Re: [Nfsen-discuss] Problems with profiles other than live

Peter Haag Wed, 22 Aug 2007 07:39:03 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- --On August 20, 2007 21:56:54 -0400 "Brown, Robin" <[EMAIL PROTECTED]> wrote:

| I am now experiencing this issue.  New install of:
|
| nfdump: Version: snapshot-20070808 $LastChangedDate: 2007-03-06 09:49:26
| +0100 (Tue, 06 Mar 2007) $
| $Id: nfdump.c 88 2007-03-06 08:49:26Z peter $
|
| ./nfsen: 1.3b-20070720 $Id: nfsen 18 2007-07-20 12:33:25Z phaag $
|
| Profiles other than live are not updated.  The relevant directories and
| rrd files get created but are never updated.  I removed all special
| characters from the profile names, still no updating.
|
| Any advice?


Just for the list. There were some reports about not updated profiles other 
than 
live. At least in Robin's case it turned out, that some inconsistencies 
triggered a 
bug in nfprofile.c. Many thanks to Robin for endless testing and mailing with 
me 
offline.
The patch below fixes the bug in nfprofile.c. Those having the same problem may 
apply 
the patch recompile and reinstall nfprofile.

Hope this helps.

- --- nfprofile.c.orig      2007-08-06 10:21:18.000000000 +0200
+++ nfprofile.c 2007-08-22 10:02:47.000000000 +0200
@@ -499,6 +499,12 @@

                list = &((*list)->next);
        }
+
+       if ( *list != NULL ) {
+               free(*list);
+               *list = NULL;
+       }
+
        if ( ferror(stdin) ) {
                fprintf(stderr, "fgets() error: %s", strerror(errno));
                return NULL;


