How to parse OpenFlow packets using tcpdump capture file programmatically
The command-line alternative to Wireshark is tshark (similar in function to tcpdump).
This blog had enough to get me started.
A sample tshark capture command goes as follows (say you want to monitor the interface eth0):
sudo tshark -i eth0
We can add capture filters along with the command as well:
sudo tshark -i eth0 "port 6633"
This command will capture all traffic to or from port 6633 (the default port of OpenFlow controllers).
Simply capturing the traffic is not enough. To analyze the capture via a program, we need to first convert the capture into an easily understandable format. Enter XML.
sudo tshark -i eth0 -T pdml > dump.xml
This outputs the capture as an XML file, with every packet and its various attributes represented as tags.
It can subsequently be parsed with any standard XML parser.
A couple of extra things I tweaked: I scrapped the "port 6633" and added the -n option (addresses are not resolved). The additional packets which are captured as a result can always be filtered out by the XML parser. Since my application gave a slight importance to the timestamps of various packets, I did not want to cause additional delays due to filtering/resolving. Note that I may be terribly wrong in my reasoning here (it was just a hunch). Each packet has a timestamp added to it by the network adapter when the device receives it. It is therefore more than likely that using such tricks wouldn't affect the timestamp at all.
My final command was therefore:
sudo tshark -n -i eth0 -T pdml > dump.xml
ADDITIONAL NOTE: If you are habituated to using Wireshark to debug OpenFlow packets, you probably use the display filter "of". This, however, is not a valid capture filter, which is what tshark requires here (capture filters are similar to those used in tcpdump).
PS: Drop me a line if you need the XML parser (I used Python).
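A minimal version of the PDML parsing step, added here as an illustration (it is not the author's parser): it walks each <packet> in the tshark -T pdml output, drops anything that carries no OpenFlow dissector or is not on port 6633 (the filtering the post defers to the parser), and keeps the frame timestamp. The sample PDML is constructed, and the openflow_v4.* field names are assumed from the Wireshark openflow_v4 dissector.

```python
import xml.etree.ElementTree as ET

OPENFLOW_PORT = "6633"  # default controller port, as in the capture filter above
# Constructed sample PDML (not a real capture): an OpenFlow 1.3 HELLO to the
# controller on 6633, then an unrelated DNS packet the unfiltered capture also took.
SAMPLE_PDML = """<pdml version="0" creator="wireshark/3.6.2">
<packet>
 <proto name="frame"><field name="frame.time_epoch" show="1704067200.000123000"/></proto>
 <proto name="ip"><field name="ip.src" show="10.0.0.2"/><field name="ip.dst" show="10.0.0.1"/></proto>
 <proto name="tcp"><field name="tcp.srcport" show="45000"/><field name="tcp.dstport" show="6633"/></proto>
 <proto name="openflow_v4"><field name="openflow_v4.version" show="4"/>
  <field name="openflow_v4.type" showname="Type: OFPT_HELLO (0)" show="0"/>
  <field name="openflow_v4.xid" show="1"/></proto>
</packet>
<packet>
 <proto name="frame"><field name="frame.time_epoch" show="1704067200.000456000"/></proto>
 <proto name="ip"><field name="ip.src" show="10.0.0.2"/><field name="ip.dst" show="8.8.8.8"/></proto>
 <proto name="udp"><field name="udp.srcport" show="51000"/><field name="udp.dstport" show="53"/></proto>
</packet>
</pdml>
"""

def _field(packet, name):
    """Return the 'show' value of the first field called `name` in a packet, or None."""
    f = packet.find(f".//field[@name='{name}']")
    return None if f is None else f.get("show")

def openflow_messages(pdml_text, port=OPENFLOW_PORT):
    """One dict per packet carrying an OpenFlow message on `port`; everything else the
    unfiltered capture collected is dropped here, and the frame timestamp is kept."""
    out = []
    for pkt in ET.fromstring(pdml_text).iter("packet"):
        of_protos = [p.get("name") for p in pkt.findall("proto")
                     if p.get("name", "").startswith("openflow")]
        if not of_protos:
            continue
        if port not in {_field(pkt, "tcp.srcport"), _field(pkt, "tcp.dstport")}:
            continue
        # Prefer the version-specific dissector (openflow_v4) over the umbrella "openflow".
        proto = max(of_protos, key=len)
        t = _field(pkt, "frame.time_epoch")
        out.append({
            "time": float(t) if t else None,
            "src": _field(pkt, "ip.src"), "dst": _field(pkt, "ip.dst"),
            "dissector": proto,
            "version": _field(pkt, f"{proto}.version"), "type": _field(pkt, f"{proto}.type"),
            "xid": _field(pkt, f"{proto}.xid"),
        })
    return out
```

To run it on a real capture, replace SAMPLE_PDML with the contents of dump.xml; the type values map to OFPT_* constants of the matching OpenFlow version.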
Try reviewing the output of:
sudo tshark -O openflow_v4 -i eth0 port <openflow port>
You can review the protocols available with this command:
~] tshark -G protocols | grep openflow
OpenFlow openflow openflow
OpenFlow 1.0 openflow_v1 openflow_v1
OpenFlow 1.3 openflow_v4 openflow_v4
OpenFlow 1.4 openflow_v5 openflow_v5