decapsulating unicast VXLAN packets to a VXLAN interface

Dan Ecott

I am trying to evaluate a new virtualized traffic mirroring service (similar to SPAN) that delivers VXLAN encapsulated packets to a destination of my choice using the traditional VXLAN UDP unicast encapsulation methods. My goal is to have these packets sent to a linux instance with two interfaces, with the second interface dedicated for receiving these traffic feeds.

Once I have my instance with two logical interfaces I then want to receive these packets into a clean VXLAN virtual interface so that I can run security tools (e.g. Suricata, BRO) on just the packets with the VXLAN wrapper stripped off. In the past I have managed to achieve that (in a multicast environment) by running the following two simple commands.

sudo ip link add vxlan0 type vxlan id 0 dev ens6 dstport 4789 group
sudo ip link set vxlan0 up

In the multicast environment, these two commands on my dual interface linux machine were enough to have a clean stream of decapsulated packets hitting virtual interface vxlan0. That means, if I run

sudo tcpdump -nvi vxlan0 

I see packets after the VXLAN headers have been removed, which leaves only the original packet. And now my security tools just monitor this interface and I don't have to worry about filtering out the VXLAN packets.

Moving to the unicast environment, I would expect the same commands minus the multicast group to yield the same result, but it doesn't seem to be the case. Here is what I am trying.

sudo ip link add vxlan0 type vxlan id 0 dev ens6 dstport 4789
sudo ip link set vxlan0 up

When I try and run tcpdump on the vxlan0 interface in this case, I don't see what I expect, which is the decapsulated packets with no VXLAN headers.

Things I have tried:

  1. Put the secondary interface in promiscuous mode
  2. Don't put the secondary interface in promiscuous mode
  3. IP the secondary interface
  4. Don't IP the secondary interface
  5. Turn off and on Multicast on the secondary interface

Can anyone point me in the right direction here?


I have done what you describe. In my case, I am using Suricata to monitor a VXLAN interface in pcap mode. The networking environment only supports unicast. Here is how I configure the VXLAN interface.

auto vxlan-tap
    iface $IFACE inet manual
    pre-up ip link add $IFACE type vxlan id 1000 dev eth0 local dstport 4789
    up ip link set $IFACE up
    up ip link set $IFACE promisc on
    down ip link set $IFACE promisc off
    down ip link set $IFACE down
    post-down ip link del $IFACE

I don't see anything obviously wrong with your configuration but here are a few things you should check.

  1. Are you seeing VXLAN traffic on your logical interface (e.g. tcpdump udp -i ens6 port 4789)? If not, try dumping all UDP traffic to verify the source is not sending it to you on a different port.
  2. Does the VNI of the received VXLAN encapped traffic match the id you have configured on your VXLAN interface?
  3. Do you have any iptables filters dropping the UDP traffic on port 4789?

Collected from the Internet

Please contact [email protected] to delete if infringement.

edited at


Login to comment