You might have to be a bit more specific as to what I am looking for.
Here is an strace of the parent (i.e. strace ntop -i eth1). The interface I am listening on is not the one I am connected to. I only get action on the thread I am watching when I send traffic out eth1 (i.e. I am on eth0). Being local on this machine is not an easy thing. However, it is dual homed and I definitely see a difference in what you see in strace between the "working" mode without -d or -L and with -d and -L.
recvfrom(5, "\0 [EMAIL PROTECTED]"..., 8232, MSG_TRUNC, {sa_family=AF_PACKET, proto=0x806, if5, pkttype=PACKET_HOST, addr(6)={1, 00901a40dfa8}, [20]) = 60
ioctl(5, SIOCGSTAMP, 0xbe9ffa24) = 0
getpid() = 1782
time(NULL) = 1109319537
getpid() = 1782
time(NULL) = 1109319537
getpid() = 1782
time(NULL) = 1109319537
lseek(7, 13463, SEEK_SET) = 13463
read(7, "1113399297\0dsl093-032-001.snd1.d"..., 84) = 84
time(NULL) = 1109319537
getpid() = 1782
getpid() = 1782
time(NULL) = 1109319537
time(NULL) = 1109319537
getpid() = 1782
time(NULL) = 1109319537
getpid() = 1782
time(NULL) = 1109319537
getpid() = 1782
Here is ntop -d -L. I listen to each thread in turn when I generate data out eth1. I do not get anything like the above showing actual capture taking place. In each case I generated traffic for each strace I ran.
[EMAIL PROTECTED] ~# ps auxw|grep ntop
nobody 1806 78.0 4.8 46308 23348 ? S 00:20 0:03 ntop -i eth1 -d -L
root 1808 0.0 4.8 46308 23348 ? S 00:20 0:00 ntop -i eth1 -d -L
root 1809 0.0 4.8 46308 23348 ? S 00:20 0:00 ntop -i eth1 -d -L
root 1810 0.0 4.8 46308 23348 ? S 00:20 0:00 ntop -i eth1 -d -L
root 1811 0.0 4.8 46308 23348 ? S 00:20 0:00 ntop -i eth1 -d -L
root 1812 0.0 4.8 46308 23348 ? S 00:20 0:00 ntop -i eth1 -d -L
root 1813 2.0 4.8 46308 23348 ? S 00:20 0:00 ntop -i eth1 -d -L
root 1815 0.0 4.8 46308 23348 ? S 00:20 0:00 ntop -i eth1 -d -L
root 1816 0.0 4.8 46308 23348 ? S 00:20 0:00 ntop -i eth1 -d -L
root 1817 0.0 4.8 46308 23348 ? S 00:20 0:00 ntop -i eth1 -d -L
root 1819 0.0 0.1 3652 660 pts/0 S 00:20 0:00 grep ntop
[EMAIL PROTECTED] ~# strace -p 1817
Process 1817 attached - interrupt to quit
Process 1817 detached
[EMAIL PROTECTED] ~# strace -p 1816
Process 1816 attached - interrupt to quit
rt_sigprocmask(SIG_SETMASK, [RTMIN], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [RTMIN], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_IGN}, 8) = 0
nanosleep({298, 0}, <unfinished ...>
Process 1816 detached
[EMAIL PROTECTED] ~# strace -p 1815
Process 1815 attached - interrupt to quit
select(12, [11], NULL, NULL, NULL <unfinished ...>
Process 1815 detached
[EMAIL PROTECTED] ~# strace -p 1813
Process 1813 attached - interrupt to quit
Process 1813 detached
[EMAIL PROTECTED] ~# strace -p 1812
Process 1812 attached - interrupt to quit
Process 1812 detached
[EMAIL PROTECTED] ~# strace -p 1811
Process 1811 attached - interrupt to quit
rt_sigprocmask(SIG_SETMASK, [RTMIN], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [RTMIN], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_IGN}, 8) = 0
nanosleep({3, 0}, {3, 0}) = 0
rt_sigprocmask(SIG_SETMASK, [RTMIN], NULL, 8) = 0
time(NULL) = 1109319673
time(NULL) = 1109319673
gettimeofday({1109319673, 709212}, NULL) = 0
getpid() = 1811
time(NULL) = 1109319673
time(NULL) = 1109319673
getpid() = 1811
getpid() = 1811
time(NULL) = 1109319673
getpid() = 1811
time(NULL) = 1109319673
time(NULL) = 1109319673
getpid() = 1811
time(NULL) = 1109319673
getpid() = 1811
gettimeofday({1109319673, 717618}, NULL) = 0
getpid() = 1811
time(NULL) = 1109319673
time(NULL) = 1109319673
getpid() = 1811
sched_yield() = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [RTMIN], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_IGN}, 8) = 0
nanosleep({60, 0}, <unfinished ...>
Process 1811 detached
[EMAIL PROTECTED] ~# strace -p 1810
Process 1810 attached - interrupt to quit
rt_sigprocmask(SIG_SETMASK, [RTMIN], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [RTMIN], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_IGN}, 8) = 0
nanosleep({72, 0}, <unfinished ...>
Process 1810 detached
[EMAIL PROTECTED] ~# strace -p 1809
Process 1809 attached - interrupt to quit
Process 1809 detached
[EMAIL PROTECTED] ~# strace -p 1808
Process 1808 attached - interrupt to quit
getppid() = 1806
poll([{fd=0, events=POLLIN}], 1, 2000) = 0
getppid() = 1806
poll([{fd=0, events=POLLIN}], 1, 2000) = 0
getppid() = 1806
poll([{fd=0, events=POLLIN}], 1, 2000) = 0
getppid() = 1806
poll( <unfinished ...>
Process 1808 detached
[EMAIL PROTECTED] ~# strace -p 1806
Process 1806 attached - interrupt to quit
Process 1806 detached
[EMAIL PROTECTED] ~#
It just seems like ntop is refusing to actually capture packets when -d or -L is used. This despite the fact that ntop is putting the interface in question into promiscuous mode.
Is there something that does not happen in -d or -L modes? How does the code path differ?
Also, this is with a brand new copy of ntop, freshly built from a cvs checkout of ntop using the following procedure.
./configure
make
make install
Please let me know if there is any other information I can provide.
Terrence
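As an added example (not part of this thread or of ntop), here is a POSIX shell helper for the per-thread strace check described above: it classifies a short strace capture as "capturing" or "idle" by counting the AF_PACKET recvfrom and SIOCGSTAMP calls a live pcap reader makes. The survey_threads function, and the pgrep, timeout and strace tools it calls, are assumptions about the host; the sample traces at the bottom are constructed, modelled on the output in the thread, so the classifier runs without root.

```shell
#!/bin/sh
# Added example, not from the ntop thread or project.
# A thread that is really reading packets shows recvfrom() on an AF_PACKET
# socket followed by ioctl(SIOCGSTAMP); a parked thread shows only
# nanosleep()/select()/poll().

# Count capture-indicating syscalls in strace output read from stdin.
# Prints "<recvfrom-count> <siocgstamp-count>".
count_capture_calls() {
    awk '
        /^recvfrom\(/ && /AF_PACKET/ { r++ }
        /^ioctl\(.*SIOCGSTAMP/       { s++ }
        END { printf "%d %d\n", r + 0, s + 0 }
    '
}

# Verdict for one trace on stdin: "capturing" if any packet was read.
classify_trace() {
    counts=$(count_capture_calls)
    set -- $counts
    if [ "$1" -gt 0 ]; then echo capturing; else echo idle; fi
}

# Live use (assumed tools: pgrep, timeout, strace; needs root):
# attach to every PID/thread of the named process for a few seconds each.
# Run it from the console, not over ssh, so your own session traffic does
# not show up in the capture.
survey_threads() {   # usage: survey_threads ntop 5
    name=$1; secs=${2:-5}
    for pid in $(pgrep -x "$name"); do
        verdict=$(timeout "$secs" strace -p "$pid" 2>&1 | classify_trace)
        echo "pid $pid: $verdict"
    done
}

# Constructed sample traces (not real captures) to exercise the classifier.
SAMPLE_CAPTURING='recvfrom(5, "\0..."..., 8232, MSG_TRUNC, {sa_family=AF_PACKET, proto=0x806, if5, pkttype=PACKET_HOST, addr(6)={1, 00901a40dfa8}, [20]) = 60
ioctl(5, SIOCGSTAMP, 0xbe9ffa24) = 0
getpid() = 1782
time(NULL) = 1109319537'
SAMPLE_IDLE='rt_sigprocmask(SIG_SETMASK, [RTMIN], NULL, 8) = 0
nanosleep({298, 0}, <unfinished ...>'

printf '%s\n' "$SAMPLE_CAPTURING" | classify_trace   # capturing
printf '%s\n' "$SAMPLE_IDLE" | classify_trace        # idle
```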
Burton Strauss wrote:
Console logs are useless - too much else happens.
The version check is a separate thread, async because it can take a while to respond. Still, you can try turning it off...
When it seems to be hanging, you might try attaching w/ strace. You'll need to figure the thread->pid process and use -p on each of them. Don't do this remotely - all the telnet/ssh packets swamp any other effect.
-----Burton
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Terrence Martin
Sent: Thursday, February 24, 2005 2:09 PM
To: [email protected]
Subject: Re: [Ntop] ntop will not capture packets when options used
First, I found the archives link. I also noted that someone else posted a similar problem, but no resolution.
Here is some more information. Here is the console output when running ntop without options from the command line.
Thu Feb 24 12:14:00 2005 Initializing gdbm databases
Thu Feb 24 12:14:00 2005 ntop will be started as user nobody
Thu Feb 24 12:14:00 2005 ntop v.3.1 (Dag Apt RPM Repository) MT
Thu Feb 24 12:14:00 2005 Configured on Feb 23 2005 18:02:38, built on Feb 23 2005 18:05:22.
Thu Feb 24 12:14:00 2005 Copyright 1998-2004 by Luca Deri <[EMAIL PROTECTED]>
Thu Feb 24 12:14:00 2005 Get the freshest ntop from http://www.ntop.org/
Thu Feb 24 12:14:00 2005 Initializing ntop
Thu Feb 24 12:14:00 2005 Checking eth0 for additional devices
Thu Feb 24 12:14:00 2005 Resetting traffic statistics for device eth0
Thu Feb 24 12:14:00 2005 DLT: Device 0 [eth0] is 1, mtu 1514, header 14
Thu Feb 24 12:14:00 2005 Initializing gdbm databases
Thu Feb 24 12:14:00 2005 VENDOR: Loading MAC address table.
Thu Feb 24 12:14:00 2005 VENDOR: Checking for MAC address table file
Thu Feb 24 12:14:00 2005 VENDOR: File '/etc/ntop/specialMAC.txt.gz' does not need to be reloaded
Thu Feb 24 12:14:00 2005 VENDOR: ntop continues ok
Thu Feb 24 12:14:00 2005 VENDOR: Checking for MAC address table file
Thu Feb 24 12:14:00 2005 VENDOR: File '/etc/ntop/oui.txt.gz' does not need to be reloaded
Thu Feb 24 12:14:00 2005 VENDOR: ntop continues ok
Thu Feb 24 12:14:00 2005 Fingeprint: Loading signature file.
Thu Feb 24 12:14:01 2005 Fingeprint: ...loaded 1697 records
Thu Feb 24 12:14:01 2005 ASN: Checking for Autonomous System Number table file
Thu Feb 24 12:14:01 2005 **WARNING** ASN: Unable to open file 'AS-list.txt'
Thu 24 Feb 2005 12:14:01 PM PST I18N: Default language (from ntop host) is 'en_US'
Thu 24 Feb 2005 12:14:01 PM PST I18N: This instance of ntop supports 0 additional language(s)
Thu 24 Feb 2005 12:14:01 PM PST IP2CC: Checking for IP address <-> Country Code mapping file
Thu 24 Feb 2005 12:14:01 PM PST IP2CC: Loading file '/etc/ntop/p2c.opt.table.gz'
Thu 24 Feb 2005 12:14:04 PM PST IP2CC: ...found 52395 lines
Thu 24 Feb 2005 12:14:04 PM PST GDVERCHK: Guessing at libgd version
Thu 24 Feb 2005 12:14:04 PM PST GDVERCHK: ... as 1.8.4
Thu 24 Feb 2005 12:14:04 PM PST Initializing external applications
Thu 24 Feb 2005 12:14:04 PM PST THREADMGMT: Packet processor thread running...
Thu 24 Feb 2005 12:14:04 PM PST THREADMGMT: Started thread (16386) for network packet analyser
Thu 24 Feb 2005 12:14:04 PM PST THREADMGMT: Fingerprint scan thread running...
Thu 24 Feb 2005 12:14:04 PM PST THREADMGMT: Started thread (32771) for fingerprinting
Thu 24 Feb 2005 12:14:04 PM PST THREADMGMT: Idle host scan thread running...
Thu 24 Feb 2005 12:14:04 PM PST THREADMGMT: Started thread (49156) for idle hosts detection
Thu 24 Feb 2005 12:14:04 PM PST THREADMGMT: Address resolution thread running...
Thu 24 Feb 2005 12:14:04 PM PST THREADMGMT: Started thread (65541) for DNS address resolution
Thu 24 Feb 2005 12:14:04 PM PST Calling plugin start functions (if any)
Thu 24 Feb 2005 12:14:04 PM PST CHKVER: Checking current ntop version at version.ntop.org/version.xml
Thu 24 Feb 2005 12:14:04 PM PST INITWEB: Initializing web server
Thu 24 Feb 2005 12:14:04 PM PST INITWEB: Initializing tcp/ip socket connections for web server
Thu 24 Feb 2005 12:14:04 PM PST INITWEB: Initialized socket, port 3000, address (any)
Thu 24 Feb 2005 12:14:04 PM PST INITWEB: Waiting for HTTP connections on port 3000
Thu 24 Feb 2005 12:14:04 PM PST INITWEB: Starting web server
Thu 24 Feb 2005 12:14:04 PM PST THREADMGMT: web connections thread (15659) started...
Thu 24 Feb 2005 12:14:04 PM PST Note: SIGPIPE handler set (ignore)
Thu 24 Feb 2005 12:14:04 PM PST WEB: ntop's web server is now processing requests
Thu 24 Feb 2005 12:14:04 PM PST THREADMGMT: Started thread (98311) for web server
Thu 24 Feb 2005 12:14:04 PM PST Listening on [eth0]
Thu 24 Feb 2005 12:14:04 PM PST Loading Plugins
Thu 24 Feb 2005 12:14:04 PM PST Searching for plugins in /usr/lib/ntop/plugins
Thu 24 Feb 2005 12:14:04 PM PST LASTSEEN: Welcome to LastSeenWatchPlugin. (C) 1999 by Andrea Marangoni
Thu 24 Feb 2005 12:14:04 PM PST ICMP: Welcome to icmpWatchPlugin. (C) 1999-2004 by Luca Deri
Thu 24 Feb 2005 12:14:04 PM PST NETFLOW: Welcome to NetFlow.(C) 2002-04 by Luca Deri
Thu 24 Feb 2005 12:14:04 PM PST PDA: Welcome to PDAPlugin. (C) 2001-2004 by L.Deri and W.Brock
Thu 24 Feb 2005 12:14:04 PM PST RRD: Welcome to rrdPlugin. (C) 2002-04 by Luca Deri.
Thu 24 Feb 2005 12:14:04 PM PST SFLOW: Welcome to sFlow.(C) 2002-04 by Luca Deri
Thu 24 Feb 2005 12:14:04 PM PST SNMP: Welcome to snmpPlugin. (C) 2004 by F.Fusco and G.Giardina
Thu 24 Feb 2005 12:14:04 PM PST XML: Welcome to xmldump plugin. (C) 2003-2004 by Burton Strauss
Thu 24 Feb 2005 12:14:04 PM PST Calling plugin start functions (if any)
Thu 24 Feb 2005 12:14:04 PM PST RRD: Welcome to the RRD plugin
Thu 24 Feb 2005 12:14:04 PM PST RRD: Mask for new directories is 0700
Thu 24 Feb 2005 12:14:04 PM PST RRD: Mask for new files is 0066
Thu 24 Feb 2005 12:14:04 PM PST THREADMGMT: rrd thread (0) started
Thu 24 Feb 2005 12:14:04 PM PST RRD: Started thread (114696) for data collection.
Thu 24 Feb 2005 12:14:04 PM PST Now running as requested user 'nobody' (99:99)
Thu 24 Feb 2005 12:14:04 PM PST INIT: Created pid file (/var/ntop/ntop.pid)
Thu 24 Feb 2005 12:14:04 PM PST Note: Reporting device initally set to 0 [eth0] (merged)
Thu 24 Feb 2005 12:14:04 PM PST THREADMGMT: pcapDispatch(eth0) thread running...
Thu 24 Feb 2005 12:14:04 PM PST THREADMGMT: Started thread (131081) for network packet sniffing on eth0
Thu 24 Feb 2005 12:14:06 PM PST CHKVER: Version file is from 'version.ntop.org'
Thu 24 Feb 2005 12:14:06 PM PST CHKVER: as of date is '2004-12-01T17:00:00'
Thu 24 Feb 2005 12:14:06 PM PST CHKVER: This version of ntop is the CURRENT stable version
Thu 24 Feb 2005 12:14:16 PM PST NOTE: -L | --use-syslog=facility not specified, child processes will log to the default (24).
Here is the output with ntop -d.
Thu Feb 24 12:16:55 2005 Initializing gdbm databases
Thu Feb 24 12:16:55 2005 ntop will be started as user nobody
Thu Feb 24 12:16:55 2005 ntop v.3.1 (Dag Apt RPM Repository) MT
Thu Feb 24 12:16:55 2005 Configured on Feb 23 2005 18:02:38, built on Feb 23 2005 18:05:22.
Thu Feb 24 12:16:55 2005 Copyright 1998-2004 by Luca Deri <[EMAIL PROTECTED]>
Thu Feb 24 12:16:55 2005 Get the freshest ntop from http://www.ntop.org/
Thu Feb 24 12:16:55 2005 Initializing ntop
Thu Feb 24 12:16:55 2005 Checking eth0 for additional devices
Thu Feb 24 12:16:55 2005 Resetting traffic statistics for device eth0
Thu Feb 24 12:16:55 2005 DLT: Device 0 [eth0] is 1, mtu 1514, header 14
Thu Feb 24 12:16:55 2005 Initializing gdbm databases
Thu Feb 24 12:16:55 2005 VENDOR: Loading MAC address table.
Thu Feb 24 12:16:55 2005 VENDOR: Checking for MAC address table file
Thu Feb 24 12:16:55 2005 VENDOR: File '/etc/ntop/specialMAC.txt.gz' does not need to be reloaded
Thu Feb 24 12:16:55 2005 VENDOR: ntop continues ok
Thu Feb 24 12:16:55 2005 VENDOR: Checking for MAC address table file
Thu Feb 24 12:16:55 2005 VENDOR: File '/etc/ntop/oui.txt.gz' does not need to be reloaded
Thu Feb 24 12:16:55 2005 VENDOR: ntop continues ok
Thu Feb 24 12:16:55 2005 Fingeprint: Loading signature file.
Thu Feb 24 12:16:55 2005 Fingeprint: ...loaded 1697 records
Thu Feb 24 12:16:55 2005 INIT: Bye bye: I'm becoming a daemon...
Thu Feb 24 12:16:55 2005 INIT: Parent process is exiting (this is normal)
And from the log dump on the web interface
Thu 24 Feb 2005 12:16:55 PM PST I18N: Default language (from ntop host) is 'en_US'
Thu 24 Feb 2005 12:16:55 PM PST I18N: This instance of ntop supports 0 additional language(s)
Thu 24 Feb 2005 12:16:55 PM PST IP2CC: Checking for IP address <-> Country Code mapping file
Thu 24 Feb 2005 12:16:55 PM PST IP2CC: Loading file '/etc/ntop/p2c.opt.table.gz'
Thu 24 Feb 2005 12:16:58 PM PST IP2CC: ...found 52395 lines
Thu 24 Feb 2005 12:16:58 PM PST GDVERCHK: Guessing at libgd version
Thu 24 Feb 2005 12:16:58 PM PST GDVERCHK: ... as 1.8.4
Thu 24 Feb 2005 12:16:58 PM PST Initializing external applications
Thu 24 Feb 2005 12:16:58 PM PST THREADMGMT: Packet processor thread running...
Thu 24 Feb 2005 12:16:58 PM PST THREADMGMT: Started thread (16386) for network packet analyser
Thu 24 Feb 2005 12:16:58 PM PST THREADMGMT: Fingerprint scan thread running...
Thu 24 Feb 2005 12:16:58 PM PST THREADMGMT: Started thread (32771) for fingerprinting
Thu 24 Feb 2005 12:16:58 PM PST THREADMGMT: Idle host scan thread running...
Thu 24 Feb 2005 12:16:58 PM PST THREADMGMT: Started thread (49156) for idle hosts detection
Thu 24 Feb 2005 12:16:58 PM PST THREADMGMT: Address resolution thread running...
Thu 24 Feb 2005 12:16:58 PM PST THREADMGMT: Started thread (65541) for DNS address resolution
Thu 24 Feb 2005 12:16:58 PM PST Calling plugin start functions (if any)
Thu 24 Feb 2005 12:16:58 PM PST CHKVER: Checking current ntop version at version.ntop.org/version.xml
Thu 24 Feb 2005 12:16:58 PM PST INITWEB: Initializing web server
Thu 24 Feb 2005 12:16:58 PM PST INITWEB: Initializing tcp/ip socket connections for web server
Thu 24 Feb 2005 12:16:58 PM PST INITWEB: Initialized socket, port 3000, address (any)
Thu 24 Feb 2005 12:16:58 PM PST INITWEB: Waiting for HTTP connections on port 3000
Thu 24 Feb 2005 12:16:58 PM PST INITWEB: Starting web server
Thu 24 Feb 2005 12:16:58 PM PST THREADMGMT: web connections thread (15685) started...
Thu 24 Feb 2005 12:16:58 PM PST THREADMGMT: Started thread (98311) for web server
Thu 24 Feb 2005 12:16:58 PM PST Note: SIGPIPE handler set (ignore)
Thu 24 Feb 2005 12:16:58 PM PST Listening on [eth0]
Thu 24 Feb 2005 12:16:58 PM PST WEB: ntop's web server is now processing requests
Thu 24 Feb 2005 12:16:58 PM PST Loading Plugins
Thu 24 Feb 2005 12:16:58 PM PST Searching for plugins in /usr/lib/ntop/plugins
Thu 24 Feb 2005 12:16:58 PM PST LASTSEEN: Welcome to LastSeenWatchPlugin. (C) 1999 by Andrea Marangoni
Thu 24 Feb 2005 12:16:58 PM PST ICMP: Welcome to icmpWatchPlugin. (C) 1999-2004 by Luca Deri
Thu 24 Feb 2005 12:16:58 PM PST NETFLOW: Welcome to NetFlow.(C) 2002-04 by Luca Deri
Thu 24 Feb 2005 12:16:58 PM PST PDA: Welcome to PDAPlugin. (C) 2001-2004 by L.Deri and W.Brock
Thu 24 Feb 2005 12:16:58 PM PST RRD: Welcome to rrdPlugin. (C) 2002-04 by Luca Deri.
Thu 24 Feb 2005 12:16:58 PM PST SFLOW: Welcome to sFlow.(C) 2002-04 by Luca Deri
Thu 24 Feb 2005 12:16:58 PM PST SNMP: Welcome to snmpPlugin. (C) 2004 by F.Fusco and G.Giardina
Thu 24 Feb 2005 12:16:58 PM PST XML: Welcome to xmldump plugin. (C) 2003-2004 by Burton Strauss
Thu 24 Feb 2005 12:16:58 PM PST Calling plugin start functions (if any)
Thu 24 Feb 2005 12:16:58 PM PST RRD: Welcome to the RRD plugin
Thu 24 Feb 2005 12:16:58 PM PST RRD: Mask for new directories is 0700
Thu 24 Feb 2005 12:16:58 PM PST RRD: Mask for new files is 0066
Thu 24 Feb 2005 12:16:58 PM PST THREADMGMT: rrd thread (0) started
Thu 24 Feb 2005 12:16:58 PM PST RRD: Started thread (114696) for data collection.
Thu 24 Feb 2005 12:16:58 PM PST Now running as requested user 'nobody' (99:99)
Thu 24 Feb 2005 12:16:58 PM PST INIT: Created pid file (/var/ntop/ntop.pid)
Thu 24 Feb 2005 12:16:58 PM PST Note: Reporting device initally set to 0 [eth0] (merged)
Thu 24 Feb 2005 12:16:58 PM PST THREADMGMT: pcapDispatch(eth0) thread running...
Thu 24 Feb 2005 12:16:58 PM PST THREADMGMT: Started thread (131081) for network packet sniffing on eth0
Thu 24 Feb 2005 12:16:59 PM PST CHKVER: Version file is from 'version.ntop.org'
When run with -d I get no captured packets. I notice that the checkver does not seem to finish in the ntop -d. Could it be hanging there? ntop does put the interface in promisc mode whether it is ntop plain or ntop -d.
Terrence
Terrence Martin wrote:
Hi,
I am running ntop 3.1 on a RHEL3 (Whitebox) system.
I have installed using pre-compiled binaries from Dag Wiers site, as well as rebuilding the RPM myself and installing that. I have not tried the tar ball.
Kernel 2.4.21-15.0.3.EL
The underlying hardware is a Via EPIA M6000 with an added tulip based ethernet card.
The problem I am having is that ntop only seems to properly capture packets if I do not give it any command line options.
If I run ntop plain as root it starts up and listens to the default port 3000. I connect and get graphs for all the current data. If I run ntop with a switch the interface still comes up but the interface reports no packets captured.
eg. ntop -d or ntop -d -L or using /etc/ntop.conf
Does anyone know what might be causing this issue?
The other thing I noticed is that when I hit ctrl-c to stop the plain command line ntop I often got a segfault when it closed. Not sure if that is normal.
Also is there an archive for this list?
Thanks for any suggestions,
Terrence
_______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
