Skip to main content

Aviz Networks details vasn_tap packet tap for Linux visibility

Aviz Networks introduced vasn_tap, a Linux-based packet tap for cloud-native network visibility that captures traffic, optionally filters and truncates packets, and forwards them locally or via userspace VXLAN or GRE without kernel tunnel devices.

Research Overview

Vasn_tap is presented as a lightweight, production-grade tool built to copy traffic from a configured source interface on Linux hosts. It supports operational use cases where packets must be captured, filtered, truncated, and delivered to monitoring or security systems.

The post describes vasn_tap as a companion to the Aviz Service Node (ASN). It provides two capture backends and a configuration-driven approach intended to keep deployment and runtime behavior straightforward.

Key Findings

The blog states that vasn_tap can use AF_PACKET for most deployments and eBPF for newer kernels described as requiring at least 5.10 with BTF. It also states that userspace encapsulation supports forwarding through VXLAN or GRE, and that the tool supports direct L2 forwarding to a local output interface.

Vasn_tap exposes first-match ACL filtering and optional post-filter truncation, with default_action set to allow or drop. The post also emphasizes that configuration is defined in a single YAML file, with changes applied after a clean restart.

Technical Breakdown

For per-packet processing, the blog describes first-match ACL filtering up to 128 rules using criteria that include protocol and ports, IPv4 addresses and CIDR, eth_type, and single VLAN support. It further describes optional post-filter truncation in the 64–9000 byte range with automatic updates to IPv4 length and checksum.

For forwarding, it outlines userspace VXLAN using a VNI and custom port, and GRE with an optional key. It also includes a drop mode when no output or tunnel is configured, described as useful for counting or monitoring.

Operational Impact

The post describes operational visibility through file-based statistics updated every second, including RX, TX, drop, truncation, filter-hit counts, rates, CPU percentage, and RSS. It also references a vasn_tapctl counters --watch mode for monitoring behavior.

It lists operational management functions in vasn_tapctl, including validate, apply, start, stop, restart, diagnose, dry-run, version, logs, and generation of a one-command technical-support bundle. The blog also notes production-oriented behaviors such as graceful shutdown and documented root and CAP requirements, and that the tool does not create kernel tunnel devices and does not include encryption.

Blog Signals brief is a fact-based summary of this vendor blog post about vasn_tap’s Linux-based packet capture, optional per-packet filtering and truncation, and userspace-forwarding options, along with the described operational tooling and deployment approach for enterprise IT and security leaders.