Hi Luca,
Thank you for your answer. I have indeed created the issue:
https://github.com/ntop/nProbe/issues/18
Thank you,
Regards,
Grégoire Leroy
On 2015-12-17 16:28, Luca Deri wrote:
Hi Gregoire,
Please file a bug on https://github.com/ntop/nProbe [2] and attach a
pcap file for reproducing it.
Regards, Luca
On 17 Dec 2015, at 15:21, [email protected] wrote:
Hello,
I want to test nprobe stable on CentOS6 (v.7.2.151211) and I have an
issue with nprobe and L2TP tunnelled traffic. Here is the command I
launch:
[root@netflow-linux ~]# nprobe -i eth1 -d 60 -P /tmp/flows -D t -I
sfr -T "%IN_BYTES %IN_PKTS %L4_SRC_PORT %PROTOCOL %IPV4_SRC_ADDR
%L4_DST_PORT %IPV4_DST_ADDR %IPV6_SRC_ADDR %IPV6_DST_MASK
%UPSTREAM_TUNNEL_ID %DOWNSTREAM_TUNNEL_ID" -V 9 --smart-udp-frags -N
0 --tunnel
I'd expect to get records like
"122|1|53|17|IP_IN_TUNNEL|13217|IP_IN_TUNNEL|::|0|000054B5|0000B5AB|
117|2|443|6|IP_IN_TUNNEL|53820|IP_IN_TUNNEL|::|0|00006304|0000BB56|
"
I get some of them, but most of my records are not correctly
decapsulated and I usually get records like this:
52|1|30753|17|L2TP_IP|49752|L2TP_IP|::|0|00000000|00000000|
52|1|4560|17|L2TP_IP|34232|L2TP_IP|::|0|00000000|00000000|
As you can see, L4_SRC_PORT and L4_DST_PORT are correctly
decapsulated. However, I get neither the tunneled IP address nor the
tunnel information (I obfuscated IP information, replacing it
with IP_IN_TUNNEL and L2TP_IP). ~75% of flows are concerned.
I am pretty sure the problem comes from the decapsulation and it's
not a false positive as if it was, src port and dest port would be
1701.
When I try to use it in debug mode I get a segfault (which I don't
get without the --tunnel option):
[root@netflow-linux ~]# nprobe -i eth1 -d 60 -P /tmp/flows -D t -I
sfr -T "%IN_BYTES %IN_PKTS %L4_SRC_PORT %PROTOCOL %IPV4_SRC_ADDR
%L4_DST_PORT %IPV4_DST_ADDR %IPV6_SRC_ADDR %IPV6_DST_MASK
%UPSTREAM_TUNNEL_ID %DOWNSTREAM_TUNNEL_ID %UNTUNNELED_IPV4_SRC_ADDR"
-V 9 --smart-udp-frags -N 0 --debug --tunnel
17/Dec/2015 16:19:38 [nprobe.c:3114] ERROR: Invalid nProbe license (/etc/nprobe.license) [Missing license file]
17/Dec/2015 16:19:38 [nprobe.c:3121] ERROR: *****************************************************
17/Dec/2015 16:19:38 [nprobe.c:3122] ERROR: ** **
17/Dec/2015 16:19:38 [nprobe.c:3123] ERROR: ** Switching to DEMO MODE (missing valid license) **
17/Dec/2015 16:19:38 [nprobe.c:3124] ERROR: ** **
17/Dec/2015 16:19:38 [nprobe.c:3125] ERROR: ** Create your nProbe license at **
17/Dec/2015 16:19:38 [nprobe.c:3126] ERROR: ** http://www.nmon.net/mklicense/ [1] **
17/Dec/2015 16:19:38 [nprobe.c:3127] ERROR: ** **
17/Dec/2015 16:19:38 [nprobe.c:3128] ERROR: *****************************************************
17/Dec/2015 16:19:38 [nprobe.c:6508] ERROR: ***************************************************************
17/Dec/2015 16:19:38 [nprobe.c:6509] ERROR: * NOTE: This is a DEMO version limited to 25000 flows export. *
17/Dec/2015 16:19:38 [nprobe.c:6510] ERROR: ***************************************************************
17/Dec/2015 16:19:38 [plugin.c:166] No plugins found in ./plugins
17/Dec/2015 16:19:38 [plugin.c:174] Loading 22 plugins [.so] from /usr/local/lib/nprobe/plugins
datagramSourceIP 0.0.0.0
datagramSize 48
unixSecondsUTC 1450365578
datagramVersion 5
agentSubId 0
agent 192.168.1.1
packetSequenceNo 1084445
sysUpTime 2429093100
samplesInPacket 4
startSample ----------------------
sampleType_tag 0:2
sampleType COUNTERSSAMPLE
sampleSequenceNo 187645
sourceId 0:1
counterBlock_tag 2176:0
skipping unknown counters_sample_element: 2176:0 len=0
counterBlock_tag 568615:598
skipping unknown counters_sample_element: 568615:598 len=0
endSample ----------------------
unexpected end of datagram after sample 1 of 4
datagramSourceIP 0.0.0.0
datagramSize 48
unixSecondsUTC 1450365578
datagramVersion 5
agentSubId 0
agent 192.168.1.1
packetSequenceNo 1084446
sysUpTime 2429093100
samplesInPacket 10
startSample ----------------------
sampleType_tag 0:1
sampleType FLOWSAMPLE
sampleSequenceNo 11443
sourceId 0:2
meanSkipCount 50
samplePool 8912896
dropEvents 0
inputPort multiple 181563990
outputPort 0
flowBlock_tag 0:0
skipping unknown flow_sample_element: 0:0 len=-2147483648
Segmentation fault
When I compare with what I get in a pcap, I can see that in my pcap
file I almost don't get any packets.
Is there a performance issue (it doesn't seem so, CPU stays low)?
Is there a fix somewhere, or did I miss something?
Thank you very much,
Regards,
Grégoire
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Links:
------
[1] http://www.nmon.net/mklicense/
[2] https://github.com/ntop/nProbe
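
The debug output quoted in this thread prints an element length of -2147483648 (the 32-bit value 0x80000000 shown as a signed integer) on the last line before the segmentation fault; the thread does not establish that this is the cause. As an added example, not nProbe code and not from the thread's participants, here is how a decoder of such tag/length/value elements can keep the length unsigned and check it against the bytes left in the datagram before skipping. All names and the sample buffers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical read cursor over one received datagram. */
struct cursor { const uint8_t *p; size_t left; };

/* Read one big-endian 32-bit word; -1 if fewer than 4 bytes remain. */
static int get_u32(struct cursor *c, uint32_t *out) {
    if (c->left < 4) return -1;
    *out = ((uint32_t)c->p[0] << 24) | ((uint32_t)c->p[1] << 16) |
           ((uint32_t)c->p[2] << 8)  |  (uint32_t)c->p[3];
    c->p += 4; c->left -= 4;
    return 0;
}

/* Skip one element: 32-bit tag, 32-bit length, then `length` bytes.
 * The length is never converted to a signed type, and the cursor only
 * moves after the length is known to fit in the remaining bytes. */
static int skip_element(struct cursor *c, uint32_t *tag, uint32_t *len) {
    if (get_u32(c, tag) != 0 || get_u32(c, len) != 0) return -1;
    if (*len > c->left) return -1;   /* truncated or hostile length */
    c->p += *len; c->left -= *len;
    return 0;
}

/* Returns the number of well-formed elements, or -1 if any is malformed. */
int count_elements(const uint8_t *buf, size_t n) {
    struct cursor c = { buf, n };
    uint32_t tag, len;
    int count = 0;
    while (c.left > 0) {
        if (skip_element(&c, &tag, &len) != 0) return -1;
        count++;
    }
    return count;
}

/* Constructed input: two valid elements (len 4, then len 0). */
static const uint8_t ok_buf[]  = { 0,0,0,1, 0,0,0,4, 0xde,0xad,0xbe,0xef,
                                   0,0,0,2, 0,0,0,0 };
/* Constructed input: tag 0:0 with len 0x80000000, as in the log above. */
static const uint8_t bad_buf[] = { 0,0,0,0, 0x80,0,0,0, 1,2,3,4 };

int main(void) {
    printf("ok_buf:  %d\n", count_elements(ok_buf, sizeof ok_buf));
    printf("bad_buf: %d\n", count_elements(bad_buf, sizeof bad_buf));
    return 0;
}
```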