Configure Parsing of Network Packets

The parser configuration controls how Mermin's eBPF programs detect and parse tunneled traffic by specifying UDP ports for VXLAN, Geneve, and WireGuard.

Overview

Mermin's parser configuration allows you to:

Specify UDP ports for tunnel protocol detection (VXLAN, Geneve, WireGuard)
Match your CNI or overlay network's tunnel port settings so inner (pod) traffic is visible

Correct port configuration ensures flows show inner source/destination (e.g., pod IPs) instead of only tunnel endpoints (node IPs). These settings do not add configurable parsing depth or IPv6 extension options; only tunnel ports are configurable.

Configuration

parser {
  # Tunnel port detection
  geneve_port = 6081
  vxlan_port = 4789
  wireguard_port = 51820
}

Configuration Options

Tunnel Port Detection

`geneve_port`

Type: Integer (port number) Default: 6081

UDP port number for Geneve tunnel detection.

Description:

Geneve (Generic Network Virtualization Encapsulation) is a tunneling protocol
IANA assigned port: 6081
Used by various cloud networking solutions and SDN controllers

When to customize:

Your environment uses non-standard Geneve port
Network policy requires specific port assignment
Conflict with other services on standard port

Example:

parser {
  geneve_port = 6081  # IANA standard (default)
}

Custom port example:

parser {
  geneve_port = 7081  # Custom port
}

`vxlan_port`

Type: Integer (port number) Default: 4789

UDP port number for VXLAN tunnel detection.

Description:

VXLAN (Virtual Extensible LAN) is a network virtualization technology
IANA assigned port: 4789
Commonly used in Kubernetes networking (Flannel, Calico, NSX-T)

When to customize:

Your CNI or network plugin uses non-standard VXLAN port
Legacy VXLAN deployments using older port assignments
Custom overlay network configuration

Example:

parser {
  vxlan_port = 4789  # IANA standard (default)
}

Custom port example:

parser {
  vxlan_port = 8472  # Flannel's default in older versions
}

`wireguard_port`

Type: Integer (port number) Default: 51820

UDP port number for WireGuard tunnel detection.

Description:

WireGuard is a modern VPN protocol
Default port: 51820 (not IANA assigned, but widely adopted)
Used for secure site-to-site or pod-to-pod encrypted connections

When to customize:

WireGuard configured with custom listen port
Multiple WireGuard tunnels with different ports
Security requirements for non-default ports

Example:

parser {
  wireguard_port = 51820  # Default WireGuard port
}

Custom port example:

parser {
  wireguard_port = 51821  # Custom WireGuard port
}

How Tunnel Parsing Works

Packet Processing Flow

Outer Header Parsing:
- Mermin's eBPF program examines the outer IP header
- Checks UDP destination port against configured tunnel ports
Tunnel Type Detection:
- If port matches vxlan_port → Parse as VXLAN
- If port matches geneve_port → Parse as Geneve
- If port matches wireguard_port → Parse as WireGuard
Inner Header Parsing:
- Extract encapsulated packet
- Parse inner IP, TCP/UDP headers
- Generate flow records using inner headers
Flow Attributes:
- Flow records contain both outer and inner header information
- Tunnel type is recorded in flow metadata
- Enables tracking of overlay network traffic

Tunnel Detection Benefits

Without tunnel parsing:

Flows show only tunnel endpoints (node IPs)
Cannot see actual source/destination of encapsulated traffic
Limited visibility into overlay network communication

With tunnel parsing:

Flows show inner source/destination (pod IPs)
Complete visibility into overlay traffic
Accurate flow accounting for containerized workloads

CNI-Specific Configurations

Flannel with VXLAN

Flannel typically uses VXLAN on port 8472 (older) or 4789 (newer):

parser {
  vxlan_port = 4789  # Modern Flannel
  # vxlan_port = 8472  # Legacy Flannel
}

