5/18/2017 SecurityUnplugged!!!:ovsofctlcommandsonOpenFlow1.

3Mininetswitch(ovsk)

1 More NextBlog

SecurityUnplugged!!!
BitofEverything!VulnerabilityResearch,ReverseEngineering,MalwareAnalysis,Exploitsetc...

PraveenDarshanam
Follow 151

Viewmycompleteprofile

Thursday,January23,2014 NVDCVE/CCESearc
SearchforVulnerabilities
ovsofctlcommandsonOpenFlow1.3Mininetswitch(ovsk) Entervendor,software,orkeyword

ovsofctlprogramisacommandlinetoolformonitoringandadministeringOpenFlowswitches.Itcanalsoshowthecurrentstateofan
OpenFlowswitch,includingfeatures,configuration,andtableentries.ItshouldworkwithanyOpenFlowswitch,notjustOpenvSwitch.
Followers
Beforepushingtheflowsweneedtostartmininetswitch.usingbelowcommand(alsoshowninsnapshot). Followers(27)Next
sudomntoposingle,2controllerremote,ip=192.168.56.103:6653switchovsk,protocols=OpenFlow13
where,
192.168.56.103isopenflowpluginControllersIPAddressandprotocols=OpenFlow13statesthatweneedtouseOpenFlowprotocol
version1.3,tcp/6653isusedforOF1.3communicationand6633forOF1.0.
Pointtonotehere,MininetandControllerarerunningondifferentVirtualMachines.

Follow

BlogArchive
2017(2)

2015(26)

2014(40)
December(6)

November(1)

October(2)

September(2)

August(3)

IftheabovecommandissuccessfullyexecutedweshouldseeOF1.3communicationbetweenOVSK(switchs1here)andSDNController. July(5)
Flowscanbeaddedas June(2)

sudoovsofctlOOpenflow13addflows1in_port=1,actions=nw_ttl:2,output:2 May(4)

April(7)

sudoovsofctlOOpenFlow13addflows1priority=11,dl_type=0x0800,nw_src=10.0.0.1,action=mod_tp_dst:8888 March(5)

January(3)
IftheabovecommandissuccessfullyconfiguredonOVSKweshouldsuccessfullydumpflows.
InstallingCPqDswitch,inv
mininet@mininetvm:~$sudoovsofctlOOpenFlow13dumpflowss1 MininetandO...
OFPST_FLOWreply(OF1.3)(xid=0x2):
ovsofctlOVSactioncomm
cookie=0x0,duration=7.443s,table=0,n_packets=0,n_bytes=0,priority=11,ip,nw_src=10.0.0.1 OpenFlow1.3
actions=mod_tp_dst:8888
ovsofctlcommandsonOp
Mininetswitch...
ovsofctlconnectstoanOpenFlowswitchusingssl,tcp(ipandport),socketfile,unixfileetc.ovsofctltalkstoovsvswitchd,andovsvsctl
talkstoovsdbserver.
2013(4)

Detailedoptionscanbefoundat 2012(22)
http://openvswitch.org/cgibin/ovsman.cgi?page=utilities%2Fovsofctl.8 2011(4)

2010(12)

2009(8)
PostedbyPraveenDarshanamat10:11PM +1 Recommend this on Google
2008(1)
Labels:Mininet,OpenFlow,SDN

22 comments UniqueClicks

http://blog.disects.com/2014/01/ovsofctlcommandsonopenflow13.html 1/4
5/18/2017 SecurityUnplugged!!!:ovsofctlcommandsonOpenFlow1.3Mininetswitch(ovsk)

Add a comment TotalPageviews

236,510

SecurityBlogs
Top comments
AVGAnalysis
extraexploit

naveen nani 10 months ago - Shared publicly GoogleSecurity

please let me know how to go to OpenFlow 1.0 in mininet VM ISSFrequencyXBlog

MalwareThreatCenter(SRIIntern
1 Reply
McAfeeLabs
MSMalware
2 years ago
MSSecurityResponse

Hey ,praveen I am doing my major on SDN and need to implement "Threat dtection in SDN and implement SDN Firewall" .Can you
MSDN
tell me how to introduce mallware in the mininet using Python .Also please point me in the right direction about the project.Please
if you have the code or link also provide one. Thanks in advance. SANSDiary
Sophos
Sourcefire
2 years ago SymantecSecurityResponse
I have a ow cookie=0x0, duration=577.05s, table=0, n_packets=24424, n_bytes=362177596, idle_age=2,
Hi, TheHoneynetProject
priority=950,ip,nw_dst=10.201.11.45 actions=enqueue:3q0 how can i delete this particular ow and not others...
Trend
ZDNet

