Capture data on open-source router interfaces in GNS3

October 17, 2015 — Leave a comment

In this post, I will show how to set up data capture in the GNS3 network simulator when using network devices that are emulated by VirtualBox or QEMU virtual machines.

The GNS3 network simulator makes it easy for users to capture and view data passing across the interfaces of devices running in a GNS3 network simulation. The GNS3 documentation covers how to capture data from devices running on Dynamips in GNS3 but the procedures for capturing data from devices running in other hypervisors, such as VirtualBox or QEMU/KVM, are not well documented.

cap-cover-shot-2b

While GNS3 users may start and stop data capture on Dynamips VM interfaces any time they wish, they must plan ahead when they intend to capture data on open-source routers and hosts running on VirtualBox or QEMU virtual machines.

Data capture in GNS3

Depending on the virtualization technology running the device in GNS3, data capture will — or will not — work in different ways. In the sections below we discuss the different ways data capture works for interfaces on VirtualBox VMs, QEMU VMs, or GNS3 devices like the Hub device.

Data capture on GNS3 devices

GNS3 devices, like the Hub device, or like Cisco router images running on Dynamips, have no restrictions on the way data capture works. Data capture may be enabled or disabled on GNS3 device interfaces at any time while the device is running in GNS3.

Data capture with QEMU VMs

It is not possible to capture data on QEMU virtual machine interfaces. Users may work around this limitation by placing a GNS3 Hub device in-line in the link connected to the virtual Machine’s interface from which they want to capture data. Then they start data capture on the Hub node’s interface connected to the VM interface from which they wish to capture data.

Data capture with VirtualBox VMs

Users may capture data on VirtualBox VMs’ interfaces. However, the data capture must be started before the virtual machine is started. If a user wants to capture data on the interfaces belonging to a VirtualBox VM that is already running, she must stop the VM, then start data capture on one or more of its interfaces, and re-start the VM.

While not necessary to enable data capture on VirtualBox VM interfaces, it may be more convenient to use GNS3 devices like the Hub device in-line in the link connected to the virtual machine’s interface, as described in the QEMU case above.

Recommendations

Personally, I prefer to use VirtualBox VMs instead of QEMU VMs when simulating networks of open-source routers in GNS3. So I am able plan ahead and start data capture on VirtualBox VM interfaces where I need them.

I like to keep my GNS3 network diagram clean so I do not add GNS3 hub devices in-line with every link to enable ad-hoc data capture. Also, adding additional GNS3 devices use more system resources so I avoid using them if I can capture data without them.

However, I can anticipate cases where I may use in-line GNS3 Hub devices to enable ad-hoc data capture. If I were to create a simulation scenario that would generate a large volume of data traffic across an interface from which I knew I would want to capture data, I might use a Hub device on that link so I could capture data only when I needed to, by starting and stopping data capture on the Hub interface, and avoid creating large files that use up memory while the simulation is running.

GNS3 data capture tutorial

We will work through some examples of capturing and analyzing data generated in GNS3 simulation scenarios. This example should be useful to users of all virtual machine technologies supported in GNS3.

GNS3 Packet Capture Preferences

GNS3 integrates with the Wireshark packet capture and analysis tool. Open the GNS3 Packet Capture Preferences window and configure the way you would like Wireshark to work. The default settings work well so you can skip this step if you want.

If you wish to modify the preferences, you will have the following options to configure:

GNS3 default data capture preferences

GNS3 default data capture preferences

The Preconfigured packet capture reader commands menu allows you to set the type of Wireshark packet capture display: Traditional or Live.

Traditional packet capture will write captured packets to a file and displays them in Wireshark only when the user presses the “refresh” button in Wireshark. This is the default setting.

Live packet capture also writes captured packets to a file and it displays each packet in Wireshark at the same time it is captured. Choose this option if you want to watch the captured packets flow by in real time. But if the data rate is high, it is not so useful to look at live data.

The Packet capture reader command is set automatically when you choose the type of Wireshark packet capture so do not modify it unless you wish to override the pre-configured commands.

The Automatically start packet capture application check box determines whether Wireshark starts automatically when you start packet capture on a link, or if you must start Wireshark as a second step. I prefer to clear this check box so I start Wireshark as a second step. I like to set multiple data capture points in a simulation scenario but don’t want a too many windows opening automatically.

The Packet capture analyzer command field may be left blank.

See the figure below to see the settings I recommend for Packet Capture Preferences:

Recommended packet capture preference settings

Recommended packet capture preference settings

How to start data capture

We start data capture in the GNS3 GUI using one of these methods:

  • Right-click on a link in the GNS3 network diagram, select Data Capture; or
  • Right-click on a device in the GNS3 network diagram, select Data Capture; or
  • Right-click on an interface in the GNS3 Topology Summary panel, select Data Capture, or
  • Right-click on a node in the GNS3 Topology Summary panel, select Data Capture
Start data capture by right-clicking the link in either the network view or the Topology Summary dock

Start data capture by right-clicking the link in either the network view or the Topology Summary dock

After starting data capture on a link or a node, you will see a dialogue boxing in which you must choose one of the interfaces on the link or node. Choose one of them. In this example, we have an interface connected to a GNS3 Switch device and an interface connected to a Router, which is emulated by a VirtualBox virtual machine.

In this case, we choose the interface on the GNS3 Switch device, as seen below:

select an interface at one end of the link

select an interface at one end of the link

In the Topology Summary dock, you will see a looking-glass icon next to devices that have data capture started.

See the "looking glass" icon under SW1 in the Topology Summary dock

See the “looking glass” icon under SW1 in the Topology Summary dock

Data Capture Files

When you start data capture on an interface in GNS3, packets are captured and written to a file in the GNS3 project’s folder. Wireshark does not need to be started. Packets are already being captured. Wireshark just reads packets from the data capture file.

