
WCCP Protocol plus Wireshark Capture

April 30th, 2012

WCCP

Refer to this Wireshark capture, or view it now via CloudShark.

Alternatively, download WCCPv2.pcap and continue reading.

WCCPv2

Registration:

Accelerator or Engine is a WCCP client:
- Registers WCCP services (0-255) with “Here I Am” if the application is operational
- Registration announces the WCCP client on the service group, provides availability notification, and requests interesting traffic
- Transmits “Here I Am” every 10 seconds
- Lead WCCP client (lowest IP address) instructs routers on protocol/port, assignment, forwarding, and return methods

Router is a WCCP server:
- Accepts service group registration (0-255)
- Acknowledges “Here I Am” with “I See You”
- Waits 30 (3×10) seconds before declaring an engine failed
- Announces engines to other engines
- Router ID is the highest interface IP, or the highest loopback IP if one exists
- Redirects traffic to the engine
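
As an added example (not from the original post), the Python code below applies the registration rules above to constructed “Here I Am” observations: it marks an engine failed after 30 seconds of silence, picks the lead engine as the lowest IP among live engines, and derives the router ID. The names `group_state`, `router_id` and `SAMPLE_EVENTS`, the service numbers, and the convention that loopback interface names start with "Loopback" are assumptions made for the example.

```python
import ipaddress

HERE_I_AM_INTERVAL = 10                      # seconds between "Here I Am" messages
FAILURE_TIMEOUT = 3 * HERE_I_AM_INTERVAL     # router declares an engine failed after 30 s

# Constructed sample: (seconds since capture start, engine IP, service group).
SAMPLE_EVENTS = [
    (0, "10.0.0.10", 61), (0, "10.0.0.9", 61), (2, "10.0.0.20", 62),
    (10, "10.0.0.10", 61), (10, "10.0.0.9", 61), (12, "10.0.0.20", 62),
    (20, "10.0.0.10", 61), (22, "10.0.0.20", 62),   # 10.0.0.9 is silent after t=10
    (30, "10.0.0.10", 61), (32, "10.0.0.20", 62),
    (40, "10.0.0.10", 61), (42, "10.0.0.20", 62),
]

def group_state(events, now):
    """Service-group membership as a router would see it at time `now`."""
    last_seen = {}
    for ts, ip, service in events:
        if ts > now:
            continue                          # not observed yet
        if not 0 <= service <= 255:
            raise ValueError(f"service group {service} outside 0-255")
        key = (service, ipaddress.ip_address(ip))
        last_seen[key] = max(ts, last_seen.get(key, ts))
    state = {}
    for (service, ip), ts in last_seen.items():
        group = state.setdefault(service, {"alive": [], "failed": [], "lead": None})
        group["failed" if now - ts >= FAILURE_TIMEOUT else "alive"].append(ip)
    for group in state.values():
        # Sort as addresses, not strings: 10.0.0.9 is lower than 10.0.0.10.
        group["alive"] = [str(ip) for ip in sorted(group["alive"])]
        group["failed"] = [str(ip) for ip in sorted(group["failed"])]
        if group["alive"]:
            group["lead"] = group["alive"][0]   # lowest IP leads the group
    return state

def router_id(interfaces):
    """Highest loopback IP if one exists, otherwise highest interface IP."""
    addrs = {name: ipaddress.ip_address(ip) for name, ip in interfaces.items()}
    # Assumption: loopback interfaces are named "Loopback<N>".
    loopbacks = [ip for name, ip in addrs.items() if name.lower().startswith("loopback")]
    return str(max(loopbacks or addrs.values()))

if __name__ == "__main__":
    for t in (25, 45):
        print(t, group_state(SAMPLE_EVENTS, t))
```

A change in the `lead` or `alive` values between two points in a capture shows when the service group membership changed, which is the moment to compare against the “I See You” messages in the trace.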

Assignment: (Note: see the post “WCCP Load Distribution (Hash and Mask)” to understand how this works.)
- Selects an engine in the cluster
- Hash: 256 buckets
- Mask: 128 buckets, represented by a 7-bit mask of the source or destination IP/port

Redirect from Router to Cache Engine:
- Redirect list allows the router to permit/deny traffic to intercept
- Two methods of redirection:
  - WCCP L2: local subnet only, little overhead. Rewrites the packet MAC address to that of the local Engine.
  - WCCP GRE: any IP subnet, more overhead. Creates a tunnel from the router to a local or remote Engine.

Return from Cache Engine to Router:
- WCCP GRE return (the IP headers are encapsulated using transport mode, adding GRE headers). This is used when the targets are on different subnets to the cache engine.
- WCCP L2 return
- Engine can optionally return traffic any other way, including routing