Praveen Darshanam 2 years ago

@Sumit, you neet to look at mininet code. Do git clone of mininet, their wiki might be helpful. @Fidel, to ping from A to B you need BrowserStuff
to add 2 rules. This might be outdated info. I stopped working on ODL/Mininet long back.
IEBlog
GNUCITIZEN
Larholm
Fidel Rosell 2 years ago
BrowserFun
I am doing a project and I have been conguring as many rules as I have thought about it in order to add ows in a fat-tree
Hi.
topology. I have not been able to ping from 1 host to another one. I have used sudo ovs-ofctl add-ow (SW#) ....... for each of the
swtich in the path, setting up in_ports and out_ports for all of them. Please, could you give some answers about it. I have thought Exploits/WhitePaper
creating datapath but I do not understand very well how it works.
IronGeek
OpenRCE

Sumit Paliwal 2 years ago WindowSecurity

Praveen, I am doing my master's thesis on SDN. As part of this, I need to add some extra functionality at the ovsk switch and
Hi SecurityTube
pox controller. I could get source code for pox controller, but not for the ovsk switch in mininet. Kindly tell me where can i get the ExploitDB
source code of ovsk? kindly give few pointers in this context. Your information in this regard is of great help as I am also most
stuck at this time. Regards Sumit
Programming/Codin
TheCodeProject
Naoki 2 years ago MicrosoftTechnologies

Dear Praveen, Now I got OvSwitch 2.0.1 which is installed in mininet version 2.1.0p2. mininet@mininet-vm:~$ ovs-ofctl --version
GoogleCodeBlog
ovs-ofctl (Open vSwitch) 2.0.1 Compiled Feb 23 2014 14:45:29 OpenFlow versions 0x1:0x4 I set switch to support OpenFlow 1.3
using command ovs-vsctl set bridge s1 protocols=OpenFlow10,OpenFlow13 Now, the switch has function of OpenFlow 1.3. I JavaProgramming@SUN
checked from ovs-ofctl -O OpenFlow13 dump-ows s1 But I know that OpenFlow 1.3 has meter table. I try to add meter using CodeGuru
command ovs-ofctl -O OpenFlow13 add-meter s1 meter_id=100,ag=KBPS,band=type:drop,rate:10000 ovs-ofctl -O OpenFlow13
add-ow s1 in_port=1,actions=meter:100,output:2 But the system tell that ovs-ofctl: unknown command 'add-meter'; use --help CafeauLaitJava
help As fas as I know, this version of OvSwitch support OpenFlow 1.3. I wonder why the command 'add-meter' is not available.
Regards,
Networks
TheTCP/IPGuide

Praveen Darshanam 2 years ago CISSPPreparation

@Pankaj Before installing new version of Open vSwitch(ovs) make sure you delete old/default installation. Installing new ovs CCNABlog
without removing old installation might lead to unexpected behaviour. To answer you question it might be using the latest JuniperBlog
installation. I don't think you can run 2 different installations of OVS on a single machine. "--switch user" is for CPqD switch (user
mode) "--switch ovsk" is for Open vSwitch (kernel mode) CCIEBlog

Pankaj Thorat 2 years ago

@RISK:TheConsens
Thanks Praveen. I appreciate your help. You are doing a great job. :) SecurityAlert
SANSFIRE2011

Pankaj Thorat 2 years ago

Praveen, I read all of your blogs they are quite useful and informative. Thanks for uploading your information. I tried to get
Hi IBMInternetSecurit
hands on OVS, mininet and opendaylight. I installed mininet using install.sh -nfv and after that i installed Open vSwitch 2.1.0. SystemsInternetThr
(Basically i Followed following tutorial, to install new version of openvswitch https://github.com/mininet/mininet/wiki/Installing-
new-version-of-Open-vSwitch) I created a topology in mininet and connected to the opendaylight controller using sudo mn --
http://blog.disects.com/2014/01/ovsofctlcommandsonopenflow13.html 2/4
5/18/2017 SecurityUnplugged!!!:ovsofctlcommandsonOpenFlow1.3Mininetswitch(ovsk)
new-version-of-Open-vSwitch) I created a topology in mininet and connected to the opendaylight controller using sudo mn --
custom custom/trial.py --topo mytopo --switch ovsk --controller=remote,ip=192.168.44.144,port=6633 My question is how to
Information
know whether mininet is using the new version of Open-vSwitch or the inbuilt version of openvswitch? what is the difference MultipleAdobeFlashPlayercod
between --switch user and --switch ovsk? i hope ovs supports openow version 1.1 to 1.3, because of following results vulnerabilities
root@ubuntu:/root/openvswitch-2.1.0# sudo ovs-ofctl --version ovs-ofctl (Open vSwitch) 2.1.0 Compiled Aug 30 2014 07:07:34
glibcgethostbynamebufferoverf
OpenFlow versions 0x1:0x4 Thanks, Pankaj vulnerability
Show less
MicrosoftWindowsOLEAutoma
RemoteCodeExecution
VulnerabilityinMicrosoftOLECo
RemoteCodeExecution
Praveen Darshanam 2 years ago

