Hello,

I want to test nprobe stable on CentOS6 (v.7.2.151211) and I have an issue with nprobe and L2TP tunnelled traffic. Here is the command I launch:

[root@netflow-linux ~]# nprobe -i eth1 -d 60 -P /tmp/flows -D t -I sfr -T "%IN_BYTES %IN_PKTS %L4_SRC_PORT %PROTOCOL %IPV4_SRC_ADDR %L4_DST_PORT %IPV4_DST_ADDR %IPV6_SRC_ADDR %IPV6_DST_MASK %UPSTREAM_TUNNEL_ID %DOWNSTREAM_TUNNEL_ID" -V 9 --smart-udp-frags -N 0 --tunnel

I'd expect to get records like
"122|1|53|17|IP_IN_TUNNEL|13217|IP_IN_TUNNEL|::|0|000054B5|0000B5AB|
117|2|443|6|IP_IN_TUNNEL|53820|IP_IN_TUNNEL|::|0|00006304|0000BB56|
"
I get some of them, but most of my records are not correctly decapsulated and I usually get records like this:

52|1|30753|17|L2TP_IP|49752|L2TP_IP|::|0|00000000|00000000|
52|1|4560|17|L2TP_IP|34232|L2TP_IP|::|0|00000000|00000000|

As you can see, L4_SRC_PORT and L4_DST_PORT are correctly decapsulated. However, I get neither the tunneled IP address nor the tunnel information (I obfuscated the IP information, replacing it with IP_IN_TUNNEL and L2TP_IP). ~75% of flows are affected.

I am pretty sure the problem comes from the decapsulation and that it's not a false positive: if it were, the src port and dest port would be 1701.

When I try to use it in debug mode I get a segfault (which I don't get without the --tunnel option):

[root@netflow-linux ~]# nprobe -i eth1 -d 60 -P /tmp/flows -D t -I sfr -T "%IN_BYTES %IN_PKTS %L4_SRC_PORT %PROTOCOL %IPV4_SRC_ADDR %L4_DST_PORT %IPV4_DST_ADDR %IPV6_SRC_ADDR %IPV6_DST_MASK %UPSTREAM_TUNNEL_ID %DOWNSTREAM_TUNNEL_ID %UNTUNNELED_IPV4_SRC_ADDR" -V 9 --smart-udp-frags -N 0 --debug --tunnel
17/Dec/2015 16:19:38 [nprobe.c:3114] ERROR: Invalid nProbe license (/etc/nprobe.license) [Missing license file]
17/Dec/2015 16:19:38 [nprobe.c:3121] ERROR: *****************************************************
17/Dec/2015 16:19:38 [nprobe.c:3122] ERROR: ** **
17/Dec/2015 16:19:38 [nprobe.c:3123] ERROR: ** Switching to DEMO MODE (missing valid license) **
17/Dec/2015 16:19:38 [nprobe.c:3124] ERROR: ** **
17/Dec/2015 16:19:38 [nprobe.c:3125] ERROR: ** Create your nProbe license at **
17/Dec/2015 16:19:38 [nprobe.c:3126] ERROR: ** http://www.nmon.net/mklicense/ **
17/Dec/2015 16:19:38 [nprobe.c:3127] ERROR: ** **
17/Dec/2015 16:19:38 [nprobe.c:3128] ERROR: *****************************************************
17/Dec/2015 16:19:38 [nprobe.c:6508] ERROR: ***************************************************************
17/Dec/2015 16:19:38 [nprobe.c:6509] ERROR: * NOTE: This is a DEMO version limited to 25000 flows export. *
17/Dec/2015 16:19:38 [nprobe.c:6510] ERROR: ***************************************************************
17/Dec/2015 16:19:38 [plugin.c:166] No plugins found in ./plugins
17/Dec/2015 16:19:38 [plugin.c:174] Loading 22 plugins [.so] from /usr/local/lib/nprobe/plugins
datagramSourceIP 0.0.0.0
datagramSize 48
unixSecondsUTC 1450365578
datagramVersion 5
agentSubId 0
agent 192.168.1.1
packetSequenceNo 1084445
sysUpTime 2429093100
samplesInPacket 4
startSample ----------------------
sampleType_tag 0:2
sampleType COUNTERSSAMPLE
sampleSequenceNo 187645
sourceId 0:1
counterBlock_tag 2176:0
skipping unknown counters_sample_element: 2176:0 len=0
counterBlock_tag 568615:598
skipping unknown counters_sample_element: 568615:598 len=0
endSample   ----------------------
unexpected end of datagram after sample 1 of 4
datagramSourceIP 0.0.0.0
datagramSize 48
unixSecondsUTC 1450365578
datagramVersion 5
agentSubId 0
agent 192.168.1.1
packetSequenceNo 1084446
sysUpTime 2429093100
samplesInPacket 10
startSample ----------------------
sampleType_tag 0:1
sampleType FLOWSAMPLE
sampleSequenceNo 11443
sourceId 0:2
meanSkipCount 50
samplePool 8912896
dropEvents 0
inputPort multiple 181563990
outputPort 0
flowBlock_tag 0:0
skipping unknown flow_sample_element: 0:0 len=-2147483648
Segmentation fault

When I compare with what I get in a pcap, I can see that in my pcap file I get almost no packets.

Is there a performance issue (it doesn't seem so, CPU stays low)? Is there a fix somewhere, or did I miss something?

Thank you very much,
Regards,
Grégoire
_______________________________________________
Ntop-misc mailing list
http://listgateway.unipi.it/mailman/listinfo/ntop-misc