|
| -Robin
|
|
| -----Original Message-----
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED] On Behalf Of Peter
| Haag
| Sent: Monday, August 06, 2007 4:28 AM
| To: Felix Schueren; [email protected];
| [EMAIL PROTECTED]
| Subject: Re: [Nfsen-discuss] Problems with profiles other than live
|
| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
|
| Felix, Chris,
| For a quick fix: Apply the patch below to the file scanner.l and
| recompile nfdump.
|
|     - Peter
|
|
| - --- scanner.l.orig      2007-08-06 10:23:25.000000000 +0200
| +++ scanner.l   2007-08-06 10:23:34.000000000 +0200
| @@ -84,7 +84,7 @@
|                                         yylval.s = strdup(yytext);
|                         return IPSTRING;
|                                 }
| - -ident[ \t]+[a-zA-Z0-9_]+ {
| +ident[ \t]+[a-zA-Z0-9_\-]+ {
|                                         char *p = &(yytext[5]);
|                                         while ( *p == ' ' || *p == '\t'
| ) p++;
|                                         yylval.s = strdup(p);
|
|
| - --On August 2, 2007 13:51:55 +0200 Felix Schueren
| <[EMAIL PROTECTED]> wrote:
|
| | I ran into the same problem as Chris Waters did - nfsen works nicely,
| | any profile other than default/live does get created but never
| receives
| | any data. After debugging this for a while, it appears that nfprofile
| | does not handle channel_sourcelist entries with dashes ("-"):
| |
| |
| | [EMAIL PROTECTED]:/usr/src/nfdump-snapshot-20070312# nfprofile -I -p
| | /var/flows/nfsen/profiles-data -P /var/flows/nfsen/profiles-stat -S 1
| -M
| | /var/flows/nfsen/profiles-data/live/jc-blue_cgn1:jcore1_cgn2 -r
| | nfcapd.200708021150
| | Blubb#Test-HTTP#2#Egress#jc-blue_cgn1|jcore1_cgn2
| | Process line 'Blubb#Test-HTTP#2#Egress#jc-blue_cgn1|jcore1_cgn2
| | '
| | Setup channel 'Egress' in profile 'Test-HTTP' group 'Blubb',
| channellist
| | 'jc-blue_cgn1|jcore1_cgn2'
| | Filter: (ident jc-blue_cgn1 or ident jcore1_cgn2) and (port 80)
| | line 1: syntax error at '-'
| |
| | creating a profile with just "jcore1.cgn2" works fine. I could see
| that
| | Chris had router ident names like "rus-kla-ops-1" so that's probably
| the
| | same issue.
| |
| | I haven't been able to figure out the exact problem within
| nfprofile.c,
| | somebody with better C skills needs to do that :p
| |
| | Oh, and also nfsend should probably not fail silently when this
| happens.
| |
| | kind regards,
| |
| | Felix
| |
| | --
| | Felix Schueren, Head of NOC
| |
| | mailto:[EMAIL PROTECTED]
| |
| | Host Europe GmbH - http://www.hosteurope.de
| | Welserstrasse 14 - D-51149 Koeln - Germany
| | Telefon (0800) 4678387 - Telefax (01805) 663233
| | HRB 28495 Amtsgericht Koeln - UST ID DE187370678
| | Geschaeftsfuehrer U. Braun - M. Read - S. Porter
| |
| | Fuer diese Nachricht gilt: http://www.hosteurope.de/disclaimer.html
| |
| |
| ------------------------------------------------------------------------
| -
| | This SF.net email is sponsored by: Splunk Inc.
| | Still grepping through log files to find problems?  Stop.
| | Now Search log events and configuration files using AJAX and a
| browser.
| | Download your FREE copy of Splunk now >>  http://get.splunk.com/
| | _______________________________________________
| | Nfsen-discuss mailing list
| | [email protected]
| | https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
|
|
|
| - --
| _______ SWITCH - The Swiss Education and Research Network ______
| Peter Haag,  Security Engineer,  Member of SWITCH CERT
| PGP fingerprint: D9 31 D5 83 03 95 68 BA  FB 84 CA 94 AB FC 5D D7
| SWITCH, Werdstrasse 2, P.O. Box,  CH-8021   Zurich, Switzerland
| E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
| -----BEGIN PGP SIGNATURE-----
| Version: GnuPG v1.4.3 (Darwin)
|
| iQCVAwUBRrbbgf5AbZRALNr/AQKpdAP/c63Iq2f3jkbHJRapjcfoOSkp+o3Yszdo
| EbNqdRurszkO3vBQQog3NxzWQHNZDHAj/VwYaSakM+5IKRJ+LXsjo+GGLoZMUt0w
| PIeXqCQ2tWGDkMhxOKGS4Dm7304A6s+WMsi6JAdhUeaFXk7sDFUSnlaQH4rAZiyh
| wrOguu+REeE=
| =50cZ
| -----END PGP SIGNATURE-----
|
|
| ------------------------------------------------------------------------
| -
| This SF.net email is sponsored by: Splunk Inc.
| Still grepping through log files to find problems?  Stop.
| Now Search log events and configuration files using AJAX and a browser.
| Download your FREE copy of Splunk now >>  http://get.splunk.com/
| _______________________________________________
| Nfsen-discuss mailing list
| [email protected]
| https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
|
| -------------------------------------------------------------------------
| This SF.net email is sponsored by: Splunk Inc.
| Still grepping through log files to find problems?  Stop.
| Now Search log events and configuration files using AJAX and a browser.
| Download your FREE copy of Splunk now >>  http://get.splunk.com/
| _______________________________________________
| Nfsen-discuss mailing list
| [email protected]
| https://lists.sourceforge.net/lists/listinfo/nfsen-discuss



- --
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag,  Security Engineer,  Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA  FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box,  CH-8021   Zurich, Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iQCVAwUBRsxKd/5AbZRALNr/AQLPkQP/ftS+6VOasNF3t9Q2b4nqMUajSQ54fQ7h
Hnfs7qFmbBHSTnBMWvksqDV9Dua+Q2/dhRjaFj36dGwwD4gHnQwdJY2lwH5yEtHI
GlqSIExpVB+O04sDoGK6YZreWOdoG1IGWjCPj9G4h3yAY8Vu3iUmcVwRLh26FbXI
8vKYn32UeMY=
=lY3t
-----END PGP SIGNATURE-----


-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss

Re: [Nfsen-discuss] Problems with profiles other than live

Reply via email to