flotapr2 Analyze traffic from anywhere in the openflow network www.wookieware.com

flotapr2

Analyze traffic from anywhere in the openflow network

www.wookieware.com

Success from failure

It started with an SDN application called flotapr. Its premise was that it could find all the conversations a target host was having and let you pick which conversation you wanted to tap into. The limiting factor was that the analyzer “always” had to be on the same dpid as the source IP. I have no idea how this application ever gave the appearance of working but somehow it looked like it did.

Flotapr2 was born out of flotapr’s failure. Now with flotapr2 you can pick any source, destination and analyzer port in the openflow network and all the flows will automatically be set up. There are many different flow types: source flow, destination flow, analyzer flow and, most important, the convergent flow. This is where the path from the source to the analyzer and the path from the destination to the analyzer converge. At this point a bifurcated flow is created, and the flows pushed to the dpids along the path to the analyzer are configured as one way only.

Typical network capture

Target Host

All traffic from and to host

Mirror traffic to remote port

Analyzer

All traffic in and out of a specific port can be mirrored to another port.

OpenFlow network capture

Source Host

Traffic from src to dst & traffic from dst to src

Mirror traffic to analyzer

Destination Host

Traffic from src to dst & traffic from dst to src

Analyzer

One way traffic

Flows

{"flow":{"priority":30000,"idle_timeout":60000,"match":[{"eth_type":"ipv4"},{"ipv4_dst":"10.132.0.20"},{"ipv4_src":"10.132.0.10"}],"actions":[{"output":1}]}}

{"flow":{"priority":30000,"idle_timeout":60000,"match":[{"eth_type":"ipv4"},{"ipv4_dst":"10.132.0.10"},{"ipv4_src":"10.132.0.20"}],"actions":[{"output":4}]}}

{"flow":{"priority":30000,"idle_timeout":60000,"match":[{"eth_type":"ipv4"},{"ipv4_dst":"10.132.0.20"},{"ipv4_src":"10.132.0.10"}],"actions":[{"output":1},{"output":6}]}}

{"flow":{"priority":30000,"idle_timeout":60000,"match":[{"eth_type":"ipv4"},{"ipv4_dst":"10.132.0.20"},{"ipv4_src":"10.132.0.10"}],"actions":[{"output":4},{"output":6}]}}

flotapr2 verifies OpenFlow 1.0 or 1.3 capabilities. In the case of 1.3, a table variable is supplied at the login screen and is passed to the flows along with a modified instruction set.

Standard flow

Bifurcated flow: forks traffic to analyzer port or direction (Port 6)
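
An added example, not flotapr2's own code: a sketch of how the convergent dpid can be found and which dpids get standard, bifurcated and one-way flows, emitting the JSON shape shown above. It assumes a loop-free topology where both paths share the same tail from the convergent dpid to the analyzer; plan_tap, the port map and the s1..s4 topology are hypothetical.

```python
import json

def flow(src, dst, ports):
    # Same JSON shape as the flows on the slide; one output action per port.
    return {"flow": {"priority": 30000, "idle_timeout": 60000,
                     "match": [{"eth_type": "ipv4"}, {"ipv4_dst": dst}, {"ipv4_src": src}],
                     "actions": [{"output": p} for p in ports]}}

def plan_tap(src_ip, dst_ip, src_path, dst_path, port):
    """Return (convergent dpid, {dpid: [src->dst flow, dst->src flow]}).

    src_path / dst_path: dpids from each host's switch to the analyzer's switch.
    port[(dpid, neighbour)]: port on dpid facing a neighbouring dpid or an
    attached host, named 'src', 'dst' or 'analyzer' (hypothetical convention).
    """
    conv = next((d for d in src_path if d in dst_path), None)
    if conv is None:
        raise ValueError("paths to the analyzer never converge")
    i, j = src_path.index(conv), dst_path.index(conv)
    # Assumed loop-free: src->dst traffic climbs to conv, then descends to dst.
    data = ["src"] + src_path[:i] + [conv] + dst_path[:j][::-1] + ["dst"]
    tail = src_path[i:] + ["analyzer"]        # conv ... analyzer
    flows = {}
    for k in range(1, len(data) - 1):
        dpid = data[k]
        fwd = [port[(dpid, data[k + 1])]]     # toward the destination
        rev = [port[(dpid, data[k - 1])]]     # toward the source
        if dpid == conv:                      # bifurcated: copy toward analyzer
            fwd.append(port[(conv, tail[1])])
            rev.append(port[(conv, tail[1])])
        flows[dpid] = [flow(src_ip, dst_ip, fwd), flow(dst_ip, src_ip, rev)]
    for k in range(1, len(tail) - 1):         # past conv: one way, analyzer only
        out = [port[(tail[k], tail[k + 1])]]
        flows[tail[k]] = [flow(src_ip, dst_ip, out), flow(dst_ip, src_ip, out)]
    return conv, flows

# Constructed topology: s1 (source) - s2 (core) - s3 (destination), s2 - s4 (analyzer).
PORTS = {("s1", "src"): 1, ("s1", "s2"): 2, ("s2", "s1"): 4, ("s2", "s3"): 1,
         ("s2", "s4"): 6, ("s3", "s2"): 2, ("s3", "dst"): 1, ("s4", "analyzer"): 2}

if __name__ == "__main__":
    conv, flows = plan_tap("10.132.0.10", "10.132.0.20",
                           ["s1", "s2", "s4"], ["s3", "s2", "s4"], PORTS)
    print("convergent dpid:", conv)
    print(json.dumps(flows, indent=1))
```

Passing single-element paths such as ["s9"] for both hosts covers the case where source, destination and analyzer all sit on one dpid: that dpid is the convergent one and receives only the two bifurcated flows.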

Main Screen

Enter credentials, the source IP address and the analyzer IP address

Select Destination IP address

Flow Table

Source and Analyzer on same dpid

There are only four possible scenarios for deployment

Source IP

Destination IP

Analyzer IP

Analyzer on Core Switch (Common Path)

Analyzer anywhere in the openflow network

Destination and Analyzer on same dpid

All in One

Source IP

Destination IP

Analyzer IP

Hard setting the flows

S

D

A

Convergent dpid

Getting flotapr2

flotapr2 is available in a docker image.

From a docker server: sudo docker pull xod442/flotapr2_v2

Once downloaded from dockerhub.com, start it up with:

sudo docker run -d -p 80:80 xod442/flotapr2_v2 /usr/sbin/apache2ctl -D FOREGROUND

Point a web browser at the ip address or FQDN of the docker server.

That’s it!!!