Table of Contents
ISCSI IN DEEP - WITH WIRESHARK AND TSHARK
iSCSI PDU Formats
iSCSI PDU Formats: iSCSI uses one general PDU format for many purposes. The specific format of an iSCSI PDU is determined by the type of PDU. RFC 7143 defines numerous PDU types to facilitate communication between initiators and targets.
The primary PDU types include:
- login request
- login response
- SCSI command
- SCSI response
- data-out
- data-in
- ready to transfer (R2T)
- selective negative acknowledgment (SNACK) request
- task management function (TMF) request
- TMF response, and reject.
All iSCSI PDUs begin with a basic header segment (BHS). The BHS may be followed by one or more additional header segments (AHS), a header-digest, a data segment, or a data-digest. The data-digest may be present only if the data segment is present.
In iSCSI there are two important operations read and write to manage the data see PDUs (BHS) and the flow of those operations (thanks DELL/EMC iSCSI-Primer)
Using ITT to filter the secuence of read and write operations.
- You must follow the iSCSI data flow using the initiator task tag (ITT) field.
Initiator Task Tag (ITT)—. Storage Networking Protocol Fundamentals This is 32 bits long. It contains a tag assigned by the initiator. An ITT is assigned to each iSCSI task. Likewise, an ITT is assigned to each SCSI task. A SCSI task can represent a single SCSI command or multiple linked commands. Each SCSI command can have many SCSI activities associated with it. A SCSI task encompasses all activities associated with a SCSI command or multiple linked commands. Likewise, an ITT that represents a SCSI task also encompasses all associated activities of the SCSI command(s). An ITT value is unique only within the context of the current session. The iSCSI ITT is similar in function to the FC fully qualified exchange identifier (FQXID).
- You must filter in wireshark using the field iscsi.initiatortasktag == 0xa1500f4a to follow the read or write operations.
- You can create a flow graph with wirekshark
- Check - Limit do display filter
You can check the DataSN in PDU to check the secuence of Data In (Read) or Data Out(Write)
- Data Sequence Number (DataSN):. This is 32 bits long. This field uniquely identifies each Data-Out PDU within each sequence of PDUs. The DataSN is similar in function to the FC SEQ_ID. Each SCSI write command is satisfied with one or more sequences of PDUs. Each PDU sequence is identified by the ITT (for unsolicited data) or the TTT (for solicited data). This field is incremented by one for each Data-Out PDU transmitted within a sequence. A retransmitted Data-Out PDU carries the same DataSN as the original PDU. The counter is reset for each new sequence within the context a single command.
- In below example I filtered by iscsi.initiatortasktag == 0xa15c2c72 and you can see the secuense of DataSN field.
Using tshark command line of Wireshark.
1. Check all the package that are wrong/bad using tcp.analysis.flags parameter and create a new pcap output file.
$ tshark -r snoop-6.net0 -w sol6tcp.analysis.flags_iscsi.initiatortasktag.out tcp.analysis.flags
$ tshark -r tcp_analysis_flags.cap |wc -l 43606
2. Create a new filter with package that only have the iscsi.initiatortasktag
3. Or just show the iscsi ITT (iscsi.initiatortasktag) value.
Then now we can check more in detail each flow with the iscsi.initiatortasktag value
Error Handling oreilly book link
- Protocol error: As its name implies, this is generally a program error and requires restarting the session and error recovery by the SCSI layer.
- CRC detected error:. This error could have been detected on the PDU header or data segment. It can be recovered by resending the data or response PDU or by reissuing the command PDU, depending on what was missing. Some implementations will not be able to recover from this error and will respond as for a protocol error.
- TCP/IP or link failure: This error can often be recovered by restarting another connection and shifting command and data allegiance to it from the failed connection. Some implementations will not be able to recover from such a failure and will respond as for a protocol error.
The session restart, which must be used on protocol errors, can be used on any of the other failures also. Because only session restart is mandatory, some implementations are likely to have only that technique. That is, all error recovery can use what is called technique 0.
Opcode (RFC7143)
The Opcode indicates the type of iSCSI PDU the header encapsulates.
The Opcodes are divided into two categories: initiator Opcodes and target Opcodes. Initiator Opcodes are in PDUs sent by the initiator (Request PDUs). Target Opcodes are in PDUs sent by the target (Response PDUs).
- To filter all the opcode in wireshark
WireShark filter to check if iscsi.opcode is present
iscsi.opcode && iscsi
(iscsi.opcode==0x20 or iscsi.opcode==0x21 or iscsi.opcode==0x22 or iscsi.opcode==0x23 or iscsi.opcode==0x24 or iscsi.opcode==0x25 or iscsi.opcode==0x26 or iscsi.opcode==0x31 or iscsi.opcode==0x32 or iscsi.opcode==0x3c or iscsi.opcode==0x3e or iscsi.opcode==0x3f or iscsi.opcode==0x00 or iscsi.opcode==0x01 or iscsi.opcode==0x02 or iscsi.opcode==0x03 or iscsi.opcode==0x04 or iscsi.opcode==0x05 or iscsi.opcode==0x06 or iscsi.opcode==0x10 or iscsi.opcode==0x1c or iscsi.opcode==0x1e) && iscsi
- Target OpCodes
- wireshark to filter all the Target opcode
(iscsi.opcode==0x20 or iscsi.opcode==0x21 or iscsi.opcode==0x22 or iscsi.opcode==0x23 or iscsi.opcode==0x24 or iscsi.opcode==0x25 or iscsi.opcode==0x26 or iscsi.opcode==0x31 or iscsi.opcode==0x32 or iscsi.opcode==0x3c or iscsi.opcode==0x3e or iscsi.opcode==0x3f) && iscsi
- Initiator OpCodes
- WireShark To filter all the Initiator opcode
(iscsi.opcode==0x00 or iscsi.opcode==0x01 or iscsi.opcode==0x02 or iscsi.opcode==0x03 or iscsi.opcode==0x04 or iscsi.opcode==0x05 or iscsi.opcode==0x06 or iscsi.opcode==0x10 or iscsi.opcode==0x1c or iscsi.opcode==0x1e) && iscsi
Status (RFC7143)
- WireShark filter for SCSI status of the command
- WireShark filter for status response
Reject - Reason - RFC7143
Note 1: For iSCSI, Data-Out PDU retransmission is only done if the target requests retransmission with a recovery R2T. However, if this is the data digest error on immediate data, the initiator may choose to retransmit the whole PDU, including the immediate data.
Note 2: A target should use this reason code for all invalid values of PDU fields that are meant to describe a task, a response, or a data transfer. Some examples are invalid TTT/ITT, buffer offset, LUN qualifying a TTT, and an invalid sequence number in a SNACK.
WireShark filter to check if iscsi.opcode is present
iscsi.reject.reason && iscsi
(iscsi.reject.reason==0x00 or iscsi.reject.reason==0x02 or iscsi.reject.reason==0x08 or iscsi.reject.reason==0x18 or iscsi.reject.reason==0x28 or iscsi.reject.reason==0x30 or iscsi.reject.reason==0x40 or iscsi.reject.reason==0x00 or iscsi.reject.reason==0x01 or iscsi.reject.reason==0x80 or iscsi.reject.reason==0xff) && iscsi