In the previous parts we covered the basics using a single-node sandbox. In this part we will use a multi-node deployment and see how Skydive can analyze encapsulated traffic. There are several handy ways to deploy a multi-node environment with Skydive; here we will use the `Vagrantfile` which comes with the Skydive repository.
One Vagrantfile, three nodes
First, make sure that you have enough memory: the deployment requires a bit less than 5G. As said in the introduction, the `Vagrantfile` comes with the sources of Skydive, so we just need to clone the project. Go to the `contrib` folder and start Vagrant.
3 hosts were deployed: 1 analyzer and 2 agents. The analyzer WebUI is available at
With the topology expanded, we will get something like this:
What the `Vagrantfile` did is simple. It deployed the Skydive binary on every host, using the default config file which can be found here. The config is stored in
For the agents, only the `analyzers` list is set to specify the analyzer address.
The analyzer configuration is a bit more complex. Elasticsearch is specified as the backend for the flows:
and the topology:
The way the agents are connected together is also described in the config file. We are not going to detail the syntax here, but basically it creates a `TOR1` node and two port nodes `TOR1_PORT2` connected to the `eth1` interface of the host agents.
Packet journey within a tunnel
Now that we have a properly working multi-node deployment, we can create a topology with tunnels. For that purpose we use Open vSwitch with GRE tunnels. The following command lines, executed on agent1, will create a network namespace connected to a bridge and will add a GRE interface:
Same thing on the second agent host with the following command lines:
Once executed, Skydive should have detected the two network namespaces with all the links and should look like this.
Now we can create 3 captures: one on the `eth1` interface of an agent host, and one on each Open vSwitch bridge.
Once the captures are created, we can use the packet injector to generate pings between the two network namespaces.
By selecting the `eth1` interface, we can check the flows and see that we have our `ICMP` packets and a `GRE` flow. We see that Skydive analyzes inner packets, which lets us confirm that a packet has been seen even within a tunnel. We can verify the relation between the inner packet and the outer packet by checking the `ParentUUID` field of the inner packet. This field references the `UUID` of the tunnel's flow.
Skydive currently supports tunneling protocols such as GRE, VXLAN, GENEVE, MPLS/GRE and MPLS/UDP, and supports multiple levels of encapsulation.
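The `ParentUUID` check described above can be scripted over exported flows, which also covers the multi-level case. This is an added example, not code from Skydive or from the original post: the flow records are constructed, and the `Application` field name and all values are assumptions (only `UUID` and `ParentUUID` are named in the text).

```python
import json

# Constructed sample flows, as they might look after exporting a capture
# to JSON. Only UUID and ParentUUID are named in the article; the
# "Application" field name and every value below are assumptions.
SAMPLE_FLOWS = json.loads("""[
  {"UUID": "gre-1",  "ParentUUID": "",      "Application": "GRE"},
  {"UUID": "icmp-1", "ParentUUID": "gre-1", "Application": "ICMPv4"},
  {"UUID": "vx-1",   "ParentUUID": "gre-1", "Application": "VXLAN"},
  {"UUID": "icmp-2", "ParentUUID": "vx-1",  "Application": "ICMPv4"},
  {"UUID": "icmp-3", "ParentUUID": "gre-9", "Application": "ICMPv4"}
]""")


def encapsulation_chain(flows, uuid):
    """Return the flows from `uuid` outwards to the outermost tunnel flow.

    Raises LookupError when a ParentUUID points at a flow that is not in
    the set, and ValueError when the references form a cycle.
    """
    by_uuid = {f["UUID"]: f for f in flows}
    chain, seen = [], set()
    while uuid:
        if uuid in seen:
            raise ValueError(f"ParentUUID cycle at {uuid}")
        if uuid not in by_uuid:
            raise LookupError(f"no flow with UUID {uuid}")
        seen.add(uuid)
        flow = by_uuid[uuid]
        chain.append(flow)
        uuid = flow.get("ParentUUID") or ""
    return chain


def tunnel_report(flows):
    """Map each inner flow UUID to the protocols that encapsulate it,
    innermost tunnel first, or to None when its tunnel flow is missing
    from the capture (an orphaned inner flow)."""
    report = {}
    for flow in flows:
        if not flow.get("ParentUUID"):
            continue  # outermost flow, not encapsulated
        try:
            parents = encapsulation_chain(flows, flow["UUID"])[1:]
            report[flow["UUID"]] = [p["Application"] for p in parents]
        except LookupError:
            report[flow["UUID"]] = None
    return report


if __name__ == "__main__":
    for uuid, tunnels in tunnel_report(SAMPLE_FLOWS).items():
        print(uuid, "->", tunnels if tunnels is not None else "tunnel flow missing")
```

An inner flow reported with a missing tunnel flow means the capture set does not include the flow that carried it, so the inner packet cannot be tied to an outer packet from the exported data alone.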