Stefano,

please provide some logs of the instance that is dropping traffic.

Luca

On 14 Jan 2014, at 16:14, Stefano Bianchi <[email protected]> wrote:

> Hi there,
>
> I'm facing a strange issue with the nprobe & ntopng architecture.
> I'm testing an environment where 2 nprobe systems (using the same nprobe
> distribution) feed one single ntopng system.
>
> One of the 2 nprobe is working fine; I must start it without the -G flag,
> otherwise it stops generating flows in zmq & local db after some time.
> The second one is not working fine: it starts to listen and generate flows,
> but after a while (10 or 15 seconds) it stops generating anything and the
> statistics (-b 1) tell me it is dropping all traffic.
> The big difference could be in the host machine (neither one is the same
> as the other) and the throughput: the second one is listening at 80Mbit/s,
> the other one (the working one, I mean) is listening to 7 to 14 Mbit/s of traffic.
>
> Can you help?
>
> /stefano
>
>
> On 20/12/2013 16:34, Yuri Francalacci wrote:
>> Check with netstat if port 5556 is in "LISTEN" and if ntopng can connect to
>> this host/port (firewall issue?) (if you are running apps on different
>> machines).
>> Yuri
>> ###############################################
>> Yuri Francalacci - [email protected] - http://www.ntop.org
>> "Simplicity is the ultimate sophistication" - Leonardo da Vinci
>> ###############################################
>>
>> On Dec 20, 2013, at 10:21 AM, Stefano Bianchi wrote:
>>
>>> Yuri,
>>>
>>> please also have a look at the nprobe startup:
>>>
>>> 20/Dec/2013 10:13:55 [plugin.c:161] No plugins found in ./plugins
>>> 20/Dec/2013 10:13:55 [plugin.c:168] Loading plugins [.so] from /usr/local/lib/nprobe/plugins
>>> 20/Dec/2013 10:13:55 [nprobe.c:3620] Succesfully created zmq endpoint tcp://10.10.10.10:5556
>>> 20/Dec/2013 10:13:55 [nprobe.c:3835] Welcome to nprobe v.6.15.131219 ($Revision: 3745 $) for x86_64-unknown-linux-gnu with native PF_RING acceleration
>>> 20/Dec/2013 10:13:55 [nprobe.c:3901] WARNING: -n parameter is missing. 127.0.0.1:2055 will be used.
>>> 20/Dec/2013 10:13:55 [dbPlugin.c:78] Initializing DB plugin
>>> 20/Dec/2013 10:13:55 [dbPlugin.c:136] Attempting to connect to database as [host: localhost][dbname: nprobe][table prefix: l][user: nprobe][pwd: xxxxxx]
>>> 20/Dec/2013 10:13:55 [database.c:92] MySQL initialized
>>> 20/Dec/2013 10:13:55 [database.c:112] Successfully connected to MySQL [host:dbname:user:passwd]=[localhost@0:nprobe:nprobe:xxxxxx]
>>> 20/Dec/2013 10:13:55 [nprobe.c:5710] Welcome to nprobe v.6.15.131219 for x86_64-unknown-linux-gnu
>>> 20/Dec/2013 10:13:55 [nprobe.c:4984] Using NetFlow Packet Payload Len: 1472
>>> 20/Dec/2013 10:13:55 [plugin.c:872] 0 plugin(s) enabled
>>> 20/Dec/2013 10:13:55 [database.c:217] Creating database schema...
>>> 20/Dec/2013 10:13:55 [nprobe.c:5359] Each flow is 187 bytes long
>>> 20/Dec/2013 10:13:55 [nprobe.c:5360] The # packets per flow has been set to 6
>>> 20/Dec/2013 10:13:55 [util.c:310] WARNING: Unable to load AS file /usr/local/nprobe/GeoIPASNum.dat. AS support disabled
>>> 20/Dec/2013 10:13:55 [util.c:319] WARNING: Unable to load AS IPv6 file /usr/local/nprobe/GeoIPASNumv6.dat. AS IPv6 support disabled
>>> 20/Dec/2013 10:13:55 [nprobe.c:4356] Using packet capture length 1600
>>> 20/Dec/2013 10:13:55 [pro/pf_ring.c:325] Using PF_RING in-kernel accelerated packet parsing
>>> 20/Dec/2013 10:13:55 [pro/pf_ring.c:329] Dumping traffic statistics on /proc/net/pf_ring/stats/17330-eth2.36
>>> 20/Dec/2013 10:13:55 [nprobe.c:5932] Flows ASs will not be computed
>>>
>>> ciao
>>>
>>>
>>> On 20/12/2013 10:18, Stefano Bianchi wrote:
>>>> Yuri,
>>>>
>>>> thanks for the reply, but I already have the " around the param.
>>>> This is my startup script:
>>>>
>>>> NOMESONDA="PROBE1"
>>>> PIDFILE="/var/tmp/nprobe.pid"
>>>> ZMQ_SOCKET="tcp://*:5556"
>>>> SNIF_IFACE="eth2"
>>>> DB_HOST="localhost"
>>>> DB_SCHEMA="nprobe"
>>>> DB_TABPREFIX="l"
>>>> DB_USER="nprobe"
>>>> DB_PASSWORD="pass"
>>>> PROTOS="/tmp/protos.txt"
>>>> TEMPLATEFILE="/tmp/capture_template.txt"
>>>> FILTERINFILE="$NOMESONDA+captfilter.txt"
>>>> FILTERFILE="/tmp/captfilter.txt"
>>>> BINPATH="/usr/local/bin"
>>>>
>>>> case "$1" in
>>>> start)
>>>> echo "Starting nprobe"
>>>> <snip>
>>>> TEMPLATE=$(cat "$TEMPLATEFILE")
>>>> FILTER=$(cat "$FILTERFILE")
>>>> if [ ! -f /tmp/nprobe.norun ]; then
>>>>
>>>> $BINPATH/nprobe -i $SNIF_IFACE -Q 1 -u 1 -G --lifetime-timeout 600 --idle-timeout 60 --queue-timeout 60 \
>>>> -g "$PIDFILE" --ndpi-proto-ports $PROTOS \
>>>> -T "$TEMPLATE" -f "$FILTER" \
>>>> --zmq "$ZMQ_SOCKET" "--mysql=$DB_HOST:$DB_SCHEMA:$DB_TABPREFIX:$DB_USER:$DB_PASSWORD" > /var/log/nprobe
>>>>
>>>>
>>>> But even if I bind the zmq socket to the real IP
>>>> (ZMQ_SOCKET="tcp://10.10.10:5556") nothing changes: the zmq_poll times out
>>>> each second without fetching data (I added a log of the zmq_poll timeout).
>>>>
>>>> ciao
>>>>
>>>> On 19/12/2013 17:56, Yuri Francalacci wrote:
>>>>> If you do not use " " in the zmq address, the shell will expand the *.
>>>>> Try enclosing the zmq address in " ".
>>>>> Yuri
>>>>> On 19/Dec/2013, at 16:18, Stefano Bianchi <[email protected]> wrote:
>>>>>
>>>>>> Hi,
>>>>>> I have just finished setting up a complete environment with a server that
>>>>>> is sniffing the traffic with nprobe (last version) and another one that is
>>>>>> trying to fetch the traffic from the originating machine.
>>>>>>
>>>>>> I see the zmq conversation set up but I fail to receive any traffic, and
>>>>>> the ntopng interface loops on "No packet has been received yet on interface
>>>>>> [email protected]:5556".
>>>>>>
>>>>>> Start options:
>>>>>> nprobe
>>>>>> /usr/local/bin/nprobe -i eth2 -Q 1 -u 1 -G --lifetime-timeout 600
>>>>>> --idle-timeout 60 --queue-timeout 60 -g /var/tmp/nprobe.pid
>>>>>> --ndpi-proto-ports /tmp/protos.txt -T %IN_SRC_MAC %OUT_DST_MAC
>>>>>> %IPV4_SRC_ADDR %IPV4_DST_ADDR %IN_PKTS %IN_BYTES %OUT_PKTS %OUT_BYTES
>>>>>> %PROTOCOL %L4_SRC_PORT %L4_DST_PORT %FIRST_SWITCHED %LAST_SWITCHED
>>>>>> %TCP_FLAGS %SRC_TOS %L7_PROTO %L7_PROTO_NAME %IPV4_SRC_MASK
>>>>>> %IPV4_DST_MASK %FLOWS %FRAGMENTS %CLIENT_NW_DELAY_SEC
>>>>>> %CLIENT_NW_DELAY_USEC %SERVER_NW_DELAY_SEC %SERVER_NW_DELAY_USEC
>>>>>> %APPL_LATENCY_SEC %APPL_LATENCY_USEC %NUM_PKTS_UP_TO_128_BYTES
>>>>>> %NUM_PKTS_128_TO_256_BYTES %NUM_PKTS_256_TO_512_BYTES
>>>>>> %NUM_PKTS_512_TO_1024_BYTES %NUM_PKTS_1024_TO_1514_BYTES
>>>>>> %NUM_PKTS_OVER_1514_BYTES %FLOW_PROTO_PORT %LONGEST_FLOW_PKT
>>>>>> %SHORTEST_FLOW_PKT %RETRANSMITTED_IN_PKTS %RETRANSMITTED_OUT_PKTS
>>>>>> %OOORDER_IN_PKTS %OOORDER_OUT_PKTS %IPV4_NEXT_HOP --zmq tcp://*:5556
>>>>>> --mysql=localhost:nprobe:l:nprobe:pass
>>>>>>
>>>>>> ntopng
>>>>>> ./ntopng -i tcp://10.10.10.10:5556
>>>>>>
>>>>>> I have confirmed that flows are captured by nprobe, as they are also
>>>>>> stored in the local database, and I see the zmq session startup via
>>>>>> tcpdump, but no more data are exchanged after the first 5 or 6 pck.
>>>>>> How can I find why zmq is not working?
>>>>>>
>>>>>> thanks in advance
>>>>>>
>>>>>> Stefano
>>>>>> _______________________________________________
>>>>>> Ntop-misc mailing list
>>>>>> [email protected]
>>>>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
