First off, make sure you are stracing the same thread. Each thread does something different - only one per device is the libpcap interface. Linux is a pain because the mapping isn't clear:

Feb 24 19:59:18 tigger ntop[2434]: THREADMGMT: Started thread (64166832) for network packet analyser
Feb 24 19:59:18 tigger ntop[2434]: THREADMGMT: Started thread (43576240) for fingerprinting
Feb 24 19:59:18 tigger ntop[2434]: THREADMGMT: Started thread (74656688) for idle hosts detection
Feb 24 19:59:18 tigger ntop[2434]: THREADMGMT: Packet processor thread running...
Feb 24 19:59:18 tigger ntop[2434]: THREADMGMT: Fingerprint scan thread running...
Feb 24 19:59:18 tigger ntop[2434]: THREADMGMT: Idle host scan thread running...
Feb 24 19:59:18 tigger ntop[2434]: THREADMGMT: Address resolution thread running...
Feb 24 19:59:18 tigger ntop[2434]: THREADMGMT: Started thread (85146544) for DNS address resolution
Feb 24 19:59:18 tigger ntop[2434]: THREADMGMT: Started thread (129809328) for web server
Feb 24 19:59:18 tigger ntop[2434]: THREADMGMT: web connections thread (2434) started...
Feb 24 19:59:19 tigger ntop[2434]: THREADMGMT: rrd thread (116239280) started
Feb 24 19:59:19 tigger ntop[2434]: THREADMGMT: Started thread (-1219884112) for network packet sniffing on eth1
Feb 24 19:59:19 tigger ntop[2434]: THREADMGMT: Started thread (-1230373968) for network packet sniffing on eth2
Feb 24 19:59:19 tigger ntop[2434]: THREADMGMT: pcapDispatch(eth1) thread running...
Feb 24 19:59:19 tigger ntop[2434]: THREADMGMT: pcapDispatch(eth2) thread running...

Shows the POSIX thread #, but the base pid. This:

# ps axH -L | grep ntop | sort -n
2434 2434 ? S 0:00 /usr/bin/ntop -i eth1,eth2 @/etc/ntop.conf -d --use-syslog local3
2434 2460 ? S 0:00 /usr/bin/ntop -i eth1,eth2 @/etc/ntop.conf -d --use-syslog local3
2434 2461 ? S 0:00 /usr/bin/ntop -i eth1,eth2 @/etc/ntop.conf -d --use-syslog local3
2434 2462 ? S 0:02 /usr/bin/ntop -i eth1,eth2 @/etc/ntop.conf -d --use-syslog local3
2434 2463 ? S 0:00 /usr/bin/ntop -i eth1,eth2 @/etc/ntop.conf -d --use-syslog local3
2434 2474 ? S 0:00 /usr/bin/ntop -i eth1,eth2 @/etc/ntop.conf -d --use-syslog local3
2434 2517 ? S 0:13 /usr/bin/ntop -i eth1,eth2 @/etc/ntop.conf -d --use-syslog local3
2434 2518 ? S 1:04 /usr/bin/ntop -i eth1,eth2 @/etc/ntop.conf -d --use-syslog local3
2434 2519 ? S 0:49 /usr/bin/ntop -i eth1,eth2 @/etc/ntop.conf -d --use-syslog local3
11232 11232 ? S 0:00 sshd: ntop [priv]
11234 11234 ? S 0:00 sshd: [EMAIL PROTECTED]/0
11388 11388 pts/0 R 0:00 grep ntop

Is your best guess for mapping, but the only sure way is via gdb. Attach to the running ntop via gdb <binary> <pid> and check the threads.

# ps axf | grep ntop
11232 ? S 0:00 \_ sshd: ntop [priv]
11234 ? S 0:00 \_ sshd: [EMAIL PROTECTED]/0
11357 pts/0 S 0:00 \_ grep ntop
2434 ? S 2:11 /usr/bin/ntop -i eth1,eth2 @/etc/ntop.conf -d --use-syslog local3
2668 ? S 2:58 /devel/bin/ntop -i eth1,eth2 @/etc/ntopdevel.conf -d --use-syslog local4 --instance devel

# gdb /usr/bin/ntop 2434
GNU gdb Red Hat Linux (6.0post-0.20040223.19rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".
Attaching to program: /usr/bin/ntop, process 2434
Reading symbols from /usr/lib/libntopreport-3.1.1.so...done.
...
Loaded symbols for /usr/lib/ntop/plugins/xmldumpPlugin.so
0x00a967a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
(gdb) info threads
9 Thread 64166832 (LWP 2460) 0x00a967a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
8 Thread 43576240 (LWP 2461) 0x00a967a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
7 Thread 74656688 (LWP 2462) 0x00a967a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
6 Thread 85146544 (LWP 2463) 0x00a967a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
5 Thread 129809328 (LWP 2474) 0x00a967a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
4 Thread 116239280 (LWP 2517) 0x00a967a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
3 Thread -1219884112 (LWP 2518) 0x00a967a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
2 Thread -1230373968 (LWP 2519) 0x00a967a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
1 Thread -1208057728 (LWP 2434) 0x00a967a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2

As you look at each thread, you'll see what they're waiting on... E.g.:

(gdb) thread 9
[Switching to thread 9 (Thread 64166832 (LWP 2460))]#0 0x00a967a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
(gdb) info stack
#0 0x00a967a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1 0x0049c704 in [EMAIL PROTECTED] () from /lib/tls/libpthread.so.0
#2 0x00f69544 in ?? () from /usr/lib/libntop-3.1.1.so
#3 0x00f56aa0 in waitSem (semId=0xf6abe4) at util.c:2125
#4 0x00f42cda in dequeuePacket (notUsed=0x0) at pbuf.c:2345
#5 0x0049798c in start_thread () from /lib/tls/libpthread.so.0
#6 0x002fb7da in clone () from /lib/tls/libc.so.6

So it's in dequeuePacket - waiting on the semaphore (meaning something's been queued) - normal.

(gdb) thread 8
[Switching to thread 8 (Thread 43576240 (LWP 2461))]#0 0x00a967a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
(gdb) info stack
#0 0x00a967a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1 0x002c67f6 in __nanosleep_nocancel () from /lib/tls/libc.so.6
#2 0x002c6679 in sleep () from /lib/tls/libc.so.6
#3 0x00f59341 in ntop_sleep (secs=150) at util.c:3672
#4 0x00f3ba02 in scanFingerprintLoop (notUsed=0x0) at ntop.c:699
#5 0x0049798c in start_thread () from /lib/tls/libpthread.so.0
#6 0x002fb7da in clone () from /lib/tls/libc.so.6

Fingerprint loop runs every 60s or 5m or whatever ... So sleeping is normal.

Etc.

If you see a couple of threads in syslog() waiting, that's the log hang.

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Terrence Martin
Sent: Friday, February 25, 2005 1:34 AM
To: [email protected]
Subject: Re: [Ntop] ntop will not capture packets when options used

You might have to be a bit more specific as to what I am looking for. Here is an strace of the parent (ie strace ntop -i eth1). The interface I am listening on is not the one I am connected to. I only get action on the thread I am watching when I send traffic out eth1. (ie I am on eth0). Being local on this machine is not an easy thing. However it is dual homed and I definitely see a difference in what you see in strace from the "working" mode without -d or -L and with -d and -L.

recvfrom(5, "\0 [EMAIL PROTECTED]"..., 8232, MSG_TRUNC, {sa_family=AF_PACKET, proto=0x806, if5, pkttype=PACKET_HOST, addr(6)={1, 00901a40dfa8}, [20]) = 60
ioctl(5, SIOCGSTAMP, 0xbe9ffa24) = 0
getpid() = 1782
time(NULL) = 1109319537
getpid() = 1782
time(NULL) = 1109319537
getpid() = 1782
time(NULL) = 1109319537
lseek(7, 13463, SEEK_SET) = 13463
read(7, "1113399297\0dsl093-032-001.snd1.d"..., 84) = 84
time(NULL) = 1109319537
getpid() = 1782
getpid() = 1782
time(NULL) = 1109319537
time(NULL) = 1109319537
getpid() = 1782
time(NULL) = 1109319537
getpid() = 1782
time(NULL) = 1109319537
getpid() = 1782

Here is ntop -d -L. I listen to each thread in turn when I generate data out eth1. I do not get anything like the above showing actual capture taking place. In each case I generated traffic for each strace I ran.

[EMAIL PROTECTED] ~# ps auxw|grep ntop
nobody 1806 78.0 4.8 46308 23348 ? S 00:20 0:03 ntop -i eth1 -d -L
root 1808 0.0 4.8 46308 23348 ? S 00:20 0:00 ntop -i eth1 -d -L
root 1809 0.0 4.8 46308 23348 ? S 00:20 0:00 ntop -i eth1 -d -L
root 1810 0.0 4.8 46308 23348 ? S 00:20 0:00 ntop -i eth1 -d -L
root 1811 0.0 4.8 46308 23348 ? S 00:20 0:00 ntop -i eth1 -d -L
root 1812 0.0 4.8 46308 23348 ? S 00:20 0:00 ntop -i eth1 -d -L
root 1813 2.0 4.8 46308 23348 ? S 00:20 0:00 ntop -i eth1 -d -L
root 1815 0.0 4.8 46308 23348 ? S 00:20 0:00 ntop -i eth1 -d -L
root 1816 0.0 4.8 46308 23348 ? S 00:20 0:00 ntop -i eth1 -d -L
root 1817 0.0 4.8 46308 23348 ? S 00:20 0:00 ntop -i eth1 -d -L
root 1819 0.0 0.1 3652 660 pts/0 S 00:20 0:00 grep ntop
[EMAIL PROTECTED] ~# strace -p 1817
Process 1817 attached - interrupt to quit
Process 1817 detached
[EMAIL PROTECTED] ~# strace -p 1816
Process 1816 attached - interrupt to quit
rt_sigprocmask(SIG_SETMASK, [RTMIN], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [RTMIN], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_IGN}, 8) = 0
nanosleep({298, 0}, <unfinished ...>
Process 1816 detached
[EMAIL PROTECTED] ~# strace -p 1815
Process 1815 attached - interrupt to quit
select(12, [11], NULL, NULL, NULL <unfinished ...>
Process 1815 detached
[EMAIL PROTECTED] ~# strace -p 1813
Process 1813 attached - interrupt to quit
Process 1813 detached
[EMAIL PROTECTED] ~# strace -p 1812
Process 1812 attached - interrupt to quit
Process 1812 detached
[EMAIL PROTECTED] ~# strace -p 1811
Process 1811 attached - interrupt to quit
rt_sigprocmask(SIG_SETMASK, [RTMIN], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [RTMIN], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_IGN}, 8) = 0
nanosleep({3, 0}, {3, 0}) = 0
rt_sigprocmask(SIG_SETMASK, [RTMIN], NULL, 8) = 0
time(NULL) = 1109319673
time(NULL) = 1109319673
gettimeofday({1109319673, 709212}, NULL) = 0
getpid() = 1811
time(NULL) = 1109319673
time(NULL) = 1109319673
getpid() = 1811
getpid() = 1811
time(NULL) = 1109319673
getpid() = 1811
time(NULL) = 1109319673
time(NULL) = 1109319673
getpid() = 1811
time(NULL) = 1109319673
getpid() = 1811
gettimeofday({1109319673, 717618}, NULL) = 0
getpid() = 1811
time(NULL) = 1109319673
time(NULL) = 1109319673
getpid() = 1811
sched_yield() = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [RTMIN], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_IGN}, 8) = 0
nanosleep({60, 0}, <unfinished ...>
Process 1811 detached
[EMAIL PROTECTED] ~# strace -p 1810
Process 1810 attached - interrupt to quit
rt_sigprocmask(SIG_SETMASK, [RTMIN], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [RTMIN], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_IGN}, 8) = 0
nanosleep({72, 0}, <unfinished ...>
Process 1810 detached
[EMAIL PROTECTED] ~# strace -p 1809
Process 1809 attached - interrupt to quit
Process 1809 detached
[EMAIL PROTECTED] ~# strace -p 1808
Process 1808 attached - interrupt to quit
getppid() = 1806
poll([{fd=0, events=POLLIN}], 1, 2000) = 0
getppid() = 1806
poll([{fd=0, events=POLLIN}], 1, 2000) = 0
getppid() = 1806
poll([{fd=0, events=POLLIN}], 1, 2000) = 0
getppid() = 1806
poll( <unfinished ...>
Process 1808 detached
[EMAIL PROTECTED] ~# strace -p 1806
Process 1806 attached - interrupt to quit
Process 1806 detached
[EMAIL PROTECTED] ~#

It just seems like ntop is refusing to actually capture packets when -d or -L is used. This despite the fact that ntop is putting the interface in question into promiscuous mode. Is there something that does not happen in -d or -L modes? How does the code path differ?

Also this is with a brand new copy of ntop, freshly built from cvs checkout of ntop using the following procedure.

./configure
make
make install

Please let me know if there is any other information I can provide.

Terrence

Burton Strauss wrote:

>Console logs are useless - too much else happens.
>
>The version check is a separate thread, async because it can take a
>while to respond. Still, you can try turning it off...
>
>When it seems to be hanging, you might try attaching w/ strace. You'll
>need to figure the thread->pid process and use -p on each of them.
>Don't do this remotely - all the telnet/ssh packets swamp any other effect.
>
>-----Burton
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
>Terrence Martin
>Sent: Thursday, February 24, 2005 2:09 PM
>To: [email protected]
>Subject: Re: [Ntop] ntop will not capture packets when options used
>
>First, I found the archives link. I also noted that someone else posted
>a similar problem, but no resolution.
>
>Here is some more information. Here is the console output when running
>ntop without options from the command line.
>
>Thu Feb 24 12:14:00 2005 Initializing gdbm databases
>Thu Feb 24 12:14:00 2005 ntop will be started as user nobody
>Thu Feb 24 12:14:00 2005 ntop v.3.1 (Dag Apt RPM Repository) MT
>Thu Feb 24 12:14:00 2005 Configured on Feb 23 2005 18:02:38, built on Feb 23 2005 18:05:22.
>Thu Feb 24 12:14:00 2005 Copyright 1998-2004 by Luca Deri <[EMAIL PROTECTED]>
>Thu Feb 24 12:14:00 2005 Get the freshest ntop from http://www.ntop.org/
>Thu Feb 24 12:14:00 2005 Initializing ntop
>Thu Feb 24 12:14:00 2005 Checking eth0 for additional devices
>Thu Feb 24 12:14:00 2005 Resetting traffic statistics for device eth0
>Thu Feb 24 12:14:00 2005 DLT: Device 0 [eth0] is 1, mtu 1514, header 14
>Thu Feb 24 12:14:00 2005 Initializing gdbm databases
>Thu Feb 24 12:14:00 2005 VENDOR: Loading MAC address table.
>Thu Feb 24 12:14:00 2005 VENDOR: Checking for MAC address table file
>Thu Feb 24 12:14:00 2005 VENDOR: File '/etc/ntop/specialMAC.txt.gz' does not need to be reloaded
>Thu Feb 24 12:14:00 2005 VENDOR: ntop continues ok
>Thu Feb 24 12:14:00 2005 VENDOR: Checking for MAC address table file
>Thu Feb 24 12:14:00 2005 VENDOR: File '/etc/ntop/oui.txt.gz' does not need to be reloaded
>Thu Feb 24 12:14:00 2005 VENDOR: ntop continues ok
>Thu Feb 24 12:14:00 2005 Fingeprint: Loading signature file.
>Thu Feb 24 12:14:01 2005 Fingeprint: ...loaded 1697 records
>Thu Feb 24 12:14:01 2005 ASN: Checking for Autonomous System Number table file
>Thu Feb 24 12:14:01 2005 **WARNING** ASN: Unable to open file 'AS-list.txt'
>Thu 24 Feb 2005 12:14:01 PM PST I18N: Default language (from ntop host) is 'en_US'
>Thu 24 Feb 2005 12:14:01 PM PST I18N: This instance of ntop supports 0 additional language(s)
>Thu 24 Feb 2005 12:14:01 PM PST IP2CC: Checking for IP address <-> Country Code mapping file
>Thu 24 Feb 2005 12:14:01 PM PST IP2CC: Loading file '/etc/ntop/p2c.opt.table.gz'
>Thu 24 Feb 2005 12:14:04 PM PST IP2CC: ...found 52395 lines
>Thu 24 Feb 2005 12:14:04 PM PST GDVERCHK: Guessing at libgd version
>Thu 24 Feb 2005 12:14:04 PM PST GDVERCHK: ... as 1.8.4
>Thu 24 Feb 2005 12:14:04 PM PST Initializing external applications
>Thu 24 Feb 2005 12:14:04 PM PST THREADMGMT: Packet processor thread running...
>Thu 24 Feb 2005 12:14:04 PM PST THREADMGMT: Started thread (16386) for network packet analyser
>Thu 24 Feb 2005 12:14:04 PM PST THREADMGMT: Fingerprint scan thread running...
>Thu 24 Feb 2005 12:14:04 PM PST THREADMGMT: Started thread (32771) for fingerprinting
>Thu 24 Feb 2005 12:14:04 PM PST THREADMGMT: Idle host scan thread running...
>Thu 24 Feb 2005 12:14:04 PM PST THREADMGMT: Started thread (49156) for idle hosts detection
>Thu 24 Feb 2005 12:14:04 PM PST THREADMGMT: Address resolution thread running...
>Thu 24 Feb 2005 12:14:04 PM PST THREADMGMT: Started thread (65541) for DNS address resolution
>Thu 24 Feb 2005 12:14:04 PM PST Calling plugin start functions (if any)
>Thu 24 Feb 2005 12:14:04 PM PST CHKVER: Checking current ntop version at version.ntop.org/version.xml
>Thu 24 Feb 2005 12:14:04 PM PST INITWEB: Initializing web server
>Thu 24 Feb 2005 12:14:04 PM PST INITWEB: Initializing tcp/ip socket connections for web server
>Thu 24 Feb 2005 12:14:04 PM PST INITWEB: Initialized socket, port 3000, address (any)
>Thu 24 Feb 2005 12:14:04 PM PST INITWEB: Waiting for HTTP connections on port 3000
>Thu 24 Feb 2005 12:14:04 PM PST INITWEB: Starting web server
>Thu 24 Feb 2005 12:14:04 PM PST THREADMGMT: web connections thread (15659) started...
>Thu 24 Feb 2005 12:14:04 PM PST Note: SIGPIPE handler set (ignore)
>Thu 24 Feb 2005 12:14:04 PM PST WEB: ntop's web server is now processing requests
>Thu 24 Feb 2005 12:14:04 PM PST THREADMGMT: Started thread (98311) for web server
>Thu 24 Feb 2005 12:14:04 PM PST Listening on [eth0]
>Thu 24 Feb 2005 12:14:04 PM PST Loading Plugins
>Thu 24 Feb 2005 12:14:04 PM PST Searching for plugins in /usr/lib/ntop/plugins
>Thu 24 Feb 2005 12:14:04 PM PST LASTSEEN: Welcome to LastSeenWatchPlugin. (C) 1999 by Andrea Marangoni
>Thu 24 Feb 2005 12:14:04 PM PST ICMP: Welcome to icmpWatchPlugin. (C) 1999-2004 by Luca Deri
>Thu 24 Feb 2005 12:14:04 PM PST NETFLOW: Welcome to NetFlow.(C) 2002-04 by Luca Deri
>Thu 24 Feb 2005 12:14:04 PM PST PDA: Welcome to PDAPlugin. (C) 2001-2004 by L.Deri and W.Brock
>Thu 24 Feb 2005 12:14:04 PM PST RRD: Welcome to rrdPlugin. (C) 2002-04 by Luca Deri.
>Thu 24 Feb 2005 12:14:04 PM PST SFLOW: Welcome to sFlow.(C) 2002-04 by Luca Deri
>Thu 24 Feb 2005 12:14:04 PM PST SNMP: Welcome to snmpPlugin. (C) 2004 by F.Fusco and G.Giardina
>Thu 24 Feb 2005 12:14:04 PM PST XML: Welcome to xmldump plugin. (C) 2003-2004 by Burton Strauss
>Thu 24 Feb 2005 12:14:04 PM PST Calling plugin start functions (if any)
>Thu 24 Feb 2005 12:14:04 PM PST RRD: Welcome to the RRD plugin
>Thu 24 Feb 2005 12:14:04 PM PST RRD: Mask for new directories is 0700
>Thu 24 Feb 2005 12:14:04 PM PST RRD: Mask for new files is 0066
>Thu 24 Feb 2005 12:14:04 PM PST THREADMGMT: rrd thread (0) started
>Thu 24 Feb 2005 12:14:04 PM PST RRD: Started thread (114696) for data collection.
>Thu 24 Feb 2005 12:14:04 PM PST Now running as requested user 'nobody' (99:99)
>Thu 24 Feb 2005 12:14:04 PM PST INIT: Created pid file (/var/ntop/ntop.pid)
>Thu 24 Feb 2005 12:14:04 PM PST Note: Reporting device initally set to 0 [eth0] (merged)
>Thu 24 Feb 2005 12:14:04 PM PST THREADMGMT: pcapDispatch(eth0) thread running...
>Thu 24 Feb 2005 12:14:04 PM PST THREADMGMT: Started thread (131081) for network packet sniffing on eth0
>Thu 24 Feb 2005 12:14:06 PM PST CHKVER: Version file is from 'version.ntop.org'
>Thu 24 Feb 2005 12:14:06 PM PST CHKVER: as of date is '2004-12-01T17:00:00'
>Thu 24 Feb 2005 12:14:06 PM PST CHKVER: This version of ntop is the CURRENT stable version
>Thu 24 Feb 2005 12:14:16 PM PST NOTE: -L | --use-syslog=facility not specified, child processes will log to the default (24).
>
>
>Here is the output with ntop -d.
>
>Thu Feb 24 12:16:55 2005 Initializing gdbm databases
>Thu Feb 24 12:16:55 2005 ntop will be started as user nobody
>Thu Feb 24 12:16:55 2005 ntop v.3.1 (Dag Apt RPM Repository) MT
>Thu Feb 24 12:16:55 2005 Configured on Feb 23 2005 18:02:38, built on Feb 23 2005 18:05:22.
>Thu Feb 24 12:16:55 2005 Copyright 1998-2004 by Luca Deri <[EMAIL PROTECTED]>
>Thu Feb 24 12:16:55 2005 Get the freshest ntop from http://www.ntop.org/
>Thu Feb 24 12:16:55 2005 Initializing ntop
>Thu Feb 24 12:16:55 2005 Checking eth0 for additional devices
>Thu Feb 24 12:16:55 2005 Resetting traffic statistics for device eth0
>Thu Feb 24 12:16:55 2005 DLT: Device 0 [eth0] is 1, mtu 1514, header 14
>Thu Feb 24 12:16:55 2005 Initializing gdbm databases
>Thu Feb 24 12:16:55 2005 VENDOR: Loading MAC address table.
>Thu Feb 24 12:16:55 2005 VENDOR: Checking for MAC address table file
>Thu Feb 24 12:16:55 2005 VENDOR: File '/etc/ntop/specialMAC.txt.gz' does not need to be reloaded
>Thu Feb 24 12:16:55 2005 VENDOR: ntop continues ok
>Thu Feb 24 12:16:55 2005 VENDOR: Checking for MAC address table file
>Thu Feb 24 12:16:55 2005 VENDOR: File '/etc/ntop/oui.txt.gz' does not need to be reloaded
>Thu Feb 24 12:16:55 2005 VENDOR: ntop continues ok
>Thu Feb 24 12:16:55 2005 Fingeprint: Loading signature file.
>Thu Feb 24 12:16:55 2005 Fingeprint: ...loaded 1697 records
>Thu Feb 24 12:16:55 2005 INIT: Bye bye: I'm becoming a daemon...
>Thu Feb 24 12:16:55 2005 INIT: Parent process is exiting (this is normal)
>
>And from the log dump on the web interface
>
>Thu 24 Feb 2005 12:16:55 PM PST I18N: Default language (from ntop host) is 'en_US'
>Thu 24 Feb 2005 12:16:55 PM PST I18N: This instance of ntop supports 0 additional language(s)
>Thu 24 Feb 2005 12:16:55 PM PST IP2CC: Checking for IP address <-> Country Code mapping file
>Thu 24 Feb 2005 12:16:55 PM PST IP2CC: Loading file '/etc/ntop/p2c.opt.table.gz'
>Thu 24 Feb 2005 12:16:58 PM PST IP2CC: ...found 52395 lines
>Thu 24 Feb 2005 12:16:58 PM PST GDVERCHK: Guessing at libgd version
>Thu 24 Feb 2005 12:16:58 PM PST GDVERCHK: ... as 1.8.4
>Thu 24 Feb 2005 12:16:58 PM PST Initializing external applications
>Thu 24 Feb 2005 12:16:58 PM PST THREADMGMT: Packet processor thread running...
>Thu 24 Feb 2005 12:16:58 PM PST THREADMGMT: Started thread (16386) for network packet analyser
>Thu 24 Feb 2005 12:16:58 PM PST THREADMGMT: Fingerprint scan thread running...
>Thu 24 Feb 2005 12:16:58 PM PST THREADMGMT: Started thread (32771) for fingerprinting
>Thu 24 Feb 2005 12:16:58 PM PST THREADMGMT: Idle host scan thread running...
>Thu 24 Feb 2005 12:16:58 PM PST THREADMGMT: Started thread (49156) for idle hosts detection
>Thu 24 Feb 2005 12:16:58 PM PST THREADMGMT: Address resolution thread running...
>Thu 24 Feb 2005 12:16:58 PM PST THREADMGMT: Started thread (65541) for DNS address resolution
>Thu 24 Feb 2005 12:16:58 PM PST Calling plugin start functions (if any)
>Thu 24 Feb 2005 12:16:58 PM PST CHKVER: Checking current ntop version at version.ntop.org/version.xml
>Thu 24 Feb 2005 12:16:58 PM PST INITWEB: Initializing web server
>Thu 24 Feb 2005 12:16:58 PM PST INITWEB: Initializing tcp/ip socket connections for web server
>Thu 24 Feb 2005 12:16:58 PM PST INITWEB: Initialized socket, port 3000, address (any)
>Thu 24 Feb 2005 12:16:58 PM PST INITWEB: Waiting for HTTP connections on port 3000
>Thu 24 Feb 2005 12:16:58 PM PST INITWEB: Starting web server
>Thu 24 Feb 2005 12:16:58 PM PST THREADMGMT: web connections thread (15685) started...
>Thu 24 Feb 2005 12:16:58 PM PST THREADMGMT: Started thread (98311) for web server
>Thu 24 Feb 2005 12:16:58 PM PST Note: SIGPIPE handler set (ignore)
>Thu 24 Feb 2005 12:16:58 PM PST Listening on [eth0]
>Thu 24 Feb 2005 12:16:58 PM PST WEB: ntop's web server is now processing requests
>Thu 24 Feb 2005 12:16:58 PM PST Loading Plugins
>Thu 24 Feb 2005 12:16:58 PM PST Searching for plugins in /usr/lib/ntop/plugins
>Thu 24 Feb 2005 12:16:58 PM PST LASTSEEN: Welcome to LastSeenWatchPlugin. (C) 1999 by Andrea Marangoni
>Thu 24 Feb 2005 12:16:58 PM PST ICMP: Welcome to icmpWatchPlugin. (C) 1999-2004 by Luca Deri
>Thu 24 Feb 2005 12:16:58 PM PST NETFLOW: Welcome to NetFlow.(C) 2002-04 by Luca Deri
>Thu 24 Feb 2005 12:16:58 PM PST PDA: Welcome to PDAPlugin. (C) 2001-2004 by L.Deri and W.Brock
>Thu 24 Feb 2005 12:16:58 PM PST RRD: Welcome to rrdPlugin. (C) 2002-04 by Luca Deri.
>Thu 24 Feb 2005 12:16:58 PM PST SFLOW: Welcome to sFlow.(C) 2002-04 by Luca Deri
>Thu 24 Feb 2005 12:16:58 PM PST SNMP: Welcome to snmpPlugin. (C) 2004 by F.Fusco and G.Giardina
>Thu 24 Feb 2005 12:16:58 PM PST XML: Welcome to xmldump plugin. (C) 2003-2004 by Burton Strauss
>Thu 24 Feb 2005 12:16:58 PM PST Calling plugin start functions (if any)
>Thu 24 Feb 2005 12:16:58 PM PST RRD: Welcome to the RRD plugin
>Thu 24 Feb 2005 12:16:58 PM PST RRD: Mask for new directories is 0700
>Thu 24 Feb 2005 12:16:58 PM PST RRD: Mask for new files is 0066
>Thu 24 Feb 2005 12:16:58 PM PST THREADMGMT: rrd thread (0) started
>Thu 24 Feb 2005 12:16:58 PM PST RRD: Started thread (114696) for data collection.
>Thu 24 Feb 2005 12:16:58 PM PST Now running as requested user 'nobody' (99:99)
>Thu 24 Feb 2005 12:16:58 PM PST INIT: Created pid file (/var/ntop/ntop.pid)
>Thu 24 Feb 2005 12:16:58 PM PST Note: Reporting device initally set to 0 [eth0] (merged)
>Thu 24 Feb 2005 12:16:58 PM PST THREADMGMT: pcapDispatch(eth0) thread running...
>Thu 24 Feb 2005 12:16:58 PM PST THREADMGMT: Started thread (131081) for network packet sniffing on eth0
>Thu 24 Feb 2005 12:16:59 PM PST CHKVER: Version file is from 'version.ntop.org'
>
>
>When run with -d I get no captured packets. I notice that the checkver
>does not seem to finish in the ntop -d. Could it be hanging there? ntop
>does put the interface in promisc mode whether it is ntop plain or ntop -d.
>
>Terrence
>
>
>Terrence Martin wrote:
>
>>Hi,
>>
>>I am running ntop 3.1 on a RHEL3 (Whitebox) system.
>>I have installed using pre-compiled binaries from Dag Wiers site, as
>>well as rebuilding the RPM myself and installing that. I have not
>>tried the tar ball.
>>Kernel 2.4.21-15.0.3.EL
>>The underlying hardware is a Via EPIA M6000 with an added tulip based
>>ethernet card
>>
>>The problem I am having is that ntop only seems to properly capture
>>packets if I do not give it any command line options.
>>
>>If I run ntop plain as root it starts up and listens to the default
>>port 3000. I connect and get graphs for all the current data. If I run
>>ntop with a switch the interface still comes up but the interface
>>reports no packets captured.
>>
>>eg. ntop -d or ntop -d -L or using /etc/ntop.conf
>>
>>Does anyone know what might be causing this issue?
>>
>>The other thing I noticed is that when I hit ctrl-c to stop the plain
>>command line ntop I often got a segfault when it closed. Not sure if
>>that is normal.
>>
>>Also is there an archive for this list?
>>
>>Thanks for any suggestions,
>>
>>Terrence
>>
>>_______________________________________________
>>Ntop mailing list
>>[email protected]
>>http://listgateway.unipi.it/mailman/listinfo/ntop
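
The thread-to-LWP mapping described in the reply at the top of this thread, as an added example that is not part of any message here: it joins the THREADMGMT syslog lines with gdb's "info threads" output to give an LWP-to-role table for strace -p. The function names map_threads and lwp_for are hypothetical, the sample input is copied from the excerpts in that reply, and the parser assumes the decimal thread-id format shown there.

```shell
#!/bin/sh
# Added example (not from the thread): build an LWP -> role table for ntop.
# On a live system the gdb half could be captured with
#   gdb -p <pid> -batch -ex "info threads"
# and the syslog half with a grep for THREADMGMT in the ntop log.

# THREADMGMT lines copied from the syslog excerpt in the reply.
sample_syslog() {
cat <<'EOF'
Feb 24 19:59:18 tigger ntop[2434]: THREADMGMT: Started thread (64166832) for network packet analyser
Feb 24 19:59:18 tigger ntop[2434]: THREADMGMT: Started thread (43576240) for fingerprinting
Feb 24 19:59:18 tigger ntop[2434]: THREADMGMT: Started thread (74656688) for idle hosts detection
Feb 24 19:59:18 tigger ntop[2434]: THREADMGMT: Packet processor thread running...
Feb 24 19:59:18 tigger ntop[2434]: THREADMGMT: Started thread (85146544) for DNS address resolution
Feb 24 19:59:18 tigger ntop[2434]: THREADMGMT: Started thread (129809328) for web server
Feb 24 19:59:18 tigger ntop[2434]: THREADMGMT: web connections thread (2434) started...
Feb 24 19:59:19 tigger ntop[2434]: THREADMGMT: rrd thread (116239280) started
Feb 24 19:59:19 tigger ntop[2434]: THREADMGMT: Started thread (-1219884112) for network packet sniffing on eth1
Feb 24 19:59:19 tigger ntop[2434]: THREADMGMT: Started thread (-1230373968) for network packet sniffing on eth2
EOF
}

# "info threads" lines copied from the gdb session in the reply.
sample_gdb() {
cat <<'EOF'
9 Thread 64166832 (LWP 2460) 0x00a967a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
8 Thread 43576240 (LWP 2461) 0x00a967a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
7 Thread 74656688 (LWP 2462) 0x00a967a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
6 Thread 85146544 (LWP 2463) 0x00a967a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
5 Thread 129809328 (LWP 2474) 0x00a967a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
4 Thread 116239280 (LWP 2517) 0x00a967a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
3 Thread -1219884112 (LWP 2518) 0x00a967a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
2 Thread -1230373968 (LWP 2519) 0x00a967a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
1 Thread -1208057728 (LWP 2434) 0x00a967a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
EOF
}

# map_threads SYSLOG_FILE GDB_FILE -> "LWP<TAB>role" lines, sorted by LWP.
map_threads() {
    awk '
        # First file (syslog): remember the role logged for each thread id.
        FNR == NR {
            if (match($0, /Started thread \(-?[0-9]+\) for .+/)) {
                role = id = substr($0, RSTART, RLENGTH)
                sub(/^Started thread \(/, "", id); sub(/\).*$/, "", id)
                sub(/^Started thread \([^)]*\) for /, "", role)
                roles[id] = role
            } else if (match($0, /THREADMGMT: .+ thread \(-?[0-9]+\) started/)) {
                role = id = substr($0, RSTART, RLENGTH)
                sub(/^[^(]*\(/, "", id); sub(/\).*$/, "", id)
                sub(/^THREADMGMT: /, "", role); sub(/ \(.*$/, "", role)
                roles[id] = role
            }
            next
        }
        # Second file (gdb): look each thread id up and print its LWP.
        match($0, /Thread -?[0-9]+ \(LWP [0-9]+\)/) {
            split(substr($0, RSTART, RLENGTH), f, " ")
            lwp = f[4]; sub(/\)/, "", lwp)
            role = (f[2] in roles) ? roles[f[2]] : "unmapped (no THREADMGMT line)"
            printf "%s\t%s\n", lwp, role
        }
    ' "$1" "$2" | sort -n
}

# lwp_for SYSLOG_FILE GDB_FILE TEXT -> LWP(s) whose role contains TEXT.
lwp_for() {
    map_threads "$1" "$2" | awk -F '\t' -v want="$3" 'index($2, want) { print $1 }'
}

# Demo on the sample data: print the table, then the LWP to hand to strace -p.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
sample_syslog > "$tmp/syslog"
sample_gdb > "$tmp/gdb"
map_threads "$tmp/syslog" "$tmp/gdb"
echo "eth1 capture thread: strace -p $(lwp_for "$tmp/syslog" "$tmp/gdb" "sniffing on eth1")"
```

The "web connections thread (2434)" line logs the process id rather than a thread id, so it matches no gdb entry, and the main thread (LWP 2434) comes out as unmapped.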
