay does not explicitly differentiate
between inbound and outbound traffic when applying the BPF filter. The
directionality must be specified as part of the BPF expression itself, as
seen in the first command. The SetBPFFilter function applies the compiled
BPF filter to the socket, filtering packets based on the specified criteria
without considering the direction of the traffic.
This explanation should help you understand how GoReplay captures packets
and the impact of specifying a BPF filter on the traffic that is captured.
If you have further questions or need more information, feel free to ask.
Sources
- docs/Capturing-and-replaying-traffic.md
<https://github.com/buger/goreplay/blob/master/docs/Capturing-and-replaying-traffic.md>
- input_raw_test.go
<https://github.com/buger/goreplay/blob/master/input_raw_test.go>
- internal/capture/capture.go
<https://github.com/buger/goreplay/blob/master/internal/capture/capture.go>
- internal/capture/sock_linux.go
<https://github.com/buger/goreplay/blob/master/internal/capture/sock_linux.go>
About Dosu
This response is meant to be useful and save you time. It is *not meant
to be a precise solution*, but rather a starting point for your own
research.
Help me be more useful! Please leave a 👍 if this is helpful and 👎 if it
is irrelevant.
If you want to continue the conversation, start your reply with @dosu-bot
<https://github.com/dosu-bot>.
—
Reply to this email directly, view it on GitHub
<#1246 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAADNOKKKADZS2QWLRD5XS3Y3ENOVAVCNFSM6AAAAABFOERDE6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAMRZGQZDIMZUGI>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
--
Sincerely yours, Leonid Bugaev
https://goreplay.org - test your system with real data
@buger <https://twitter.com/buger> - me on twitter
|
The difference between the two GoReplay commands you've inquired about essentially boils down to how they filter the network traffic they capture, particularly in terms of specifying which packets to listen to.
The key difference lies in the use of the Without a BPF filter, GoReplay captures a broader range of packets, which might include traffic not relevant to your monitoring or analysis goals. This can lead to capturing more data than necessary, potentially increasing the overhead and making it harder to focus on the traffic of interest. In summary, the use of a BPF filter with GoReplay provides a powerful mechanism to precisely define the scope of traffic capture, enabling more targeted monitoring and analysis of network traffic.
|
Its quite contradictory when tested with and without bpf filter let me know if i am missing anything here when tried below command: output it given: Here, its not listening requests from load balancer but ideally as per goreplay reference it should listen to whole traffic when tried below command: Output it given: Here, we have used explicit filter, here its working as expected when received traffic from load balancer |
any corrections or confirmations here? |
Yes I this it is correct. They key part here is probably this line which makes the difference Can you run the following command: |
Hello all,
our application architecture on production:
client --> varnish cache (port: 8983) --> tomcat backend (port: 8984)
Using GoReplay, we are trying to redirect requests that reach our varnish that listens on 8983 port to another server.
Before redirecting, we have tried testing whether its correctly listening or not
Command used to listen:
sudo ./gor --input-raw :8983 --output-stdout
ISSUE:
However, we found that goreplay is not capturing actual user traffic from port 8983
But it's listening successfully when a request is fired explicitly from a browser or with curl.
Can someone pls help us know why its not capturing user traffic from 8983 port?
The text was updated successfully, but these errors were encountered: