Hi there,

I'm facing a strange issue with the nprobe & ntopng architecture.
I'm testing an environment where 2 nprobe systems (using the same nprobe distribution) feed one single ntopng system.

One of the 2 nprobe instances is working fine; I must start it without the -G flag, otherwise it stops generating flows in ZMQ & the local DB after some time. The second one is not working fine: it starts listening and generating flows, but after a while (10 or 15 seconds) it stops generating anything and the statistics (-b 1) tell me it is dropping all traffic. The big difference could be in the host machine (neither is the same as the other) and the throughput: the second one is listening at 80 Mbit/s, while the other one (the working one, I mean) is listening to 7 to 14 Mbit/s of traffic.

Can you help?

/stefano


On 20/12/2013 16:34, Yuri Francalacci wrote:
Check with netstat if port 5556 is in "LISTEN" and if ntopng can connect to this host/port (firewall issue?) (if you are running the apps on different machines).
Yuri
###############################################
Yuri Francalacci - [email protected] <mailto:[email protected]> - http://www.ntop.org <http://www.ntop.org/>
"Simplicity is the ultimate sophistication" - Leonardo da Vinci
###############################################

On Dec 20, 2013, at 10:21 AM, Stefano Bianchi wrote:

Yuri,

please also have a look at the nprobe startup


20/Dec/2013 10:13:55 [plugin.c:161] No plugins found in ./plugins
20/Dec/2013 10:13:55 [plugin.c:168] Loading plugins [.so] from /usr/local/lib/nprobe/plugins
20/Dec/2013 10:13:55 [nprobe.c:3620] Succesfully created zmq endpoint tcp://10.10.10.10:5556
20/Dec/2013 10:13:55 [nprobe.c:3835] Welcome to nprobe v.6.15.131219 ($Revision: 3745 $) for x86_64-unknown-linux-gnu with native PF_RING acceleration
20/Dec/2013 10:13:55 [nprobe.c:3901] WARNING: -n parameter is missing. 127.0.0.1:2055 will be used.
20/Dec/2013 10:13:55 [dbPlugin.c:78] Initializing DB plugin
20/Dec/2013 10:13:55 [dbPlugin.c:136] Attempting to connect to database as [host: localhost][dbname: nprobe][table prefix: l][user: nprobe][pwd: xxxxxx]
20/Dec/2013 10:13:55 [database.c:92] MySQL initialized
20/Dec/2013 10:13:55 [database.c:112] Successfully connected to MySQL [host:dbname:user:passwd]=[localhost@0:nprobe:nprobe:xxxxxx]
20/Dec/2013 10:13:55 [nprobe.c:5710] Welcome to nprobe v.6.15.131219 for x86_64-unknown-linux-gnu
20/Dec/2013 10:13:55 [nprobe.c:4984] Using NetFlow Packet Payload Len: 1472
20/Dec/2013 10:13:55 [plugin.c:872] 0 plugin(s) enabled
20/Dec/2013 10:13:55 [database.c:217] Creating database schema...
20/Dec/2013 10:13:55 [nprobe.c:5359] Each flow is 187 bytes long
20/Dec/2013 10:13:55 [nprobe.c:5360] The # packets per flow has been set to 6
20/Dec/2013 10:13:55 [util.c:310] WARNING: Unable to load AS file /usr/local/nprobe/GeoIPASNum.dat. AS support disabled
20/Dec/2013 10:13:55 [util.c:319] WARNING: Unable to load AS IPv6 file /usr/local/nprobe/GeoIPASNumv6.dat. AS IPv6 support disabled
20/Dec/2013 10:13:55 [nprobe.c:4356] Using packet capture length 1600
20/Dec/2013 10:13:55 [pro/pf_ring.c:325] Using PF_RING in-kernel accelerated packet parsing
20/Dec/2013 10:13:55 [pro/pf_ring.c:329] Dumping traffic statistics on /proc/net/pf_ring/stats/17330-eth2.36
20/Dec/2013 10:13:55 [nprobe.c:5932] Flows ASs will not be computed

Cheers


On 20/12/2013 10:18, Stefano Bianchi wrote:
Yuri,

Thanks for the reply, but I already have the " around the param.
This is my startup script:

NOMESONDA="PROBE1"
PIDFILE="/var/tmp/nprobe.pid"
ZMQ_SOCKET="tcp://*:5556"
SNIF_IFACE="eth2"
DB_HOST="localhost"
DB_SCHEMA="nprobe"
DB_TABPREFIX="l"
DB_USER="nprobe"
DB_PASSWORD="pass"
PROTOS="/tmp/protos.txt"
TEMPLATEFILE="/tmp/capture_template.txt"
FILTERINFILE="$NOMESONDA+captfilter.txt"
FILTERFILE="/tmp/captfilter.txt"
BINPATH="/usr/local/bin"

case "$1" in
start)
 echo "Starting nprobe"
<snip>
   TEMPLATE=$(cat "$TEMPLATEFILE")
   FILTER=$(cat "$FILTERFILE")
   if [ ! -f /tmp/nprobe.norun ]; then

    $BINPATH/nprobe -i $SNIF_IFACE -Q 1 -u 1 -G --lifetime-timeout 600 --idle-timeout 60 --queue-timeout 60 \
        -g "$PIDFILE" --ndpi-proto-ports $PROTOS \
        -T "$TEMPLATE" -f "$FILTER" \
        --zmq "$ZMQ_SOCKET" "--mysql=$DB_HOST:$DB_SCHEMA:$DB_TABPREFIX:$DB_USER:$DB_PASSWORD" > /var/log/nprobe


But even if I bind the zmq socket to the real IP (ZMQ_SOCKET="tcp://10.10.10:5556") nothing changes: zmq_poll times out every second without fetching data (I added a log of the zmq_poll timeout).

Cheers

On 19/12/2013 17:56, Yuri Francalacci wrote:
If you do not use " " around the zmq address, the shell will expand the *.
Try enclosing the zmq address in " ".
Yuri
On 19 Dec 2013, at 16:18, Stefano Bianchi <[email protected] <mailto:[email protected]>> wrote:

Hi,
I have just finished setting up a complete environment where one server is sniffing the traffic with nprobe (latest version) and another one is trying to fetch the traffic from the originating machine.

I see the zmq conversation being set up, but I fail to receive any traffic and the ntopng interface loops on "No packet has been received yet on interface [email protected]:5556".

Start options:
nprobe
/usr/local/bin/nprobe -i eth2 -Q 1 -u 1 -G --lifetime-timeout 600 --idle-timeout 60 --queue-timeout 60 -g /var/tmp/nprobe.pid --ndpi-proto-ports /tmp/protos.txt -T %IN_SRC_MAC %OUT_DST_MAC %IPV4_SRC_ADDR %IPV4_DST_ADDR %IN_PKTS %IN_BYTES %OUT_PKTS %OUT_BYTES %PROTOCOL %L4_SRC_PORT %L4_DST_PORT %FIRST_SWITCHED %LAST_SWITCHED %TCP_FLAGS %SRC_TOS %L7_PROTO %L7_PROTO_NAME %IPV4_SRC_MASK %IPV4_DST_MASK %FLOWS %FRAGMENTS %CLIENT_NW_DELAY_SEC %CLIENT_NW_DELAY_USEC %SERVER_NW_DELAY_SEC %SERVER_NW_DELAY_USEC %APPL_LATENCY_SEC %APPL_LATENCY_USEC %NUM_PKTS_UP_TO_128_BYTES %NUM_PKTS_128_TO_256_BYTES %NUM_PKTS_256_TO_512_BYTES %NUM_PKTS_512_TO_1024_BYTES %NUM_PKTS_1024_TO_1514_BYTES %NUM_PKTS_OVER_1514_BYTES %FLOW_PROTO_PORT %LONGEST_FLOW_PKT %SHORTEST_FLOW_PKT %RETRANSMITTED_IN_PKTS %RETRANSMITTED_OUT_PKTS %OOORDER_IN_PKTS %OOORDER_OUT_PKTS %IPV4_NEXT_HOP --zmq tcp://*:5556 --mysql=localhost:nprobe:l:nprobe:pass

ntopng
./ntopng -i tcp://10.10.10.10:5556

I have confirmation that flows are captured by nprobe, as they are also stored in the local database, and I see the zmq session start up via tcpdump, but no more data is exchanged after the first 5 or 6 packets.
How can I find out why zmq is not working?

Thanks in advance

Stefano
_______________________________________________
Ntop-misc mailing list
[email protected] <mailto:[email protected]>
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
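The two checks Yuri suggests (is port 5556 in LISTEN, and can ntopng actually connect to it) are worth scripting, because the answer depends on the bind address: a ZMQ endpoint bound to 127.0.0.1 is invisible to a remote ntopng, while one bound to `*` listens on every interface, and at the time of this thread the nprobe flow stream on that port carried no authentication, so whatever can reach the port can read the flows. The script below is an added example, not code from the thread or from ntop; the host 10.10.10.10 and port 5556 come from the thread, the function names and the sample socket listing are constructed.

```bash
#!/bin/bash
# Added example (not from the thread or from ntop): check that nprobe's ZMQ
# endpoint is bound on an address ntopng can reach, then test the TCP connect.
# Host 10.10.10.10 / port 5556 are from the thread; function names are assumed.

# zmq_listening_in LISTING PORT [HOST]
# Parses "ss -ltn" or "netstat -ltn" style output (local address in column 4)
# and succeeds if a TCP listener on PORT is bound to a wildcard address or to
# HOST. A socket bound only to 127.0.0.1 cannot be reached by a remote ntopng,
# so it only counts when HOST is 127.0.0.1 itself.
zmq_listening_in() {
    local listing="$1" port="$2" host="${3:-}"
    printf '%s\n' "$listing" | awk -v port="$port" -v host="$host" '
        $4 ~ (":" port "$") {
            addr = $4
            sub(/:[0-9]+$/, "", addr)        # strip the trailing ":port"
            if (addr == "*" || addr == "0.0.0.0" || addr == "::" ||
                addr == "[::]" || addr == host) {
                found = 1
                exit
            }
        }
        END { exit (found ? 0 : 1) }'
}

# zmq_listening PORT [HOST]: the same check against the live socket table
# on the nprobe host (ss first, netstat as fallback on older systems).
zmq_listening() {
    zmq_listening_in "$(ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null)" "$1" "${2:-}"
}

# zmq_reachable HOST PORT: TCP connect test to run from the ntopng host.
# Uses bash's /dev/tcp so no nc/telnet is needed; the timeout turns a
# firewall DROP (which would otherwise hang) into a failure like a RST does.
zmq_reachable() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2 && exec 3>&-" 2>/dev/null
}

# Constructed sample listing (not captured from the thread's hosts), ss layout:
# MySQL bound to loopback only, the nprobe ZMQ endpoint bound to every interface.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    127.0.0.1:3306       0.0.0.0:*
LISTEN 0      100    *:5556               *:*'

if zmq_listening_in "$SAMPLE_SS" 5556 10.10.10.10; then
    echo "5556 is bound on an address ntopng can reach; now run: zmq_reachable 10.10.10.10 5556 from the ntopng host"
fi
```

On the nprobe host run `zmq_listening 5556 10.10.10.10`; on the ntopng host run `zmq_reachable 10.10.10.10 5556`. If the first succeeds and the second fails, the problem is between the hosts (firewall or routing), not in ZMQ. Binding the endpoint to the specific interface address rather than `*`, and filtering port 5556 to the ntopng host only, keeps the unauthenticated flow stream off any other network the probe is attached to.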