TCPDump - Strange VRRP Packets?

  • Hi

    I'm running two pfSense clusters, both having different VIPs. Everything "seems" to run OK, but because of some network issues I've been running tcpdump on different machines, and found VRRP packets that look really strange to me:

    On the cluster that package comes from, there are two VIPs with IDs "2" and "3", assigned to private IP addresses 10.x.x.x.
    But that VRRP package says:

    • that the current master has stopped participating in VRRP (why?)
    • Strange IP Addresses (public ones?)

    Any idea what is wrong here?

  • Great, shame on me. Maybe that helps somebody else:
    Wireshark seems not to understand CARP correctly, as it thinks it's 100% the same as VRRP, which it obviously is not.

    Well… now that I know that the information from Wireshark is "crap", is there any known way to capture CARP so that Wireshark feels fit to understand the capture?

  • Actually Wireshark understands CARP just fine, the problem stems from the fact that both VRRP and CARP use IP Protocol number 112.
    That means you have to TELL Wireshark, tcpdump, etc, that you want to decode IP Protocol as CARP, not VRRP.

    In Wireshark, select the packet, right click and select Decode As… Then choose CARP in the list.

    If you are using tcpdump from the command line on pfSense, add the -T carp flag.

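Added example, not part of the original thread: this Python code reads one protocol-112 payload twice, once with the VRRPv2 layout (RFC 3768) and once with the CARP header layout (BSD `struct carp_header`), to show how CARP's advskew 0 and authlen 7 come out as VRRP "priority 0" and seven "IP addresses". The sample bytes (vhid, counter, digest, zeroed checksum) are constructed, and the function names are hypothetical.

```python
import ipaddress
import struct

# Constructed sample: 36-byte CARP advertisement (version 2, type 1, vhid 2,
# advskew 0, authlen 7, advbase 1). Checksum is left as zero, not computed;
# the counter and digest bytes are made up.
SAMPLE = (bytes([0x21, 2, 0, 7, 0, 1, 0x00, 0x00])
          + bytes.fromhex("c8a1f3025be47d10")
          + bytes.fromhex("5d2e9a41b7c3066f18d4a2e95107bc3388f0126a"))

def _fixed_header(payload):
    """Split the 8 bytes that VRRPv2 and CARP lay out with identical widths."""
    if len(payload) < 8:
        raise ValueError("payload shorter than the 8-byte fixed header")
    vt, b1, b2, b3, b4, b5, cksum = struct.unpack("!BBBBBBH", payload[:8])
    return vt >> 4, vt & 0x0F, b1, b2, b3, b4, b5, cksum

def decode_as_vrrp(payload):
    """Interpret the bytes as VRRPv2: byte 2 is priority, byte 3 an address count."""
    version, ptype, vrid, priority, count, _auth, _adv, _ck = _fixed_header(payload)
    end = 8 + 4 * count
    if len(payload) < end:
        raise ValueError("truncated address list")
    addrs = [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(8, end, 4)]
    return {"version": version, "type": ptype, "vrid": vrid, "priority": priority,
            # RFC 3768: priority 0 means the master has stopped participating
            "master_stopped": priority == 0, "addresses": addrs}

def decode_as_carp(payload):
    """Interpret the same bytes as CARP: byte 2 is advskew, byte 3 is authlen."""
    version, ptype, vhid, advskew, authlen, _pad, advbase, _ck = _fixed_header(payload)
    if len(payload) < 36:
        raise ValueError("truncated CARP header")
    (counter,) = struct.unpack("!Q", payload[8:16])  # replay counter, 2 x 32 bit
    return {"version": version, "type": ptype, "vhid": vhid, "advskew": advskew,
            "authlen": authlen, "advbase": advbase, "counter": counter,
            "digest": payload[16:36].hex()}  # 20-byte SHA-1 HMAC

if __name__ == "__main__":
    print("as VRRP:", decode_as_vrrp(SAMPLE))
    print("as CARP:", decode_as_carp(SAMPLE))
```

The seven "addresses" in the VRRP reading are the 8-byte counter plus the 20-byte HMAC cut into 4-byte pieces, which is why they look like random public IPs.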