*** 0/ Short story
======================================================
ntop2.2c on w2k having (at least) two exact same NICs (same model, same
manufacturer, ..., but different MAC and IP) crashes after approx. less than 1
minute. Time varies depending to traffic.
Bug is reproductible and have been reproduced on different boxes by the writter
of this mail.
Read long story below (test cases to reproduce the bug + very possible cause)...
*** 1/ Version info
======================================================
We use the ntop 2.2.c for Win32 "ready to install package", bought last year on
ntop.org : ntop.exe v.2.1.92 MT [WinNT/2K/XP] (2003-04-10 build).
2/ Tech context
We have installed ntop on a w2k box, having 3 nics :
[index=0] D-Link DFE-530TX PCI Fast Ethernet Adapter
(\Device\NPF_{4CB9FAD0-0623-4920-95A1-8ACCFDE503CF})
[index=1] D-Link DFE-530TX PCI Fast Ethernet Adapter
(\Device\NPF_{8F7A9FC7-07F0-45C3-92C7-55E9C98191C5})
[index=2] Intel 8255x-based Integrated Fast Ethernet
(\Device\NPF_{47E0303B-F7B7-41F4-B5E5-70AA8E83E4A4})
*** 3/ Reproducing bug
======================================================
3.1/ Test case #1 - CRASH
- delete files and subdirs in C:\Program Files\ntop-Win32
\rrd\{interfaces,graphics,flows} - ACL = full control for current user which is
administrator
- run "ntop.exe /c -t 5 -M -n -i 0,1,2" from the command line, let it run a
while, without doing anything (not using the web interface for example) ;
- after less than 30 seconds, you get this :
16/Feb/2004 21:15:06 [MSGID00706-rrdplugin] **WARNING** RRD:
rrd_update(C:\Program Files\ntop-Win32\rrd\interfaces\D-Link DFE-530TX
PCI Fast EthernetAdapter\knownHostsNum.rrd) error: illegal attempt to
update using time 1076966092 when last update time is 1076966092
(minimum one second step)
16/Feb/2004 21:15:06 [MSGID00707-rrdplugin] RRD: call stack (counter
created: 0):
16/Feb/2004 21:15:06 [MSGID00709-rrdplugin] RRD: argv[0]: rrd_update
16/Feb/2004 21:15:06 [MSGID00709-rrdplugin] RRD: argv[1]: C:\Program
Files\ntop-Win32\rrd\interfaces\D-Link DFE-530TX PCI Fast Ethernet
Adapter\knownHostsNum.rrd
16/Feb/2004 21:15:06 [MSGID00709-rrdplugin] RRD: argv[2]: 1076966092:u
- you also get a dbgheap.c/line 1011 message box debug assertion failed,
expression _CrtIsValidHeapPointer(pUserData)
3.2/ Test case #2 - CRASH
- same as #1 but ntop is running as a windows service
- same results.
3.3/ Test case #3 - CRASH
- same as #1 but try different options (no -M, no -t, ...)
- same results.
3.4/ Test case #4 - CRASH
- same as #1
- look at the web interface : you get only ONE D-Link NIC
- and shortly, ntop crashes.
3.5/ Test case #5 - NO CRASH
- same as #1 but omit one of the two first NICs (both are D-Link, exact same
model)
- it runs smoothly ...
4/ My analysis
======================================================
First approach : Obviously, ntop seems to crash when sniffing (at least ?) tws
NICs from the exact same model.
Looking at the code in initialize.c/initDevices(), from line #1079 (/* Sanitize
the interface name */), ntop does some sanitizing on the NIC
name.
Windows describes our 2 D-Link NICs as (from a Windows point of view, this is
not the name, but the device name, wich is used by Ntop)
"D-Link DFE-530TX PCI Fast Ethernet Adapter (Rev A) #2
and "D-Link DFE-530TX PCI Fast Ethernet Adapter (Rev A)"
When going to initDevices():1079, those two device names end up to the same
string : "D-Link DFE-530TX PCI Fast Ethernet Adapter".
This seems to be the root cause of the problem because there is only one subdir
named "D-Link DFE-530TX PCI Fast Ethernet Adapter" in "...\ntop-Win32
\rrd\interfaces", even when trying to sniff all the NICs. So rrdPlugin.c ends
up trying to update the same files for two different NICs (our D-Link) : when
there is traffic on both of them in the same 1 second intervall, someting goes
wrong...
5/ Help needed
======================================================
I don't know enough on ntop + pcap internals to patch this bug by myself
without taking the risk to break something deep inside the code.
And - most important - we do not want to use a "home made" version of ntop : we
wish to stay in sync with the official releases (this is why we paid for ntop
to support its development / developers - proof of buying can be given if
necessary).
So, from there, any help would be greatly appreciated. We are ready to test an
interim patched release on our box if this can help.
Thank you for reading 'till here :-)
Erik PROST - ORPHEUS
_______________________________________________
Ntop-dev mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop-dev