Calico with VXLAN

Calico uses standard VXLAN port when VXLAN mode is enabled:

parser {
  vxlan_port = 4789  # Calico VXLAN
}

Cilium with Geneve

Cilium can use Geneve for overlay networking:

parser {
  geneve_port = 6081  # Cilium Geneve overlay
}

WireGuard Encryption

If using WireGuard for pod-to-pod encryption:

parser {
  wireguard_port = 51820  # Default WireGuard
}

NSX-T

VMware NSX-T uses Geneve:

parser {
  geneve_port = 6081  # NSX-T overlay
}

Determining Your Configuration

Identifying VXLAN Port

Flannel:

# Check Flannel configuration
kubectl -n kube-system get configmap kube-flannel-cfg -o yaml | grep -i port

# Or check pod arguments
kubectl -n kube-system get pod -l app=flannel -o yaml | grep -i port

Calico:

# Check Calico configuration
kubectl get felixconfiguration default -o yaml | grep -i vxlan

Identifying Geneve Port

Cilium:

# Check Cilium config
kubectl -n kube-system get configmap cilium-config -o yaml | grep -i geneve

NSX-T:

# Typically uses default Geneve port 6081
# Check NSX-T configuration documentation

Identifying WireGuard Port

# Check WireGuard configuration
kubectl get configmap -n kube-system -o yaml | grep -i wireguard

# Or check node configuration
ssh node "sudo wg show"

Multiple Tunnel Types

Some environments use multiple tunnel types simultaneously. Configure all relevant ports:

parser {
  # VXLAN for main overlay network (Flannel)
  vxlan_port = 4789

  # Geneve for service mesh (NSX-T)
  geneve_port = 6081

  # WireGuard for encryption
  wireguard_port = 51820
}

Performance Considerations

Impact of Tunnel Parsing

CPU Usage: Minimal overhead for tunnel header parsing
Memory: No additional memory required
Accuracy: Significantly improves flow accuracy in overlay networks

When to Disable

Tunnel parsing cannot be disabled, but misconfigured ports may cause:

Incorrect tunnel detection
Flows attributed to wrong source/destination
Missing inner packet information

Validation

Verify tunnel parsing is working:

Check Flow Records

# View flow logs
kubectl logs -l app.kubernetes.io/name=mermin --tail=20

# Look for tunnel information in flow records
# Should see inner IP addresses (pod IPs) not just node IPs

Compare With/Without Tunnel Parsing

Without proper configuration:

Flows show: Node IP A → Node IP B (outer headers only)
Protocol: UDP (tunnel protocol)
Ports: tunnel ports (4789, 6081, etc.)

With proper configuration:

Flows show: Pod IP X → Pod IP Y (inner headers)
Protocol: TCP/UDP/ICMP (actual application protocol)
Ports: application ports (80, 443, etc.)

eBPF Verifier Considerations

Understanding Verifier Complexity

The Linux eBPF verifier analyzes all possible execution paths in the program to ensure safety. Parser configuration directly impacts verifier complexity:

Symptoms of verifier failure:

BPF program is too large. Processed 1000001 insn
verification time 3775231 usec

Resolution steps:

Update kernel (if possible): Newer kernels (5.14+) have improved verifier efficiency

Recommended Configurations by Environment

Standard Kubernetes (Kind, K3s, Cloud providers):

parser {
  # Tunnel detection
  geneve_port = 6081
  vxlan_port = 4789
  wireguard_port = 51820
}

Constrained environments (older kernels, K3s on edge):

parser {
  # Tunnel detection
  geneve_port = 6081
  vxlan_port = 4789
  wireguard_port = 51820
}

Advanced networks (SRv6, multicast, specialized):

parser {
  # Tunnel detection
  geneve_port = 6081
  vxlan_port = 4789
  wireguard_port = 51820
}

Complete Configuration Example

# Parser configuration - complete example
parser {
  # Tunnel protocol detection ports
  geneve_port = 6081      # Cilium, NSX-T (IANA standard)
  vxlan_port = 4789       # Flannel, Calico (IANA standard)
  wireguard_port = 51820  # WireGuard VPN (default port)
}

