Analysing common Cisco PVST/PVST+/Rapid-PVST+ network faults with pure BPF filter expressions
1.1 I. Cisco PVST/PVST+/Rapid-PVST+ frame structure reference
1.1.1 Key characteristics:
- Destination MAC: 01:00:0C:CC:CC:CD (Cisco per-VLAN spanning-tree multicast, also called the SSTP address). IEEE 802.1D/802.1w/802.1s BPDUs use 01:80:C2:00:00:00 instead.
- Encapsulation: Cisco proprietary, carried in an 802.3 frame with an LLC/SNAP header (DSAP/SSAP 0xAA, control 0x03, OUI 00:00:0C, SNAP PID 0x010B). 0x010B is a SNAP protocol ID, not an EtherType, so it never appears at frame offset 12 or 16; with a VLAN tag it sits at offset 24, without one at offset 20.
- VLAN tag: PVST+ sends a separate BPDU for every active VLAN. On an 802.1Q trunk the BPDUs of non-native VLANs carry an 802.1Q tag (TPID 0x8100); the native VLAN's BPDU is sent untagged.
- BPDU body: a standard 802.1D or 802.1w BPDU, followed by a Cisco TLV that carries the originating VLAN (type 0x0000, length 0x0002, 2-byte VLAN ID).
1.1.2 PVST+ frame structure, tagged (these are the offsets every BPF expression below uses):
0-5: destination MAC (01:00:0C:CC:CC:CD)
6-11: source MAC
12-13: TPID 0x8100 (802.1Q)
14-15: TCI (3-bit priority, 1-bit DEI, 12-bit VLAN ID)
16-17: 802.3 length field (not an EtherType)
18-20: LLC header (0xAA 0xAA 0x03)
21-23: SNAP OUI (00:00:0C)
24-25: SNAP PID (0x010B, Cisco PVST+)
26-27: protocol identifier (0x0000)
28: protocol version (0x00 = STP, 0x02 = RSTP)
29: BPDU type (0x00 = configuration, 0x02 = RST, 0x80 = TCN)
30: flags
31-38: root bridge ID (2-byte priority + system-ID extension, 6-byte MAC)
39-42: root path cost
43-50: bridge ID
51-52: port ID
53-54: message age (all timers are in units of 1/256 s)
55-56: max age
57-58: hello time
59-60: forward delay
61: version 1 length (RST BPDUs only, 0x00)
62-67: originating-VLAN TLV (0x0000, 0x0002, VLAN ID at 66-67); in a configuration BPDU, which has no version 1 length byte, the TLV starts at 61 and the VLAN ID is at 65-66
A TCN BPDU ends after the type byte (offset 29): it has no flags, bridge IDs or timers, so flag and timer tests must exclude type 0x80.
1.1.3 Untagged PVST+ frame (native VLAN on a trunk, or an access port):
Subtract 4 from every offset from the length field onward: length 12-13, LLC 14-16, OUI 17-19, SNAP PID 20-21, protocol ID 22-23, version 24, type 25, flags 26, root ID 27-34, root path cost 35-38, bridge ID 39-46, port ID 47-48, message age 49-50, max age 51-52, hello time 53-54, forward delay 55-56, version 1 length 57, originating-VLAN TLV 58-63 (VLAN ID at 62-63; 61-62 in a configuration BPDU).
Rapid-PVST+ uses the same encapsulation; from offset 26 (tagged) or 22 (untagged) the body is a standard RST BPDU (version 0x02, type 0x02) plus the originating-VLAN TLV.
BPF notes: pcap-filter loads 1, 2 or 4 bytes at a time (ether[n], ether[n:2], ether[n:4]), so an 8-byte bridge ID is compared as ether[31:4] and ether[35:4]. The expressions index raw frame bytes rather than using the vlan primitive, which keeps the offsets explicit. Check offsets against a real capture with tcpdump -e -xx before relying on them.
1.2 II. Basic PVST/PVST+/Rapid-PVST+ capture expressions
# 1. All Cisco per-VLAN spanning-tree traffic, tagged or untagged
ether dst 01:00:0c:cc:cc:cd
# 2. Tagged frames carrying the Cisco PVST+ SNAP PID
ether[12:2] == 0x8100 and ether[24:2] == 0x010b
# 3. Combined: destination address, 802.1Q tag and SNAP PID
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b
# 4. A specific VLAN (replace VLAN_ID with the number, e.g. 10)
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and (ether[14:2] & 0x0fff) == VLAN_ID
# 5. Untagged PVST+ (the native VLAN's BPDU on a trunk; also access ports)
ether dst 01:00:0c:cc:cc:cd and ether[12:2] != 0x8100 and ether[20:2] == 0x010b
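The frame layout above is easiest to trust when you can build a BPDU and watch the bytes land at the stated offsets. The following is an added example (not code from the original page or from Cisco): it constructs tagged and untagged Rapid-PVST+/PVST+ frames with the standard library only, evaluates the same byte tests as capture expression 4 in Python, and decodes the fields the later fault checks rely on (extended system ID, 1/256 s timers, RSTP role bits, originating-VLAN TLV). All MAC addresses, priorities and costs are made-up sample values.

```python
"""Build Cisco PVST+ / Rapid-PVST+ BPDU frames and decode them with the same
offsets the BPF expressions use. Added example; sample values are invented."""
import struct

SSTP_DST = bytes.fromhex("01000ccccccd")   # Cisco per-VLAN STP multicast address
SNAP_OUI_CISCO = bytes.fromhex("00000c")
SNAP_PID_PVST = 0x010B                    # SNAP protocol ID, not an EtherType
LLC_SNAP = b"\xaa\xaa\x03"
RSTP_ROLE = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}


def build_pvst_bpdu(src_mac, vlan, root_mac, bridge_mac, root_prio=0x8000,
                    bridge_prio=0x8000, root_path_cost=0, port_id=0x8001,
                    flags=0x3C, rapid=True, tagged=True,
                    msg_age=0.0, max_age=20.0, hello=2.0, fwd_delay=15.0):
    """Return a complete Ethernet frame. Bridge IDs use the PVST+ extended
    system-ID form: 4-bit priority | 12-bit VLAN, followed by the 6-byte MAC."""
    root_id = struct.pack("!H", (root_prio & 0xF000) | vlan) + root_mac
    bridge_id = struct.pack("!H", (bridge_prio & 0xF000) | vlan) + bridge_mac
    version, bpdu_type = (0x02, 0x02) if rapid else (0x00, 0x00)
    body = struct.pack("!HBBB", 0x0000, version, bpdu_type, flags)
    body += root_id + struct.pack("!I", root_path_cost) + bridge_id
    # BPDU timers are carried in units of 1/256 second.
    body += struct.pack("!HHHHH", port_id, int(msg_age * 256), int(max_age * 256),
                        int(hello * 256), int(fwd_delay * 256))
    if rapid:
        body += b"\x00"                                   # version 1 length
    body += struct.pack("!HHH", 0x0000, 0x0002, vlan)     # originating-VLAN TLV
    payload = LLC_SNAP + SNAP_OUI_CISCO + struct.pack("!H", SNAP_PID_PVST) + body
    frame = SSTP_DST + src_mac
    if tagged:
        frame += struct.pack("!HH", 0x8100, vlan)         # TPID + TCI (PCP 0, DEI 0)
    return frame + struct.pack("!H", len(payload)) + payload


def matches_tagged_pvst(frame, vlan=None, rapid_only=False):
    """Python equivalent of: ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100
    and ether[24:2] == 0x010b [and (ether[14:2] & 0x0fff) == VLAN] [and ether[28] == 0x02]"""
    if len(frame) < 30 or frame[0:6] != SSTP_DST:
        return False
    if frame[12:14] != b"\x81\x00" or frame[24:26] != b"\x01\x0b":
        return False
    if vlan is not None and (struct.unpack("!H", frame[14:16])[0] & 0x0FFF) != vlan:
        return False
    return (not rapid_only) or frame[28] == 0x02


def parse_pvst_bpdu(frame):
    """Decode a PVST+/Rapid-PVST+ BPDU. Returns None for non-PVST+ frames."""
    if frame[0:6] != SSTP_DST:
        return None
    tagged = frame[12:14] == b"\x81\x00"
    base = 16 if tagged else 12                 # offset of the 802.3 length field
    if frame[base + 2:base + 8] != LLC_SNAP + SNAP_OUI_CISCO:
        return None
    if struct.unpack("!H", frame[base + 8:base + 10])[0] != SNAP_PID_PVST:
        return None
    b = base + 10                               # start of the BPDU (protocol ID)
    info = {"tagged": tagged, "version": frame[b + 2], "type": frame[b + 3],
            "vlan": (struct.unpack("!H", frame[14:16])[0] & 0x0FFF) if tagged else None}
    if info["type"] == 0x80:                    # TCN: nothing follows the type byte
        return info
    flags = frame[b + 4]
    root_field, = struct.unpack("!H", frame[b + 5:b + 7])
    bridge_field, = struct.unpack("!H", frame[b + 17:b + 19])
    port_id, = struct.unpack("!H", frame[b + 25:b + 27])
    msg_age, max_age, hello, fwd = struct.unpack("!HHHH", frame[b + 27:b + 35])
    info.update(flags=flags, tc=bool(flags & 0x01), tca=bool(flags & 0x80),
                root_priority=root_field & 0xF000, root_sysid_ext=root_field & 0x0FFF,
                root_mac=frame[b + 7:b + 13].hex(":"),
                root_path_cost=struct.unpack("!I", frame[b + 13:b + 17])[0],
                bridge_priority=bridge_field & 0xF000, bridge_mac=frame[b + 19:b + 25].hex(":"),
                port_priority=port_id >> 12, port_number=port_id & 0x0FFF,
                msg_age=msg_age / 256, max_age=max_age / 256, hello=hello / 256, fwd_delay=fwd / 256)
    tlv = b + 35
    if info["version"] == 2:                    # RST BPDU: skip the version 1 length byte
        info.update(role=RSTP_ROLE[(flags >> 2) & 3], learning=bool(flags & 0x10),
                    forwarding=bool(flags & 0x20))
        tlv += 1
    if frame[tlv:tlv + 4] == b"\x00\x00\x00\x02":
        info["tlv_vlan"] = struct.unpack("!H", frame[tlv + 4:tlv + 6])[0]
    return info


if __name__ == "__main__":
    f = build_pvst_bpdu(bytes.fromhex("0011223344aa"), 10, bytes.fromhex("00000c000010"),
                        bytes.fromhex("00000c0000aa"), root_path_cost=4, port_id=0x8003)
    print(f.hex(" "))                            # compare against tcpdump -e -xx output
    print(matches_tagged_pvst(f, vlan=10, rapid_only=True), parse_pvst_bpdu(f))
```

Printing the frame with `f.hex(" ")` and reading it next to `tcpdump -e -xx` output is the quickest way to confirm that bytes 24-25 hold 0x010b, byte 28 the version and bytes 57-58 the hello time (0x0200 for 2 s) on your own captures.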
1.3 III. PVST (original PVST) analysis
1.3.1 PVST BPDU body (tagged-frame offsets; subtract 4 for untagged frames):
26-27: protocol identifier (0x0000)
28: protocol version (STP = 0x00)
29: BPDU type (configuration = 0x00, TCN = 0x80)
30: flags (bit 0 = TC, bit 7 = TCA)
31-38: root bridge ID
39-42: root path cost
43-50: bridge ID
51-52: port ID
53-60: standard STP timers (message age, max age, hello time, forward delay; 1/256 s units)
# 1. PVST configuration BPDUs
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[28] == 0x00 and ether[29] == 0x00
# 2. PVST TCN BPDUs
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[29] == 0x80
# 3. TC flag set (byte 30, bit 0); TCNs are excluded because they carry no flags byte
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[29] != 0x80 and (ether[30] & 0x01) == 0x01
# 4. A specific root bridge ID (bytes 31-38). BPF loads at most 4 bytes, so split it in two;
#    the example values are root ID 80:01:00:00:0c:00:00:01, i.e. priority 32768 + VLAN 1, MAC 00:00:0c:00:00:01
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[31:4] == 0x80010000 and ether[35:4] == 0x0c000001
1.4 IV. PVST+ (enhanced PVST) analysis
1.4.1 Differences between PVST+ and PVST:
- 802.1Q tagging on trunks (original PVST ran over ISL trunks)
- VLANs 1-4094
- One independent BPDU and spanning-tree instance per VLAN
- Extended system ID: the low 12 bits of the bridge-ID priority field carry the VLAN number, so the default priority field is 0x8000 + VLAN
- Originating-VLAN TLV appended to the BPDU
# 1. PVST+ BPDUs of a specific VLAN (VLAN 10 here)
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and (ether[14:2] & 0x0fff) == 10
# 2. The native VLAN's PVST+ BPDU, which is sent untagged (do not look for tag value 1; a tag with VID 1 only appears when VLAN 1 is not the native VLAN)
ether dst 01:00:0c:cc:cc:cd and ether[12:2] != 0x8100 and ether[20:2] == 0x010b
# 3. Tagged user VLANs (any VID above 1)
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and (ether[14:2] & 0x0fff) > 1
# 4. Inspect the 802.1Q priority bits (upper 3 bits of the TCI)
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and (ether[14:2] & 0xe000) != 0x0000
1.5 V. Rapid-PVST+ analysis
1.5.1 Rapid-PVST+ key characteristics:
- RSTP (802.1w) per VLAN
- Protocol version: 0x02
- BPDU type: 0x02 (RST BPDU; there is no separate TCN, topology change is signalled with the TC flag)
- Flags byte (offset 30): bit 0 TC, bit 1 Proposal, bits 2-3 port role, bit 4 Learning, bit 5 Forwarding, bit 6 Agreement, bit 7 TCA (unused in RST BPDUs)
# 1. Rapid-PVST+ BPDUs
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[28] == 0x02
# 2. Rapid-PVST+ for a specific VLAN
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[28] == 0x02 and (ether[14:2] & 0x0fff) == VLAN_ID
# 3. Port role (byte 30, bits 2-3: 00 unknown, 01 alternate/backup, 10 root, 11 designated)
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[28] == 0x02 and (ether[30] & 0x0c) == 0x08
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[28] == 0x02 and (ether[30] & 0x0c) == 0x0c
# 4. Port state (byte 30, bits 4-5): 00 discarding, 0x30 learning + forwarding
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[28] == 0x02 and (ether[30] & 0x30) == 0x00
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[28] == 0x02 and (ether[30] & 0x30) == 0x30
1.6 VI. Telling the protocol versions apart
# 1. PVST (STP version 0x00, configuration BPDU)
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[28] == 0x00 and ether[29] == 0x00
# 2. Rapid-PVST+ (RSTP version 0x02)
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[28] == 0x02
# 3. TCN BPDUs (type 0x80; the version byte is 0x00 here too, so test the type byte)
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[29] == 0x80
# 4. Configuration BPDUs (type 0x00)
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[29] == 0x00
1.7 VII. VLAN-related faults
1.7.1 Fault 1: VLAN inconsistency
# Tag VLAN outside the valid range 1-4094: VID 0 (priority-tagged frame) or VID 4095 (reserved).
# A 12-bit mask can never exceed 0x0fff, so test for equality rather than "> 0x0fff".
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and (ether[14:2] & 0x0fff) == 0x0000
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and (ether[14:2] & 0x0fff) == 0x0fff
# Tag VLAN differs from the originating-VLAN TLV (VLAN ID at 66-67 in a tagged RST BPDU, 65-66 in a tagged configuration BPDU)
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[28] == 0x02 and ether[66:2] != (ether[14:2] & 0x0fff)
# Native VLAN mismatch. This is what the switch itself checks: an untagged BPDU whose originating-VLAN TLV
# does not name this port's native VLAN (Cisco logs it as an inconsistent peer VLAN ID). Replace NATIVE_VLAN
# with the local native VLAN; the TLV VLAN ID is at 62-63 in an untagged RST BPDU, 61-62 in an untagged configuration BPDU.
ether dst 01:00:0c:cc:cc:cd and ether[12:2] != 0x8100 and ether[20:2] == 0x010b and ether[24] == 0x02 and ether[62:2] != NATIVE_VLAN
1.7.2 Fault 2: VLAN pruning problems
# PVST+ BPDUs of a VLAN that should not exist on this trunk (replace UNCONFIGURED_VLAN_ID)
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and (ether[14:2] & 0x0fff) == UNCONFIGURED_VLAN_ID
# Missing VLANs cannot be matched by a filter (there is no frame to match); capture a VLAN range over time
# and check which VLANs never appear. This captures VLANs 2-10:
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and (ether[14:2] & 0x0fff) >= 2 and (ether[14:2] & 0x0fff) <= 10
1.7.3 Fault 3: per-VLAN root consistency
# Every BPDU of one VLAN should carry the same root bridge ID. BPF cannot compare fields across packets,
# so capture the VLAN and compare bytes 31-38 in post-processing:
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and (ether[14:2] & 0x0fff) == VLAN_ID
1.8 VIII. Root bridge election faults
1.8.1 PVST+ root bridge ID structure (tagged offsets):
bytes 31-32: priority field (upper 4 bits = configured priority in steps of 4096, lower 12 bits = system-ID extension, which is the VLAN number)
bytes 33-38: MAC address
# 1. Default root priority 32768 (mask off the system-ID extension; the raw field is 0x8000 + VLAN, so "== 0x8000" would only match VLAN 0)
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and (ether[31:2] & 0xf000) == 0x8000
# 2. Root priority 0 (possible misconfiguration, or a deliberate root with priority 0)
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and (ether[31:2] & 0xf000) == 0x0000
# 3. System-ID extension does not match the tag VLAN (should never happen on a healthy Cisco switch)
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and (ether[31:2] & 0x0fff) != (ether[14:2] & 0x0fff)
# 4. A specific root MAC (example 00:00:0c:00:00:01, split into a 2-byte and a 4-byte load)
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[33:2] == 0x0000 and ether[35:4] == 0x0c000001
# 5. BPDUs sent by the root bridge itself (root ID equals bridge ID); their root path cost must be 0
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[31:4] == ether[43:4] and ether[35:4] == ether[47:4] and ether[39:4] != 0
# 6. Different VLANs having different roots is normal in PVST+; to verify intent, capture one VLAN and inspect its root ID
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and (ether[14:2] & 0x0fff) == VLAN_ID
1.9 IX. Timer problems
1.9.1 PVST+ timer fields (tagged offsets, units of 1/256 s, so 2 s = 0x0200, 15 s = 0x0f00, 20 s = 0x1400):
53-54: message age
55-56: max age
57-58: hello time
59-60: forward delay
# 1. Hello time other than the default 2 s
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[29] != 0x80 and ether[57:2] != 0x0200
# 2. Hello time 0
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[29] != 0x80 and ether[57:2] == 0x0000
# 3. Message age greater than max age (the receiving bridge will discard the BPDU)
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[29] != 0x80 and ether[53:2] > ether[55:2]
# 4. Forward delay other than the default 15 s
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[29] != 0x80 and ether[59:2] != 0x0f00
# 5. Max age other than the default 20 s
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[29] != 0x80 and ether[55:2] != 0x1400
1.10 X. Port state and role faults
1.10.1 PVST+ port ID field (bytes 51-52):
upper 4 bits: port priority (default 128, encoded as 0x8)
lower 12 bits: port number
# 1. Port number 0 (invalid)
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[29] != 0x80 and (ether[51:2] & 0x0fff) == 0x0000
# 2. Default port priority 128
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[29] != 0x80 and (ether[51:2] & 0xf000) == 0x8000
# 3. Rapid-PVST+ port role "unknown" (bits 2-3 of byte 30 clear), which a healthy RSTP bridge does not send
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[28] == 0x02 and (ether[30] & 0x0c) == 0x00
# 4. Rapid-PVST+ port state: forwarding without learning (bits 4-5 of byte 30 = 10)
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[28] == 0x02 and (ether[30] & 0x30) == 0x20
1.11 XI. Topology-change faults
# 1. TCN BPDUs (PVST only; Rapid-PVST+ uses the TC flag instead)
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[29] == 0x80
# 2. TC flag set (byte 30, bit 0)
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[29] != 0x80 and (ether[30] & 0x01) == 0x01
# 3. TCA flag (topology change acknowledgement, bit 7); meaningful in configuration BPDUs, unused in RST BPDUs
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[29] == 0x00 and (ether[30] & 0x80) == 0x80
# 4. Frequent topology changes: capture TC-flagged BPDUs and count them per VLAN over time in post-processing
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[29] != 0x80 and (ether[30] & 0x01) == 0x01
1.12 XII. Interoperability with other protocols
1.12.1 PVST+ versus standard STP/RSTP:
IEEE BPDUs go to 01:80:C2:00:00:00 without SNAP: 12-13 length, 14-16 LLC (0x42 0x42 0x03), 17-18 protocol ID, 19 version, 20 type, 21 flags. On an 802.1Q trunk a Cisco switch sends the native VLAN's BPDU twice, once as an IEEE BPDU and once as an untagged SSTP BPDU; non-Cisco switches flood the SSTP frames of the other VLANs as ordinary multicast, which is how PVST+ instances tunnel through a standard-STP region.
# 1. Mixed environment: both address families on one link
ether dst 01:00:0c:cc:cc:cd or ether dst 01:80:c2:00:00:00
# 2. 802.1D STP alongside PVST+. A frame has one destination address, so the two families must be
#    combined with "or" (an "and" of two destination addresses never matches); compare the captures offline.
(ether dst 01:80:c2:00:00:00 and ether[19] == 0x00) or (ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b)
# 3. 802.1w RSTP alongside Rapid-PVST+
(ether dst 01:80:c2:00:00:00 and ether[19] == 0x02) or (ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[28] == 0x02)
1.12.2 PVST+ versus MSTP:
# Mixed PVST+ and MSTP (802.1s, version 0x03)
(ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b) or (ether dst 01:80:c2:00:00:00 and ether[19] == 0x03)
1.13 XIII. Cisco-specific feature checks
1.13.1 BPDU Guard and Root Guard:
# 1. BPDUs that BPDU Guard should have stopped: capture on (or SPAN) the host-facing port and look for any BPDU
#    that did not come from the switch port itself. Filtering on Cisco OUIs is not reliable (hosts may be Cisco
#    gear, and the OUI list is long), so exclude the known switch-port MAC instead.
(ether dst 01:00:0c:cc:cc:cd or ether dst 01:80:c2:00:00:00) and not ether src SWITCH_PORT_MAC
# 2. Superior BPDUs that Root Guard should block. The full comparison is lexicographic over the 8-byte root ID
#    and then the path cost, which BPF cannot express; the 2-byte priority field is the first key and catches the
#    common case of a lower configured priority (replace CURRENT_ROOT_PRIORITY_FIELD with the 0xPVVV value of the current root).
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[29] != 0x80 and ether[31:2] < CURRENT_ROOT_PRIORITY_FIELD
1.13.2 PortFast and BPDU Filter:
# A host behind a PortFast port should never send BPDUs
ether src HOST_MAC and (ether dst 01:00:0c:cc:cc:cd or ether dst 01:80:c2:00:00:00)
# BPDU Filter: a port with per-interface BPDU Filter sends and receives no BPDUs at all; with the global
# (PortFast-wide) BPDU Filter, Cisco IOS still sends a handful of BPDUs right after link-up and then stops,
# so a few matches just after link-up are expected there.
ether src FILTERED_PORT_MAC and ether dst 01:00:0c:cc:cc:cd
1.14 XIV. Combined diagnostic expressions
pcap_compile does not accept comments inside an expression, so the clauses are listed here and the expression follows without them. Newlines are ordinary whitespace to the compiler, so the multi-line form can be passed in quotes or via tcpdump -F file. TCNs (type 0x80) are excluded wherever a field beyond the type byte is tested, because a TCN ends at offset 29.
1.14.1 General PVST+ health check:
Clauses: unknown protocol version (not 0x00 or 0x02); invalid tag VLAN (0 or 4095); hello time 0; message age above max age; forward delay 0; root priority field 0; port number 0; Rapid-PVST+ with unknown port role, or forwarding without learning.
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and (
  (ether[28] != 0x00 and ether[28] != 0x02) or
  (ether[14:2] & 0x0fff) == 0x0000 or (ether[14:2] & 0x0fff) == 0x0fff or
  (ether[29] != 0x80 and (
    ether[57:2] == 0x0000 or
    ether[53:2] > ether[55:2] or
    ether[59:2] == 0x0000 or
    ether[31:2] == 0x0000 or
    (ether[51:2] & 0x0fff) == 0x0000 or
    (ether[28] == 0x02 and ((ether[30] & 0x0c) == 0x00 or (ether[30] & 0x30) == 0x20))
  ))
)
1.14.2 Severe-fault filter:
Clauses that can point at a forwarding loop: a BPDU already past max age on a Rapid-PVST+ port that is still forwarding; a bridge claiming to be root while advertising a non-zero root path cost; a system-ID extension that disagrees with the tag VLAN. Native VLAN mismatch needs the untagged filter from section 1.7.1 (it is a separate expression because the offsets differ by 4).
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[29] != 0x80 and (
  (ether[53:2] >= ether[55:2] and ether[28] == 0x02 and (ether[30] & 0x20) == 0x20) or
  (ether[31:4] == ether[43:4] and ether[35:4] == ether[47:4] and ether[39:4] != 0x00000000) or
  (ether[31:2] & 0x0fff) != (ether[14:2] & 0x0fff)
)
1.14.3 VLAN-related faults:
A VLAN that is missing cannot be matched by any filter (nothing arrives); capture the VLAN range and count per VLAN afterwards. The expression below catches tag VLANs outside 1-4094 and a tag VLAN that disagrees with the originating-VLAN TLV of an RST BPDU.
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and (
  (ether[14:2] & 0x0fff) == 0x0000 or (ether[14:2] & 0x0fff) == 0x0fff or
  (ether[28] == 0x02 and ether[66:2] != (ether[14:2] & 0x0fff))
)
1.14.4 Performance filter:
BPDU volume per VLAN (too many VLANs on a trunk) is a count, which BPF cannot produce; capture all PVST+ and count by tag VLAN. The expression below flags a hello time above 4 s (slow detection of failures) and TC-flagged BPDUs with message age 0, i.e. topology changes announced by the root itself, which are worth counting over time.
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[29] != 0x80 and (
  ether[57:2] > 0x0400 or
  ((ether[30] & 0x01) == 0x01 and ether[53:2] == 0x0000)
)
1.15 XV. Per-VLAN root-bridge consistency checks
# All BPDUs of VLAN 10: every one should carry the same root ID in bytes 31-38; compare them in post-processing
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and (ether[14:2] & 0x0fff) == 10
# All VLANs: group by tag VLAN and compare root IDs per group (different roots in different VLANs is normal PVST+ behaviour; the question is whether it matches the design)
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b
1.16 XVI. BPF expression optimisation
# 1. Basic PVST+ filter. The cheapest test goes first; "ether dst" is the same 6-byte comparison as
#    ether[0:4] == 0x01000ccc and ether[4:2] == 0xcccd, which is the only way to write a raw MAC match
#    (there is no "ether[0:6] =" in pcap-filter)
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b
# 2. Rapid-PVST+ for one VLAN
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[28] == 0x02 and (ether[14:2] & 0x0fff) == VLAN_ID
# 3. One mask for several flag bits: TC or TCA set
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[29] != 0x80 and (ether[30] & 0x81) != 0x00
# 4. Frames to the Cisco STP address that are not tagged PVST+ (untagged native-VLAN BPDUs, or something else using the address)
ether dst 01:00:0c:cc:cc:cd and not (ether[12:2] == 0x8100 and ether[24:2] == 0x010b)
# 5. Two timer checks in one expression
ether dst 01:00:0c:cc:cc:cd and ether[12:2] == 0x8100 and ether[24:2] == 0x010b and ether[29] != 0x80 and (ether[57:2] == 0x0000 or ether[59:2] == 0x0000)
# Use "tcpdump -d 'expression'" to print the compiled BPF program and confirm that the optimiser kept the tests in a sensible order.
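Several checks in sections VII, XI, XIV and XV are explicitly beyond BPF: root-ID consistency within a VLAN, topology-change frequency, VLANs whose BPDUs have stopped arriving, and native-VLAN mismatch against the local port's configuration. The following is an added example (not from the original page) of the post-processing step those sections defer to. It works on already-decoded BPDU records (timestamp, 802.1Q tag VLAN or None, originating-VLAN TLV value, root ID, TC flag), which is what a decoder such as the one in section II or a Wireshark export produces; the records below are constructed for the example and the thresholds are assumptions you should tune to your hello and max-age timers.

```python
"""Cross-BPDU checks that a single BPF filter cannot express.
Added example; SAMPLE_BPDUS is constructed, not captured."""
from collections import defaultdict

# One record per captured PVST+ BPDU: capture time (s), 802.1Q tag VLAN (None = untagged),
# originating-VLAN TLV, root bridge ID as printed by IOS (priority.mac), TC flag.
SAMPLE_BPDUS = [
    {"t": 0.0, "tag_vlan": 10, "tlv_vlan": 10, "root": "800a.0000.0c00.0001", "tc": False},
    {"t": 2.0, "tag_vlan": 10, "tlv_vlan": 10, "root": "800a.0000.0c00.0001", "tc": True},
    {"t": 4.0, "tag_vlan": 10, "tlv_vlan": 10, "root": "800a.0000.0c00.0001", "tc": True},
    {"t": 6.0, "tag_vlan": 10, "tlv_vlan": 10, "root": "800a.0000.0c00.0001", "tc": True},
    {"t": 8.0, "tag_vlan": 10, "tlv_vlan": 10, "root": "800a.0000.0c00.0001", "tc": True},
    {"t": 0.0, "tag_vlan": 20, "tlv_vlan": 20, "root": "8014.0000.0c00.0001", "tc": False},
    {"t": 2.0, "tag_vlan": 20, "tlv_vlan": 20, "root": "8014.0000.0c00.00ff", "tc": False},
    # Untagged BPDU whose TLV says VLAN 99: the peer's native VLAN is not ours.
    {"t": 0.5, "tag_vlan": None, "tlv_vlan": 99, "root": "8063.0000.0c00.0001", "tc": False},
]


def root_inconsistencies(bpdus):
    """VLANs in which more than one root bridge ID was seen -> {vlan: sorted root IDs}."""
    roots = defaultdict(set)
    for b in bpdus:
        roots[b["tlv_vlan"]].add(b["root"])
    return {v: sorted(r) for v, r in roots.items() if len(r) > 1}


def tc_bursts(bpdus, window=10.0, threshold=3):
    """VLANs with at least `threshold` TC-flagged BPDUs inside any `window` seconds
    -> {vlan: peak count}. Sliding window over the sorted timestamps."""
    times = defaultdict(list)
    for b in bpdus:
        if b["tc"]:
            times[b["tlv_vlan"]].append(b["t"])
    result = {}
    for vlan, ts in times.items():
        ts.sort()
        peak, start = 0, 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            result[vlan] = peak
    return result


def stale_vlans(bpdus, expected, now, hello=2.0, misses=3):
    """Expected VLANs whose last BPDU is older than `misses` hello intervals, or never seen.
    Silence on a VLAN that should be active usually means pruning, filtering or a VLAN not allowed on the trunk."""
    last = {}
    for b in bpdus:
        last[b["tlv_vlan"]] = max(last.get(b["tlv_vlan"], float("-inf")), b["t"])
    return sorted(v for v in expected if now - last.get(v, float("-inf")) > misses * hello)


def native_vlan_mismatches(bpdus, native_vlan):
    """Untagged BPDUs whose originating-VLAN TLV is not this port's native VLAN:
    the same condition behind the IOS 'inconsistent peer vlan id' message."""
    return sorted({b["tlv_vlan"] for b in bpdus if b["tag_vlan"] is None and b["tlv_vlan"] != native_vlan})


if __name__ == "__main__":
    print("root inconsistencies:", root_inconsistencies(SAMPLE_BPDUS))
    print("TC bursts:", tc_bursts(SAMPLE_BPDUS))
    print("stale VLANs:", stale_vlans(SAMPLE_BPDUS, expected={10, 20, 30}, now=9.0))
    print("native mismatch from peer VLANs:", native_vlan_mismatches(SAMPLE_BPDUS, native_vlan=1))
```

The TC-burst threshold and the three-hello staleness rule are starting points, not protocol constants; RSTP legitimately sets TC on several consecutive BPDUs after a real change, so look at the peak count over a longer window before blaming a flapping link.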
1.17 XVII. Common fault scenarios and BPF expressions
| Symptom | BPF expression (tagged PVST+ base filter implied) | Likely cause |
|---|---|---|
| Loop in one VLAN | capture the VLAN, compare root IDs (bytes 31-38) across BPDUs | PVST+ misconfiguration, inconsistent root |
| Slow convergence | ether[57:2] > 0x0400 | Hello time above 4 s |
| Port never forwards | ether[28] == 0x02 and (ether[30] & 0x30) == 0x00 | Rapid-PVST+ port stuck discarding |
| BPDUs missing | capture the VLAN range, count BPDUs per VLAN over time | VLAN pruned, filtered or not allowed on the trunk |
| Native VLAN mismatch | ether[12:2] != 0x8100 and ether[20:2] == 0x010b and ether[24] == 0x02 and ether[62:2] != NATIVE_VLAN | Different native VLAN on the two ends |
| Root bridge flapping | capture one VLAN, track how often the root ID changes | Unstable link or competing priorities |
1.18 XVIII. Notes
- Cisco-specific: PVST, PVST+ and Rapid-PVST+ are Cisco proprietary protocols.
- VLAN tags: PVST+ BPDUs carry an 802.1Q tag on trunks except for the native VLAN, whose BPDU is untagged; every offset in this document shifts by 4 between the two cases.
- Destination MAC: always 01:00:0C:CC:CC:CD.
- Encapsulation: LLC/SNAP with OUI 00:00:0C and SNAP PID 0x010B (offset 24 tagged, 20 untagged); 0x010B is not an EtherType.
- Compatibility: not directly compatible with standard STP/RSTP/MSTP; on a boundary Cisco sends the native VLAN's BPDU in IEEE format as well, and other switches flood the remaining SSTP BPDUs as multicast data.
- Performance: one BPDU per VLAN per hello interval per trunk can add up to a lot of traffic on trunks with many VLANs.
- BPF limits: loads are 1, 2 or 4 bytes wide, fields cannot be compared across packets, and a TCN BPDU ends at the type byte, so tests on flags, IDs and timers must exclude type 0x80.
1.19 Summary
The key points for analysing Cisco PVST/PVST+/Rapid-PVST+ faults with pure BPF expressions:
- Identify the protocol: destination MAC 01:00:0C:CC:CC:CD, SNAP PID 0x010B, with or without an 802.1Q tag.
- Tell the versions apart: PVST configuration BPDU (version 0x00, type 0x00), Rapid-PVST+ (version 0x02, type 0x02), TCN (type 0x80).
- VLAN analysis: one BPDU per VLAN; check the tag VLAN, the system-ID extension and the originating-VLAN TLV against each other.
- Root bridge checks: each VLAN may legitimately have a different root; verify against the intended design.
- Timer validation: hello, max age and forward delay, remembering that the fields are in 1/256 s units.
The main advantage of the Cisco PVST+ family is an independent spanning tree per VLAN, which also multiplies the work of troubleshooting. The expressions here isolate protocol, VLAN and convergence problems quickly; anything that needs state across packets (root consistency, change frequency, missing VLANs) needs post-processing of the capture, and complex cases should be cross-checked with IOS commands such as show spanning-tree vlan and debug spanning-tree.