There will be an NfSen update, which fixes the Perl issues as well as
other bugs. It should be ready by the end of the month.

Use optarg for nfcapd args, as already pointed out by Borja

Regards

        - Peter

On 03/24/2014 04:44 PM, Alfredo Sola wrote:
> 
>       Good day,
> 
>       I have been using now and then nfsen/nfdump for some years, but I don't 
> claim to be an expert.
> 
>       As a platform for detecting trouble early (we could call that VEDA, 
> yes? Very Early DDoS Alert :) it is as good as things can conceivably be, in 
> my opinion. It is also a very convenient way to peek on network traffic. I'd 
> say that it fulfills those design goals quite nicely.
> 
>       In my latest implementation, I am struggling with two things: make it 
> work with a directory layout as FHS as possible, and script some early 
> response when trouble comes down the pipes.
> 
>       As for the first question, I have 'apt-get nfdump' and that works, but 
> have been unable to make nfsen work. It does start nfcapd among some 
> complaints about Perl (which is at version 5.18.2, which I understand should 
> work) and I can nfdump stuff out of the nfcapd files, but the web page says, 
> "Frontend - Backend version missmatch!" and "No data available!". I have been 
> searching this list in particular and the web in general, and applied the 
> session patch, but nothing helped.
> 
>       I noticed there was at one point a mentoring request on Debian to pack 
> nfsen up, but it was withdrawn. Lack of interest? I'd love to be able to 
> apt-get install nfsen and have things just work, and I'm willing to put down 
> some resources towards that.
> 
>       Regarding the second question, I notice that there is currently no way 
> to have nfsen start nfcapd with custom args. I want to start nfcapd with -x 
> /usr/local/bin/somescript %d/%f so that I can run a custom nfdump analysis as 
> soon as a five-minute period is done, but for that the only solution is to 
> either edit NfSenRC.pm (and therefore when updating one needs to remember 
> patching it up again), or use something like incron. So I'd like to make that 
> a feature request, to provide support for a -x parameter or custom additional 
> parameters in nfsen.conf.
> 
>       Thanks for any pointers, answers, ideas and cluebaits.
> 
>       System information:
> 
> --------------------------------8<--------------------------------
> $ dpkg -l librrds-perl
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name                       Version            Architecture       
> Description
> +++-==========================-==================-==================-=========================================================
> ii  librrds-perl               1.4.7-2.1          amd64              
> time-series data storage and display system (Perl interfa
> --------------------------------8<--------------------------------
> $ nfdump -V
> nfdump: Version: 1.6.8p1 $Date: 2012-11-10 12:40:54 +0100 (Sat, 10 Nov 2012) $
> --------------------------------8<--------------------------------
> root@monitor1:~# nfsen -V
> Subroutine Lookup::pack_sockaddr_in6 redefined at 
> /usr/share/perl/5.18/Exporter.pm line 66.
>  at /usr/local/bin/libexec/Lookup.pm line 43.
> Subroutine Lookup::unpack_sockaddr_in6 redefined at 
> /usr/share/perl/5.18/Exporter.pm line 66.
>  at /usr/local/bin/libexec/Lookup.pm line 43.
> Subroutine Lookup::sockaddr_in6 redefined at /usr/share/perl/5.18/Exporter.pm 
> line 66.
>  at /usr/local/bin/libexec/Lookup.pm line 43.
> Subroutine AbuseWhois::pack_sockaddr_in6 redefined at 
> /usr/share/perl/5.18/Exporter.pm line 66.
>  at /usr/local/bin/libexec/AbuseWhois.pm line 42.
> Subroutine AbuseWhois::unpack_sockaddr_in6 redefined at 
> /usr/share/perl/5.18/Exporter.pm line 66.
>  at /usr/local/bin/libexec/AbuseWhois.pm line 42.
> Subroutine AbuseWhois::sockaddr_in6 redefined at 
> /usr/share/perl/5.18/Exporter.pm line 66.
>  at /usr/local/bin/libexec/AbuseWhois.pm line 42.
> Subroutine AbuseWhois::pack_sockaddr_in6 redefined at 
> /usr/local/bin/libexec/AbuseWhois.pm line 44.
> Subroutine AbuseWhois::unpack_sockaddr_in6 redefined at 
> /usr/local/bin/libexec/AbuseWhois.pm line 44.
> Subroutine AbuseWhois::sockaddr_in6 redefined at 
> /usr/local/bin/libexec/AbuseWhois.pm line 44.
> /usr/local/bin/nfsen: 1.3.6p1 $Id: nfsen 53 2012-01-23 16:36:02Z peter $
> --------------------------------8<--------------------------------
> $ egrep -v '(^#|^$)' /etc/nfsen/nfsen.conf
> $BASEDIR = "/var/cache/nfdump";
> $BINDIR="/usr/local/bin";
> $LIBEXECDIR="${BINDIR}/libexec";
> $CONFDIR="/etc/nfsen";
> $HTMLDIR    = "/srv/mynicenfsenweb";
> $DOCDIR="${HTMLDIR}/doc";
> $VARDIR="${BASEDIR}/var";
> $PIDDIR="/run/nfsen";
> $PROFILESTATDIR="${BASEDIR}/profiles-stat";
> $PROFILEDATADIR="${BASEDIR}/profiles-data";
> $BACKEND_PLUGINDIR="${BASEDIR}/plugins";
> $FRONTEND_PLUGINDIR="${HTMLDIR}/plugins";
> $PREFIX  = '/usr/bin';
> $USER    = "www-data";
> $WWWUSER  = "www-data";
> $WWWGROUP = "www-data";
> $BUFFLEN = 200000;
> $SUBDIRLAYOUT = 1;
> $ZIPcollected  = 1;
> $ZIPprofiles   = 1;
> $PROFILERS = 2;
> $DISKLIMIT = 95;
> $PROFILERS = 6;
> %sources = (
>     'r1'        => { 'port' => '9996', 'IP' => '10.2.3.2', 'col' => '#0000FF' 
> },
> );
> $low_water = 90;
> $syslog_facility = 'local3';
> @plugins = (
>     # profile    # module
>     # [ '*',     'demoplugin' ],
> );
> %PluginConf = (
>       # For plugin demoplugin
>       demoplugin => {
>               # scalar
>               param2 => 42,
>               # hash
>               param1 => { 'key' => 'value' },
>       },
>       # for plugin otherplugin
>       otherplugin => [
>               # array
>               'mary had a little lamb'
>       ],
> );
> $MAIL_FROM   = 'r...@me.com';
> $SMTP_SERVER = 'localhost';
> $MAIL_BODY     = q{
> Alerta: '@alert@' en @timeslot@
> };
> 1;
> --------------------------------8<--------------------------------
> Some syslog:
> Mar 24 16:20:00 monitor1 nfcapd[1840]: Ident: 'r1' Flows: 168458, Packets: 
> 9271494, Bytes: 1978520360, Sequence Errors: 3, Bad Packets: 0
> Mar 24 16:20:00 monitor1 nfcapd[1840]: Total ignored packets: 0
> Mar 24 16:20:15 monitor1 nfsen[1935]: connection on UNIX socket
> Mar 24 16:20:15 monitor1 nfsen[1935]: comm server started: 10206
> Mar 24 16:20:15 monitor1 nfsen[10206]: Cmd Decode: signal
> Mar 24 16:20:15 monitor1 nfsen[10206]: Cmd Decode: quit
> Mar 24 16:20:15 monitor1 nfsen[1934]: Signal 'start-periodic'
> Mar 24 16:20:15 monitor1 nfsen[1934]: Run periodic at Mon Mar 24 16:20:00 2014
> Mar 24 16:20:15 monitor1 nfsen[1934]: Prepare profiling './live'
> Mar 24 16:20:15 monitor1 nfsen[1934]: 1 channels/alerts to profile
> Mar 24 16:20:15 monitor1 nfsen[1934]: Limit profilers: 1
> Mar 24 16:20:15 monitor1 nfsen[10207]: profile opts: .#~pps#8#pps#r1 for 
> profiler 0
> Mar 24 16:20:15 monitor1 nfsen[10207]: profiler 0 started
> Mar 24 16:20:15 monitor1 nfsen[1935]: comm child[10206] terminated with no 
> exit value
> Mar 24 16:20:15 monitor1 nfprofile[10208]: Process line '.#~pps#8#pps#r1#012'
> Mar 24 16:20:15 monitor1 nfprofile[10208]: Setup channel 'pps' in profile 
> '~pps' group '.', channellist 'r1'
> Mar 24 16:20:15 monitor1 nfsen[10207]: profiler 0 finished
> Mar 24 16:20:15 monitor1 nfsen[1934]: Update profile live in group .
> Mar 24 16:20:15 monitor1 nfsen[1934]: Add channel size 930033664
> Mar 24 16:20:15 monitor1 nfsen[1934]: Set new profile size: 930033664
> Mar 24 16:20:15 monitor1 nfsen[1934]: Add .:live:201403241615 for plugin 
> processing
> Mar 24 16:20:15 monitor1 nfsen[1934]: Unable to create graph: No such file or 
> directory
> Mar 24 16:20:15 monitor1 nfsen[1934]: Error GenGraph: Profile: live, 
> traffic-day: Legend set but no color: r1 at 
> /usr/local/bin/libexec/NfSenRRD.pm line 337.
> Mar 24 16:20:15 monitor1 nfsen[1934]: Unable to create graph: No such file or 
> directory
> Mar 24 16:20:15 monitor1 nfsen[1934]: Error GenGraph: Profile: live, 
> traffic-day: Legend set but no color: r1 at 
> /usr/local/bin/libexec/NfSenRRD.pm line 346.
> Mar 24 16:20:15 monitor1 nfsen[1934]: Unable to create graph: No such file or 
> directory
> Mar 24 16:20:15 monitor1 nfsen[1934]: Error GenGraph: Profile: live, 
> traffic-day: Legend set but no color: r1 at 
> /usr/local/bin/libexec/NfSenRRD.pm line 356.
> Mar 24 16:20:15 monitor1 nfsen[1934]: Unable to create graph: No such file or 
> directory
> Mar 24 16:20:15 monitor1 nfsen[1934]: Error GenGraph: Profile: live, 
> traffic-day: Legend set but no color: r1 at 
> /usr/local/bin/libexec/NfSenRRD.pm line 366.
> Mar 24 16:20:15 monitor1 nfsen[1934]: Unable to create graph: No such file or 
> directory
> Mar 24 16:20:15 monitor1 nfsen[1934]: Error GenGraph: Profile: live, 
> packets-day: Legend set but no color: r1 at 
> /usr/local/bin/libexec/NfSenRRD.pm line 337.
> Mar 24 16:20:15 monitor1 nfsen[1934]: Unable to create graph: No such file or 
> directory
> Mar 24 16:20:15 monitor1 nfsen[1934]: Error GenGraph: Profile: live, 
> packets-day: Legend set but no color: r1 at 
> /usr/local/bin/libexec/NfSenRRD.pm line 346.
> Mar 24 16:20:15 monitor1 nfsen[1934]: Unable to create graph: No such file or 
> directory
> Mar 24 16:20:15 monitor1 nfsen[1934]: Error GenGraph: Profile: live, 
> packets-day: Legend set but no color: r1 at 
> /usr/local/bin/libexec/NfSenRRD.pm line 356.
> Mar 24 16:20:15 monitor1 nfsen[1934]: Unable to create graph: No such file or 
> directory
> Mar 24 16:20:15 monitor1 nfsen[1934]: Error GenGraph: Profile: live, 
> packets-day: Legend set but no color: r1 at 
> /usr/local/bin/libexec/NfSenRRD.pm line 366.
> Mar 24 16:20:15 monitor1 nfsen[1934]: Unable to create graph: No such file or 
> directory
> Mar 24 16:20:15 monitor1 nfsen[1934]: Error GenGraph: Profile: live, 
> flows-day: Legend set but no color: r1 at /usr/local/bin/libexec/NfSenRRD.pm 
> line 337.
> Mar 24 16:20:15 monitor1 nfsen[1934]: Unable to create graph: No such file or 
> directory
> Mar 24 16:20:15 monitor1 nfsen[1934]: Error GenGraph: Profile: live, 
> flows-day: Legend set but no color: r1 at /usr/local/bin/libexec/NfSenRRD.pm 
> line 346.
> Mar 24 16:20:15 monitor1 nfsen[1934]: Unable to create graph: No such file or 
> directory
> Mar 24 16:20:15 monitor1 nfsen[1934]: Error GenGraph: Profile: live, 
> flows-day: Legend set but no color: r1 at /usr/local/bin/libexec/NfSenRRD.pm 
> line 356.
> Mar 24 16:20:15 monitor1 nfsen[1934]: Unable to create graph: No such file or 
> directory
> Mar 24 16:20:15 monitor1 nfsen[1934]: Error GenGraph: Profile: live, 
> flows-day: Legend set but no color: r1 at /usr/local/bin/libexec/NfSenRRD.pm 
> line 366.
> Mar 24 16:20:15 monitor1 nfsen[1934]: Error graph update: Error GenGraph: 
> Profile: live, flows-day: Legend set but no color: r1
> Mar 24 16:20:15 monitor1 nfsen[1934]: Run plugins for 201403241615
> Mar 24 16:20:15 monitor1 nfsen[1935]: connection on UNIX socket
> Mar 24 16:20:15 monitor1 nfsen[1935]: comm server started: 10210
> Mar 24 16:20:15 monitor1 nfsen[10210]: Cmd Decode: run-plugins
> Mar 24 16:20:15 monitor1 nfsen[10210]: Plugin Cycle: ., live, 201403241615
> Mar 24 16:20:15 monitor1 nfsen[10210]: Cmd Decode: quit
> Mar 24 16:20:15 monitor1 nfsen[1934]: Run plugins done.
> Mar 24 16:20:15 monitor1 nfsen[1934]: Check alerts for Mon Mar 24 16:15:00 
> 2014
> Mar 24 16:20:15 monitor1 nfsen[1934]: Process alert 'pps'
> Mar 24 16:20:15 monitor1 nfsen[1934]: alert 'pps': conditions based on total 
> flow summary
> Mar 24 16:20:15 monitor1 nfsen[1934]: condition 0: evaluated to False
> Mar 24 16:20:15 monitor1 nfsen[1934]: Resulted condition: False
> Mar 24 16:20:15 monitor1 nfsen[1934]: Alert 'pps' condition == false
> Mar 24 16:20:15 monitor1 nfsen[1934]: Alert 'pps' Status: 1.
> Mar 24 16:20:15 monitor1 nfsen[1934]: Alert 'pps' Blocks: 0.
> Mar 24 16:20:15 monitor1 nfsen[1934]: Alert 'pps' Info  : .
> Mar 24 16:20:15 monitor1 nfsen[1934]: Alert 'pps' done.
> Mar 24 16:20:15 monitor1 nfsen[1934]: Check alerts done.
> Mar 24 16:20:15 monitor1 nfsen[1934]: Run expire at Mon Mar 24 16:20:00 2014
> Mar 24 16:20:15 monitor1 nfsen[1934]: Expire profile live group . low water 
> mark: 90%%
> Mar 24 16:20:15 monitor1 nfsen[1935]: comm child[10210] terminated with no 
> exit value
> Mar 24 16:20:15 monitor1 nfsen[1934]: nfexpire: Include nfcapd bookeeping 
> record in /var/cache/nfdump/profiles-data/./live/r1
> Mar 24 16:20:15 monitor1 nfsen[1934]: nfexpire: Expired files:      0
> Mar 24 16:20:15 monitor1 nfsen[1934]: nfexpire: Expired file size:  0 B
> Mar 24 16:20:15 monitor1 nfsen[1934]: nfexpire: Expired time range: 0 sec
> Mar 24 16:20:15 monitor1 nfsen[1934]: nfexpire:
> Mar 24 16:20:15 monitor1 nfsen[1934]: End expire at Mon Mar 24 16:20:00 2014
> Mar 24 16:20:15 monitor1 nfsen[1935]: connection on UNIX socket
> Mar 24 16:20:15 monitor1 nfsen[1935]: comm server started: 10214
> Mar 24 16:20:15 monitor1 nfsen[10214]: Cmd Decode: signal
> Mar 24 16:20:15 monitor1 nfsen[10214]: Cmd Decode: quit
> Mar 24 16:20:15 monitor1 nfsen[1934]: Signal 'end-periodic'
> Mar 24 16:20:15 monitor1 nfsen[10214]: Cleanup Routine
> Mar 24 16:20:15 monitor1 nfsen[1935]: comm child[10214] terminated with no 
> exit value
> Mar 24 16:22:31 monitor1 nfsen[1935]: connection on UNIX socket
> Mar 24 16:22:31 monitor1 nfsen[1935]: comm server started: 10265
> Mar 24 16:22:31 monitor1 nfsen[10265]: Cmd Decode: get-globals
> Mar 24 16:22:31 monitor1 nfsen[10265]: Cmd Decode: get-du
> Mar 24 16:22:31 monitor1 nfsen[10265]: comm child[10266] terminated with no 
> exit value
> Mar 24 16:22:31 monitor1 nfsen[10265]: Cmd Decode: get-profile
> Mar 24 16:22:31 monitor1 nfsen[10265]: Cmd Decode: quit
> Mar 24 16:22:31 monitor1 nfsen[1935]: comm child[10265] terminated with no 
> exit value
> 

-- 
Be nice to your netflow data
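As an added illustration of the per-file hook the quoted request asks for (example code written for this page, not part of nfsen or nfdump), this is the kind of script nfcapd could invoke as `-x '/usr/local/bin/somescript %d/%f'` once a five-minute file is rotated: it runs nfdump over the finished file, sums packets per destination and raises a syslog alert when a destination's average rate crosses a threshold. The nfdump flags, the script name, the threshold and the alert text are assumptions.

```python
#!/usr/bin/env python3
"""Post-processing hook for nfcapd -x, run once per rotated capture file.

Assumed invocation: nfcapd ... -x '/usr/local/bin/somescript %d/%f'
nfcapd expands %d/%f to the finished file; the script feeds it to nfdump
and logs an alert for destinations whose packet rate exceeds a threshold.
"""
import subprocess
import sys
import syslog

ROTATION_SECONDS = 300       # nfcapd's five-minute file rotation
PPS_THRESHOLD = 50_000       # constructed example threshold, tune per network

_SCALE = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_count(text):
    """Accept plain ('9271494') or nfdump-scaled ('9.2 M') packet counts."""
    parts = text.strip().split()
    number = float(parts[0])
    suffix = parts[1].upper() if len(parts) > 1 else ""
    return int(round(number * _SCALE[suffix]))


def packets_per_destination(lines):
    """Sum packets per destination from 'da,pkt' lines (nfdump fmt output)."""
    totals = {}
    for line in lines:
        line = line.strip()
        if not line or "," not in line:
            continue             # skip blank lines and any stray header/summary
        dst, pkt = line.rsplit(",", 1)
        totals[dst] = totals.get(dst, 0) + parse_count(pkt)
    return totals


def hot_destinations(totals, threshold=PPS_THRESHOLD, interval=ROTATION_SECONDS):
    """Return (dst, pps) pairs above threshold, highest rate first."""
    rates = ((dst, pkts / interval) for dst, pkts in totals.items())
    return sorted((r for r in rates if r[1] > threshold), key=lambda r: -r[1])


def run_nfdump(capture_file):
    # Assumed nfdump flags: -r read file, -q no header/summary, -N plain numbers,
    # -o fmt: custom columns (destination address, packets).
    cmd = ["nfdump", "-r", capture_file, "-q", "-N", "-o", "fmt:%da,%pkt"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.splitlines()


if __name__ == "__main__":
    totals = packets_per_destination(run_nfdump(sys.argv[1]))
    for dst, pps in hot_destinations(totals):
        syslog.syslog(syslog.LOG_ALERT, f"VEDA: {dst} received {pps:.0f} pps in {sys.argv[1]}")
```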
