Good day,
I have been using nfsen/nfdump now and then for some years, but I don't
claim to be an expert.
As a platform for detecting trouble early (we could call that VEDA,
yes? Very Early DDoS Alert :) it is as good as things can conceivably be, in my
opinion. It is also a very convenient way to peek on network traffic. I'd say
that it fulfills those design goals quite nicely.
In my latest implementation, I am struggling with two things: make it
work with a directory layout as FHS as possible, and script some early response
when trouble comes down the pipes.
As for the first question, I have 'apt-get nfdump' and that works, but
have been unable to make nfsen work. It does start nfcapd among some complaints
about Perl (which is at version 5.18.2, which I understand should work) and I
can nfdump stuff out of the nfcapd files, but the web page says, "Frontend -
Backend version missmatch!" and "No data available!". I have been searching
this list in particular and the web in general, and applied the session patch,
but nothing helped.
I noticed there was at one point a mentoring request on Debian to pack
nfsen up, but it was withdrawn. Lack of interest? I'd love to be able to
apt-get install nfsen and have things just work, and I'm willing to put down
some resources towards that.
Regarding the second question, I notice that there is currently no way
to have nfsen start nfcapd with custom args. I want to start nfcapd with -x
/usr/local/bin/somescript %d/%f so that I can run a custom nfdump analysis as
soon as a five-minute period is done, but for that the only solution is to
either edit NfSenRC.pm (and therefore when updating one needs to remember
patching it up again), or use something like incron. So I'd like to make that a
feature request, to provide support for a -x parameter or custom additional
parameters in nfsen.conf.
Thanks for any pointers, answers, ideas and cluebaits.
System information:
--------------------------------8<--------------------------------
$ dpkg -l librrds-perl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==========================-==================-==================-=========================================================
ii librrds-perl 1.4.7-2.1 amd64
time-series data storage and display system (Perl interfa
--------------------------------8<--------------------------------
$ nfdump -V
nfdump: Version: 1.6.8p1 $Date: 2012-11-10 12:40:54 +0100 (Sat, 10 Nov 2012) $
--------------------------------8<--------------------------------
root@monitor1:~# nfsen -V
Subroutine Lookup::pack_sockaddr_in6 redefined at
/usr/share/perl/5.18/Exporter.pm line 66.
at /usr/local/bin/libexec/Lookup.pm line 43.
Subroutine Lookup::unpack_sockaddr_in6 redefined at
/usr/share/perl/5.18/Exporter.pm line 66.
at /usr/local/bin/libexec/Lookup.pm line 43.
Subroutine Lookup::sockaddr_in6 redefined at /usr/share/perl/5.18/Exporter.pm
line 66.
at /usr/local/bin/libexec/Lookup.pm line 43.
Subroutine AbuseWhois::pack_sockaddr_in6 redefined at
/usr/share/perl/5.18/Exporter.pm line 66.
at /usr/local/bin/libexec/AbuseWhois.pm line 42.
Subroutine AbuseWhois::unpack_sockaddr_in6 redefined at
/usr/share/perl/5.18/Exporter.pm line 66.
at /usr/local/bin/libexec/AbuseWhois.pm line 42.
Subroutine AbuseWhois::sockaddr_in6 redefined at
/usr/share/perl/5.18/Exporter.pm line 66.
at /usr/local/bin/libexec/AbuseWhois.pm line 42.
Subroutine AbuseWhois::pack_sockaddr_in6 redefined at
/usr/local/bin/libexec/AbuseWhois.pm line 44.
Subroutine AbuseWhois::unpack_sockaddr_in6 redefined at
/usr/local/bin/libexec/AbuseWhois.pm line 44.
Subroutine AbuseWhois::sockaddr_in6 redefined at
/usr/local/bin/libexec/AbuseWhois.pm line 44.
/usr/local/bin/nfsen: 1.3.6p1 $Id: nfsen 53 2012-01-23 16:36:02Z peter $
--------------------------------8<--------------------------------
$ egrep -v '(^#|^$)' /etc/nfsen/nfsen.conf
$BASEDIR = "/var/cache/nfdump";
$BINDIR="/usr/local/bin";
$LIBEXECDIR="${BINDIR}/libexec";
$CONFDIR="/etc/nfsen";
$HTMLDIR = "/srv/mynicenfsenweb";
$DOCDIR="${HTMLDIR}/doc";
$VARDIR="${BASEDIR}/var";
$PIDDIR="/run/nfsen";
$PROFILESTATDIR="${BASEDIR}/profiles-stat";
$PROFILEDATADIR="${BASEDIR}/profiles-data";
$BACKEND_PLUGINDIR="${BASEDIR}/plugins";
$FRONTEND_PLUGINDIR="${HTMLDIR}/plugins";
$PREFIX = '/usr/bin';
$USER = "www-data";
$WWWUSER = "www-data";
$WWWGROUP = "www-data";
$BUFFLEN = 200000;
$SUBDIRLAYOUT = 1;
$ZIPcollected = 1;
$ZIPprofiles = 1;
$PROFILERS = 2;
$DISKLIMIT = 95;
$PROFILERS = 6;
%sources = (
'r1' => { 'port' => '9996', 'IP' => '10.2.3.2', 'col' => '#0000FF' },
);
$low_water = 90;
$syslog_facility = 'local3';
@plugins = (
# profile # module
# [ '*', 'demoplugin' ],
);
%PluginConf = (
# For plugin demoplugin
demoplugin => {
# scalar
param2 => 42,
# hash
param1 => { 'key' => 'value' },
},
# for plugin otherplugin
otherplugin => [
# array
'mary had a little lamb'
],
);
$MAIL_FROM = '[email protected]';
$SMTP_SERVER = 'localhost';
$MAIL_BODY = q{
Alerta: '@alert@' en @timeslot@
};
1;
--------------------------------8<--------------------------------
Some syslog:
Mar 24 16:20:00 monitor1 nfcapd[1840]: Ident: 'r1' Flows: 168458, Packets:
9271494, Bytes: 1978520360, Sequence Errors: 3, Bad Packets: 0
Mar 24 16:20:00 monitor1 nfcapd[1840]: Total ignored packets: 0
Mar 24 16:20:15 monitor1 nfsen[1935]: connection on UNIX socket
Mar 24 16:20:15 monitor1 nfsen[1935]: comm server started: 10206
Mar 24 16:20:15 monitor1 nfsen[10206]: Cmd Decode: signal
Mar 24 16:20:15 monitor1 nfsen[10206]: Cmd Decode: quit
Mar 24 16:20:15 monitor1 nfsen[1934]: Signal 'start-periodic'
Mar 24 16:20:15 monitor1 nfsen[1934]: Run periodic at Mon Mar 24 16:20:00 2014
Mar 24 16:20:15 monitor1 nfsen[1934]: Prepare profiling './live'
Mar 24 16:20:15 monitor1 nfsen[1934]: 1 channels/alerts to profile
Mar 24 16:20:15 monitor1 nfsen[1934]: Limit profilers: 1
Mar 24 16:20:15 monitor1 nfsen[10207]: profile opts: .#~pps#8#pps#r1 for
profiler 0
Mar 24 16:20:15 monitor1 nfsen[10207]: profiler 0 started
Mar 24 16:20:15 monitor1 nfsen[1935]: comm child[10206] terminated with no exit
value
Mar 24 16:20:15 monitor1 nfprofile[10208]: Process line '.#~pps#8#pps#r1#012'
Mar 24 16:20:15 monitor1 nfprofile[10208]: Setup channel 'pps' in profile
'~pps' group '.', channellist 'r1'
Mar 24 16:20:15 monitor1 nfsen[10207]: profiler 0 finished
Mar 24 16:20:15 monitor1 nfsen[1934]: Update profile live in group .
Mar 24 16:20:15 monitor1 nfsen[1934]: Add channel size 930033664
Mar 24 16:20:15 monitor1 nfsen[1934]: Set new profile size: 930033664
Mar 24 16:20:15 monitor1 nfsen[1934]: Add .:live:201403241615 for plugin
processing
Mar 24 16:20:15 monitor1 nfsen[1934]: Unable to create graph: No such file or
directory
Mar 24 16:20:15 monitor1 nfsen[1934]: Error GenGraph: Profile: live,
traffic-day: Legend set but no color: r1 at /usr/local/bin/libexec/NfSenRRD.pm
line 337.
Mar 24 16:20:15 monitor1 nfsen[1934]: Unable to create graph: No such file or
directory
Mar 24 16:20:15 monitor1 nfsen[1934]: Error GenGraph: Profile: live,
traffic-day: Legend set but no color: r1 at /usr/local/bin/libexec/NfSenRRD.pm
line 346.
Mar 24 16:20:15 monitor1 nfsen[1934]: Unable to create graph: No such file or
directory
Mar 24 16:20:15 monitor1 nfsen[1934]: Error GenGraph: Profile: live,
traffic-day: Legend set but no color: r1 at /usr/local/bin/libexec/NfSenRRD.pm
line 356.
Mar 24 16:20:15 monitor1 nfsen[1934]: Unable to create graph: No such file or
directory
Mar 24 16:20:15 monitor1 nfsen[1934]: Error GenGraph: Profile: live,
traffic-day: Legend set but no color: r1 at /usr/local/bin/libexec/NfSenRRD.pm
line 366.
Mar 24 16:20:15 monitor1 nfsen[1934]: Unable to create graph: No such file or
directory
Mar 24 16:20:15 monitor1 nfsen[1934]: Error GenGraph: Profile: live,
packets-day: Legend set but no color: r1 at /usr/local/bin/libexec/NfSenRRD.pm
line 337.
Mar 24 16:20:15 monitor1 nfsen[1934]: Unable to create graph: No such file or
directory
Mar 24 16:20:15 monitor1 nfsen[1934]: Error GenGraph: Profile: live,
packets-day: Legend set but no color: r1 at /usr/local/bin/libexec/NfSenRRD.pm
line 346.
Mar 24 16:20:15 monitor1 nfsen[1934]: Unable to create graph: No such file or
directory
Mar 24 16:20:15 monitor1 nfsen[1934]: Error GenGraph: Profile: live,
packets-day: Legend set but no color: r1 at /usr/local/bin/libexec/NfSenRRD.pm
line 356.
Mar 24 16:20:15 monitor1 nfsen[1934]: Unable to create graph: No such file or
directory
Mar 24 16:20:15 monitor1 nfsen[1934]: Error GenGraph: Profile: live,
packets-day: Legend set but no color: r1 at /usr/local/bin/libexec/NfSenRRD.pm
line 366.
Mar 24 16:20:15 monitor1 nfsen[1934]: Unable to create graph: No such file or
directory
Mar 24 16:20:15 monitor1 nfsen[1934]: Error GenGraph: Profile: live, flows-day:
Legend set but no color: r1 at /usr/local/bin/libexec/NfSenRRD.pm line 337.
Mar 24 16:20:15 monitor1 nfsen[1934]: Unable to create graph: No such file or
directory
Mar 24 16:20:15 monitor1 nfsen[1934]: Error GenGraph: Profile: live, flows-day:
Legend set but no color: r1 at /usr/local/bin/libexec/NfSenRRD.pm line 346.
Mar 24 16:20:15 monitor1 nfsen[1934]: Unable to create graph: No such file or
directory
Mar 24 16:20:15 monitor1 nfsen[1934]: Error GenGraph: Profile: live, flows-day:
Legend set but no color: r1 at /usr/local/bin/libexec/NfSenRRD.pm line 356.
Mar 24 16:20:15 monitor1 nfsen[1934]: Unable to create graph: No such file or
directory
Mar 24 16:20:15 monitor1 nfsen[1934]: Error GenGraph: Profile: live, flows-day:
Legend set but no color: r1 at /usr/local/bin/libexec/NfSenRRD.pm line 366.
Mar 24 16:20:15 monitor1 nfsen[1934]: Error graph update: Error GenGraph:
Profile: live, flows-day: Legend set but no color: r1
Mar 24 16:20:15 monitor1 nfsen[1934]: Run plugins for 201403241615
Mar 24 16:20:15 monitor1 nfsen[1935]: connection on UNIX socket
Mar 24 16:20:15 monitor1 nfsen[1935]: comm server started: 10210
Mar 24 16:20:15 monitor1 nfsen[10210]: Cmd Decode: run-plugins
Mar 24 16:20:15 monitor1 nfsen[10210]: Plugin Cycle: ., live, 201403241615
Mar 24 16:20:15 monitor1 nfsen[10210]: Cmd Decode: quit
Mar 24 16:20:15 monitor1 nfsen[1934]: Run plugins done.
Mar 24 16:20:15 monitor1 nfsen[1934]: Check alerts for Mon Mar 24 16:15:00 2014
Mar 24 16:20:15 monitor1 nfsen[1934]: Process alert 'pps'
Mar 24 16:20:15 monitor1 nfsen[1934]: alert 'pps': conditions based on total
flow summary
Mar 24 16:20:15 monitor1 nfsen[1934]: condition 0: evaluated to False
Mar 24 16:20:15 monitor1 nfsen[1934]: Resulted condition: False
Mar 24 16:20:15 monitor1 nfsen[1934]: Alert 'pps' condition == false
Mar 24 16:20:15 monitor1 nfsen[1934]: Alert 'pps' Status: 1.
Mar 24 16:20:15 monitor1 nfsen[1934]: Alert 'pps' Blocks: 0.
Mar 24 16:20:15 monitor1 nfsen[1934]: Alert 'pps' Info : .
Mar 24 16:20:15 monitor1 nfsen[1934]: Alert 'pps' done.
Mar 24 16:20:15 monitor1 nfsen[1934]: Check alerts done.
Mar 24 16:20:15 monitor1 nfsen[1934]: Run expire at Mon Mar 24 16:20:00 2014
Mar 24 16:20:15 monitor1 nfsen[1934]: Expire profile live group . low water
mark: 90%%
Mar 24 16:20:15 monitor1 nfsen[1935]: comm child[10210] terminated with no exit
value
Mar 24 16:20:15 monitor1 nfsen[1934]: nfexpire: Include nfcapd bookeeping
record in /var/cache/nfdump/profiles-data/./live/r1
Mar 24 16:20:15 monitor1 nfsen[1934]: nfexpire: Expired files: 0
Mar 24 16:20:15 monitor1 nfsen[1934]: nfexpire: Expired file size: 0 B
Mar 24 16:20:15 monitor1 nfsen[1934]: nfexpire: Expired time range: 0 sec
Mar 24 16:20:15 monitor1 nfsen[1934]: nfexpire:
Mar 24 16:20:15 monitor1 nfsen[1934]: End expire at Mon Mar 24 16:20:00 2014
Mar 24 16:20:15 monitor1 nfsen[1935]: connection on UNIX socket
Mar 24 16:20:15 monitor1 nfsen[1935]: comm server started: 10214
Mar 24 16:20:15 monitor1 nfsen[10214]: Cmd Decode: signal
Mar 24 16:20:15 monitor1 nfsen[10214]: Cmd Decode: quit
Mar 24 16:20:15 monitor1 nfsen[1934]: Signal 'end-periodic'
Mar 24 16:20:15 monitor1 nfsen[10214]: Cleanup Routine
Mar 24 16:20:15 monitor1 nfsen[1935]: comm child[10214] terminated with no exit
value
Mar 24 16:22:31 monitor1 nfsen[1935]: connection on UNIX socket
Mar 24 16:22:31 monitor1 nfsen[1935]: comm server started: 10265
Mar 24 16:22:31 monitor1 nfsen[10265]: Cmd Decode: get-globals
Mar 24 16:22:31 monitor1 nfsen[10265]: Cmd Decode: get-du
Mar 24 16:22:31 monitor1 nfsen[10265]: comm child[10266] terminated with no
exit value
Mar 24 16:22:31 monitor1 nfsen[10265]: Cmd Decode: get-profile
Mar 24 16:22:31 monitor1 nfsen[10265]: Cmd Decode: quit
Mar 24 16:22:31 monitor1 nfsen[1935]: comm child[10265] terminated with no exit
value
--
Alfredo Sola
http://www.tecnocratica.net/
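As an added example (not code from the post, nor from the nfsen or nfdump projects), this is the kind of script the "-x /usr/local/bin/somescript %d/%f" hook described above could run on each completed five-minute file: it reads the file's statistics with "nfdump -I" and logs a warning when the packet rate over the slot passes a limit. Assumptions of my own: the "Key: value" lines (Packets, First, Last) in the shape "nfdump -I" prints them, the PPS_LIMIT default, and the syslog tag; the embedded sample is constructed (the Flows/Packets/Bytes figures are the ones from the syslog line above, the epoch timestamps are made up to span 300 seconds).

```shell
#!/bin/sh
# Added example hook for: nfcapd -x '/usr/local/bin/somescript %d/%f'
# nfcapd calls it with the path of the file it has just closed ($1).
# Not nfsen/nfdump code; the -I line layout and the limit are assumptions.

PPS_LIMIT="${PPS_LIMIT:-20000}"   # packets per second; assumed default, tune per link

# stats_field STATS KEY -> value of the "KEY: value" line in the -I output
stats_field() {
    printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2; exit }'
}

# rate_per_second PACKETS FIRST LAST -> integer packets/s over the slot
rate_per_second() {
    secs=$(( $3 - $2 + 1 ))
    [ "$secs" -gt 0 ] || secs=1          # guard against a bad time window
    echo $(( $1 / secs ))
}

# over_threshold RATE LIMIT -> exit status 0 when the rate exceeds the limit
over_threshold() {
    [ "$1" -gt "$2" ]
}

# evaluate STATS LIMIT -> "ALERT <pps>" or "OK <pps>"
evaluate() {
    packets=$(stats_field "$1" Packets)
    first=$(stats_field "$1" First)
    last=$(stats_field "$1" Last)
    pps=$(rate_per_second "$packets" "$first" "$last")
    if over_threshold "$pps" "$2"; then
        echo "ALERT $pps"
    else
        echo "OK $pps"
    fi
}

# Constructed sample in the shape of "nfdump -I" output (assumed layout);
# counters taken from the syslog "Ident: 'r1'" line, timestamps made up.
SAMPLE_STATS='Ident: r1
Flows: 168458
Packets: 9271494
Bytes: 1978520360
First: 1395674100
Last: 1395674399
Sequence failures: 3'

# Real hook path: only runs when nfcapd hands us a file name.
if [ -n "${1:-}" ]; then
    stats=$(nfdump -r "$1" -I) || exit 1
    result=$(evaluate "$stats" "$PPS_LIMIT")
    case "$result" in
        ALERT*) logger -t veda -p local3.warning \
                    "$1: ${result#ALERT } pps exceeds limit $PPS_LIMIT" ;;
    esac
fi
```

Because nfcapd invokes the hook for every closed file, the script only reads the file's own statistics block rather than the flow records themselves, so it costs little even on a busy collector; a heavier nfdump filter run can be added in the ALERT branch once the cheap check fires.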
_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss