Hi,
sorry for the delayed reply, but the holidays took me far from my PC.
I ran some investigation and in my installation I found nprobe doesn't
send any data if it is daemonized.
If I don't use the -G flag (daemonize) nearly everything is working (I
say nearly because there are some strange issues in --ndpi-proto-ports
resolution; it is partially OK for me).
I had recompiled nprobe from scratch and erased the old library to verify
if there was any problem during the first installation, but the problem is
still present.
Any suggestion where I could investigate?
/stefano
On 20/12/2013 16:34, Yuri Francalacci wrote:
Check with netstat if port 5556 is in "LISTEN" and if ntopng can
connect to this host/port (firewall issue?) (if you are running the apps on
different machines).
Yuri
###############################################
Yuri Francalacci - [email protected] - http://www.ntop.org
"Simplicity is the ultimate sophistication" - Leonardo da Vinci
###############################################
On Dec 20, 2013, at 10:21 AM, Stefano Bianchi wrote:
Yuri,
please also have a look at the nprobe startup:
20/Dec/2013 10:13:55 [plugin.c:161] No plugins found in ./plugins
20/Dec/2013 10:13:55 [plugin.c:168] Loading plugins [.so] from /usr/local/lib/nprobe/plugins
20/Dec/2013 10:13:55 [nprobe.c:3620] Succesfully created zmq endpoint tcp://10.10.10.10:5556
20/Dec/2013 10:13:55 [nprobe.c:3835] Welcome to nprobe v.6.15.131219 ($Revision: 3745 $) for x86_64-unknown-linux-gnu with native PF_RING acceleration
20/Dec/2013 10:13:55 [nprobe.c:3901] WARNING: -n parameter is missing. 127.0.0.1:2055 will be used.
20/Dec/2013 10:13:55 [dbPlugin.c:78] Initializing DB plugin
20/Dec/2013 10:13:55 [dbPlugin.c:136] Attempting to connect to database as [host: localhost][dbname: nprobe][table prefix: l][user: nprobe][pwd: xxxxxx]
20/Dec/2013 10:13:55 [database.c:92] MySQL initialized
20/Dec/2013 10:13:55 [database.c:112] Successfully connected to MySQL [host:dbname:user:passwd]=[localhost@0:nprobe:nprobe:xxxxxx]
20/Dec/2013 10:13:55 [nprobe.c:5710] Welcome to nprobe v.6.15.131219 for x86_64-unknown-linux-gnu
20/Dec/2013 10:13:55 [nprobe.c:4984] Using NetFlow Packet Payload Len: 1472
20/Dec/2013 10:13:55 [plugin.c:872] 0 plugin(s) enabled
20/Dec/2013 10:13:55 [database.c:217] Creating database schema...
20/Dec/2013 10:13:55 [nprobe.c:5359] Each flow is 187 bytes long
20/Dec/2013 10:13:55 [nprobe.c:5360] The # packets per flow has been set to 6
20/Dec/2013 10:13:55 [util.c:310] WARNING: Unable to load AS file /usr/local/nprobe/GeoIPASNum.dat. AS support disabled
20/Dec/2013 10:13:55 [util.c:319] WARNING: Unable to load AS IPv6 file /usr/local/nprobe/GeoIPASNumv6.dat. AS IPv6 support disabled
20/Dec/2013 10:13:55 [nprobe.c:4356] Using packet capture length 1600
20/Dec/2013 10:13:55 [pro/pf_ring.c:325] Using PF_RING in-kernel accelerated packet parsing
20/Dec/2013 10:13:55 [pro/pf_ring.c:329] Dumping traffic statistics on /proc/net/pf_ring/stats/17330-eth2.36
20/Dec/2013 10:13:55 [nprobe.c:5932] Flows ASs will not be computed
ciao
On 20/12/2013 10:18, Stefano Bianchi wrote:
Yuri,
thanks for the reply, but I already have the " around the param.
This is my startup script:
NOMESONDA="PROBE1"
PIDFILE="/var/tmp/nprobe.pid"
ZMQ_SOCKET="tcp://*:5556"
SNIF_IFACE="eth2"
DB_HOST="localhost"
DB_SCHEMA="nprobe"
DB_TABPREFIX="l"
DB_USER="nprobe"
DB_PASSWORD="pass"
PROTOS="/tmp/protos.txt"
TEMPLATEFILE="/tmp/capture_template.txt"
FILTERINFILE="$NOMESONDA+captfilter.txt"
FILTERFILE="/tmp/captfilter.txt"
BINPATH="/usr/local/bin"
case "$1" in
start)
echo "Starting nprobe"
<snip>
TEMPLATE=$(cat "$TEMPLATEFILE")
FILTER=$(cat "$FILTERFILE")
if [ ! -f /tmp/nprobe.norun ]; then
$BINPATH/nprobe -i $SNIF_IFACE -Q 1 -u 1 -G --lifetime-timeout 600 \
--idle-timeout 60 --queue-timeout 60 \
-g "$PIDFILE" --ndpi-proto-ports $PROTOS \
-T "$TEMPLATE" -f "$FILTER" \
--zmq "$ZMQ_SOCKET" \
"--mysql=$DB_HOST:$DB_SCHEMA:$DB_TABPREFIX:$DB_USER:$DB_PASSWORD" > /var/log/nprobe
But even if I bind the zmq socket to the real IP
(ZMQ_SOCKET="tcp://10.10.10:5556") nothing changes; the zmq_poll
times out each second without fetching data (I added a log of the
zmq_poll timeout).
ciao
On 19/12/2013 17:56, Yuri Francalacci wrote:
if you do not use " " in zmq address, the shell will expand the *.
Try enclosing the zmq address in " ".
Yuri
On 19/Dec/2013, at 16:18, Stefano Bianchi <[email protected]> wrote:
Hi,
I have just finished setting up a complete environment with a server
that is sniffing the traffic with nprobe (latest version) and another one
that is trying to fetch the traffic from the originating machine.
I see the zmq conversation set up but I fail to receive any traffic,
and the ntopng interface loops on "No packet has been received yet on
interface [email protected]:5556".
Start options:
nprobe
/usr/local/bin/nprobe -i eth2 -Q 1 -u 1 -G --lifetime-timeout 600
--idle-timeout 60 --queue-timeout 60 -g /var/tmp/nprobe.pid
--ndpi-proto-ports /tmp/protos.txt -T %IN_SRC_MAC %OUT_DST_MAC
%IPV4_SRC_ADDR %IPV4_DST_ADDR %IN_PKTS %IN_BYTES %OUT_PKTS
%OUT_BYTES %PROTOCOL %L4_SRC_PORT %L4_DST_PORT %FIRST_SWITCHED
%LAST_SWITCHED %TCP_FLAGS %SRC_TOS %L7_PROTO %L7_PROTO_NAME
%IPV4_SRC_MASK %IPV4_DST_MASK %FLOWS %FRAGMENTS
%CLIENT_NW_DELAY_SEC %CLIENT_NW_DELAY_USEC %SERVER_NW_DELAY_SEC
%SERVER_NW_DELAY_USEC %APPL_LATENCY_SEC %APPL_LATENCY_USEC
%NUM_PKTS_UP_TO_128_BYTES %NUM_PKTS_128_TO_256_BYTES
%NUM_PKTS_256_TO_512_BYTES %NUM_PKTS_512_TO_1024_BYTES
%NUM_PKTS_1024_TO_1514_BYTES %NUM_PKTS_OVER_1514_BYTES
%FLOW_PROTO_PORT %LONGEST_FLOW_PKT %SHORTEST_FLOW_PKT
%RETRANSMITTED_IN_PKTS %RETRANSMITTED_OUT_PKTS %OOORDER_IN_PKTS
%OOORDER_OUT_PKTS %IPV4_NEXT_HOP --zmq tcp://*:5556
--mysql=localhost:nprobe:l:nprobe:pass
ntopng
./ntopng -i tcp://10.10.10.10:5556
I have confirmation that flows are captured by nprobe, as they are
also stored in the local database, and I see the zmq session
startup via tcpdump, but no more data is exchanged after the
first 5 or 6 packets.
How can I find out why zmq is not working?
Thanks in advance
Stefano
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
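
The quoting advice given in this thread for the `--zmq tcp://*:5556` argument, as an added example that is not part of the original messages: it counts how many arguments the endpoint becomes when passed unquoted versus quoted. The temporary directory layout and the file names `a:5556` and `b:5556` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: what the shell hands to a program for an unquoted vs. quoted
# ZMQ endpoint. Everything lives in a throwaway temp directory (constructed).

ZMQ_SOCKET='tcp://*:5556'

# Number of arguments the UNQUOTED endpoint turns into when the current
# directory is $1 (word splitting + pathname expansion are applied).
unquoted_argc() {
    ( cd "$1" || exit 1
      # shellcheck disable=SC2086  # unquoted on purpose
      set -- $ZMQ_SOCKET
      echo "$#" )
}

# Number of arguments the QUOTED endpoint turns into (always one).
quoted_argc() {
    ( cd "$1" || exit 1
      set -- "$ZMQ_SOCKET"
      echo "$#" )
}

# The exact string a program receives when the endpoint is quoted.
quoted_value() {
    ( cd "$1" || exit 1
      set -- "$ZMQ_SOCKET"
      printf '%s\n' "$1" )
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Case 1: a directory where nothing matches the pattern.
mkdir "$WORK/empty"
# Case 2: a directory that happens to contain paths matching tcp://*:5556.
mkdir -p "$WORK/match/tcp:"
: > "$WORK/match/tcp:/a:5556"
: > "$WORK/match/tcp:/b:5556"

echo "no match,  unquoted: $(unquoted_argc "$WORK/empty") argument(s)"
echo "two match, unquoted: $(unquoted_argc "$WORK/match") argument(s)"
echo "two match, quoted:   $(quoted_argc "$WORK/match") argument(s): $(quoted_value "$WORK/match")"
```

With default shell options an unmatched pattern is passed through literally, so the unquoted form only misbehaves when the working directory contains a matching path; quoting removes that dependency.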