Yeah, the code is open source. I think you can change as per the requirement and commit the functionality to Mininet with proper MicrosoftWindowsOLEcodeex
reviews and everyone in the community feels the functionality is useful for others. Better check with mininet/ovsk for exact
procedure.
USCERTCyberSecu
Alerts
2 years ago
TA17132A:IndicatorsAssociate
Thanks a lot Praveen for the reply.
WannaCryRansomware
TA17117A:IntrusionsAffecting
VictimsAcrossMultipleSectors
2 years ago
TA17075A:HTTPSInterception
Praveen, I have gone through your blog, it is quite informative and helpful, Thanks. Just wondering whether it would be possible
Hi
Security
to customize OpenVswitch (for example add some code changes for enhancing it) and then integrate it into mininet?
TA16336A:Avalanche(crimewa
infrastructure)
TA16288A:HeightenedDDoST
Praveen Darshanam 2 years ago byMiraiandOtherBotnets

Great, it worked! Might be helpful to others:-)

NationalVulnerabilit
Database
2 years ago
CVE20153998
I had to do the following to make it work for me ovs-vsctl set bridge s1 protocols=OpenFlow13
CVE20154070
CVE20163403
CVE20175214
Praveen Darshanam 3 years ago
CVE20175215

ovs-ofctl --version is showing correct version i.e. 0x4=1.3 also check ovs-vswitchd version. It might be an issue with ovs-vswitchd
version

LearnMalwareAnaly
IDAPro,Decompilation,BinaryA
beer 3 years ago
BinaryAuditing
using mininet 2.1.0+, ovswitch 2.0, ubuntu 13.04. It should be ok to use OpenFlow 1.3. But S1 still doesn't show OpenFlow 1.3
I'm
when I run mininet (using protocols=OpenFlow13 and port 6653). I try to use command "ovs-ofctl -O OpenFlow13 dump-ows s1",
version negotiation failed (we support version 0x04, peer supports version 0x01) ryu@ryu-vm:~$ ovs-ofctl --version ovs-ofctl TechnologyNews
(Open vSwitch) 2.0.0 Compiled May 14 2014 20:25:34 OpenFlow versions 0x1:0x4 ryu@ryu-vm:~$ What should I do to let the ocs-
ofctl command run OpenFlow1.3? http://www.heavyreading.com/
http://www.honline.com/
http://www.extremetech.com/
Praveen Darshanam 3 years ago DarkReading
I am using wireshark 1.11, it works ne

hanu_blr 3 years ago

i tried installing OF13 dissector as the link u hv given. I copied the openow.so plugin to the plugin dir of wireshark. loaded ws and
the plugin was shown in about windows ne. Tried with ODL-hydrogen-base controller with -of13, and was able to see the OF13
messages shown correctly. If i tried with OF10 controller, the messages are not decoded correctly. It shows as OF1.0, but elds
are not shown correctly. IS there a plugin which wrks for both OF10 adn OF13 ???

Praveen Darshanam 3 years ago

"./install -a" doesn't install OF1.3 dissector. For manual install follow https://github.com/CPqD/ofdissector
https://github.com/CPqD/ofsoftswitch13/wiki/OpenFlow-1.3-Tutorial

Praveen Darshanam 3 years ago

ovs-ofctl -v should show if it supports OF1.3 or not. If not install 2.0.0 OVSK. 2. Flow Programming Service adds few entries
1.
which are invisibly. I am adding ows by executing commands directly on switch but can also be added using REST/NorthBound
or by writing Apps 3. While installing mininet pass -3 as argument (./install.sh -n3fx etc.) 4. Wireshark 1.11 by default has
OF1.3/1.4 dissector (please cross verify the version) support

http://blog.disects.com/2014/01/ovsofctlcommandsonopenflow13.html 3/4