For example, in this tutorial, a packet capture started on the GNS3 Switch device’s port 1 would be saved to a file like: ~/GNS3//projects/Project-01/project-files/captures/SW1_1_to_Router-3_Ethernet0.pcap.

You can start data captures on multiple interfaces in your simulation scenario and then, when the time is right, you can start Wireshark and analyze packets that have been captured. I set GNS3 preferences (see above) so that Wireshark does not automatically start when I start data capture on an interface.

VirtualBox VM interfaces

Remember that GNS3 cannot start a data capture on a VirtualBox VM interface is the VM is running. If you try to start data capture when the VM is running, nothing will happen. You will not see any alert pop up but, if you are monitoring the GNS3 console, you will see the error message appear there.

To start data capture, first stop the VirtualBox VM. Right-click on the device — for example, the Router-3 device — and select Stop from the menu that appears.

Then start data capture on one or more of the VM’s interfaces. Right-click on the device again, and choose Capture from the menu. Select the interface.

Stop the VirtualBox VM, start capture on an interface, then start it again

Stop the VirtualBox VM, start capture on an interface, then start it again

To restart the device, right-click on it and select Start from the menu that appears.

As an alternative to the above procedure, you could add a GNS3 Hub device in-line with the link connected to the interface from which you want to capture data. See the section below about QEMU VM interfaces to learn how to do that.

QEMU VM interfaces

Since data capture cannot be started on QEMU virtual machines’ interfaces we have to capture data on another device’s interface that is connected to the QEMU VM’s interface.

We don’t have any QEMU machines created in this example but this procedure will work for any VM type.

Imagine we want to capture data from Router-3’s eth6 interface and imagine Router-3 is a QEMU VM (or is a VirtualBox VM that we do not want to stop) so we cannot start capture on the VM’s eth6 interface.

Now, look at the network diagram and find the link that connects to Router-3’s eth6 interface. Look at the device on the other end of the link. If it is a GNS3 device like a Hub or a Cisco router then we can start data capture on that device’s interface that is connected to the same link as Router-3’s eth6 interface. Traffic on that link is passing between both devices so we may capture data on an interface at the other end of the link and still see the packets we need to analyze.

But, in this example, the device on the other end of the link, Router-2, is another VM (and we again imagine that we do not want to stop that VM or that it is a QEMU VM). So we need to add a new device into the Router-2 to Router-3 link from which we can capture data.

First, delete the link between Router-2 and Router 3. Then drag a Hub device onto the network map and place it between Router-2 and Router-3. Then, add a new link to connect Router-2’s interface eth6 to the Hub device, and another link to connect Router-3’s eth6 interface to the Hub device.

See data capture is started

To capture data passing through Router-2 interface eth6, start data capture on HUB interface 2

Now you have a hub device in-line on a link between Router-2 and Router-3 and you are capturing data on one of the hub interfaces, at which point all data passing between Router-2 and Router-3 is also captured.

You may start Wireshark on the data capture point to view packets traversing the link.

Managing data capture points

In a complex network simulation scenario, you may want to capture data at many points in the network. GNS3 will help you keep track of the interfaces that have data capture started.

We will call a interface on which data capture has been started a data capture point. Data capture points are identified in the GNS3 Topology Summary panel by a small looking-glass icon next to an interface.

Data capture point indicated by looking-glass icon

Data capture point indicated by looking-glass icon

If you have a large network with many nodes, you can filter out the nodes that do not have data capture points so you can quickly find the interface from which you wish to monitor captured data.

Right-click anywhere in the Topology Summary panel and select Show devices with capture(s) from the menu. Then only nodes with data capture points will appear in the summary.

Filtering data capture points in the Topology Summary panel

Filtering data capture points in the Topology Summary panel

To view all nodes again in the Topology Summary panel, right-click anywhere in the panel and select Show all devices from the menu.

Use Wireshark to view data

To view captured data, right-click on an interface that already has data capture started and select Start Wireshark from the menu. You may right-click on the link in the netowkr map or in the Topology Summary panel.

View packets being captured on the interface by starting Wireshark

View packets being captured on the interface by starting Wireshark

Wireshark will start and will display the data captured on the interface. In our example, since we are not running any user data across the link, we should only see protocol packets such as OSPF Hello messages.

Capture of data passing between Router-2 and Router-3

Use Wireshark to view the captured data

The data capture is running even if it is not being viewed in Wireshark so you can look at all packets received since you started capturing data, even if you waited until later to view the captured packets using Wireshark.

Using multiple Wireshark windows

You may run multiple Wireshark windows at the same time if you wish to view data capture at different point simultaneously. However, if you are using the Live packet capture preference, as I usually do, you will need to manually keep track of which Wireshark window is showing data from which data capture point because no information identifying the data capture point is shown on the Wireshark window’s title bar.

One advantage of setting Wireshark to use Traditional packet capture is that the file name from which the Wireshark window is reading captured packets appears in the window’s title bar. So, when using Traditional packet capture, it is easier to determine which Wireshark window is capturing data on which interface.

See the example below, where I changed the GNS3 Packet Capture preferences to “Traditional packet capture*. See the filename in the window’s title bar.

Traditional packet capture reads from a file whose file name indicates the source of the captured data

Traditional packet capture reads from a file whose file name indicates the source of the captured data

Conclusion

We showed how to set up data capture on open-source routers in the GNS3 network simulator. We saw that we need to plan ahead when building a network simulation scenarios to ensure we set up the data capture points we need before starting the virtual machines in the simulation.

No Comments

Be the first to start the conversation.

Leave a Reply

Text formatting is available via select HTML. <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*