Troubleshooting

Seeing Only Tunnel Endpoints in Flows

Symptoms: Flows show node IPs instead of pod IPs

Solutions:

Verify tunnel port configuration matches your CNI
Check CNI documentation for port settings
Inspect actual tunnel traffic: tcpdump -i any -n udp port 4789

Incorrect Tunnel Detection

Symptoms: Flows misattributed or missing

Solutions:

Confirm tunnel ports with CNI configuration
Check for port conflicts with other services
Review eBPF program logs for parsing errors

Multiple Ports for Same Protocol

If your environment uses multiple ports for the same tunnel protocol (e.g., multiple VXLAN configurations), Mermin currently supports only one port per protocol type. Choose the most commonly used port or consult support for multi-port scenarios.

Best Practices

Use IANA defaults: Unless you have a specific reason, use the default ports
Document customizations: If using custom ports, document why in comments
Validate after changes: Test flow accuracy after modifying parser configuration
Match CNI configuration: Ensure parser ports match your CNI's tunnel ports
Monitor metrics: Watch for anomalies after configuration changes

Next Steps

Configure Network Interfaces: Select which interfaces to monitor
Filter Flows by Protocol: Reduce noise from specific protocols

Need Help?

Troubleshoot Parser Issues: Resolve eBPF verifier failures
GitHub Discussions: Ask about tunnel protocol handling

PreviousNetwork Interface Discovery NextFlow Span Producer

Last updated 7 days ago

hashtagOverview

hashtagConfiguration

hashtagConfiguration Options

hashtagTunnel Port Detection

hashtaggeneve_port

hashtagvxlan_port

hashtagwireguard_port

hashtagHow Tunnel Parsing Works

hashtagPacket Processing Flow

hashtagTunnel Detection Benefits

hashtagCNI-Specific Configurations

hashtagFlannel with VXLAN

hashtagCalico with VXLAN

hashtagCilium with Geneve

hashtagWireGuard Encryption

hashtagNSX-T

hashtagDetermining Your Configuration

hashtagIdentifying VXLAN Port

hashtagIdentifying Geneve Port

hashtagIdentifying WireGuard Port

hashtagMultiple Tunnel Types

hashtagPerformance Considerations

hashtagImpact of Tunnel Parsing

hashtagWhen to Disable

hashtagValidation

hashtagCheck Flow Records

hashtagCompare With/Without Tunnel Parsing

hashtageBPF Verifier Considerations

hashtagUnderstanding Verifier Complexity

hashtagRecommended Configurations by Environment

hashtagComplete Configuration Example

hashtagTroubleshooting

hashtagSeeing Only Tunnel Endpoints in Flows

hashtagIncorrect Tunnel Detection

hashtagMultiple Ports for Same Protocol

hashtagBest Practices

hashtagNext Steps

hashtagNeed Help?

Overview

Configuration

Configuration Options

Tunnel Port Detection

`geneve_port`

`vxlan_port`

`wireguard_port`

How Tunnel Parsing Works

Packet Processing Flow

Tunnel Detection Benefits

CNI-Specific Configurations

Flannel with VXLAN

Calico with VXLAN

Cilium with Geneve

WireGuard Encryption

NSX-T

Determining Your Configuration

Identifying VXLAN Port

Identifying Geneve Port

Identifying WireGuard Port

Multiple Tunnel Types

Performance Considerations

Impact of Tunnel Parsing

When to Disable

Validation

Check Flow Records

Compare With/Without Tunnel Parsing

eBPF Verifier Considerations

Understanding Verifier Complexity

Recommended Configurations by Environment

Complete Configuration Example

Troubleshooting

Seeing Only Tunnel Endpoints in Flows

Incorrect Tunnel Detection

Multiple Ports for Same Protocol

Best Practices

Next Steps

Need Help?