Your message dated Sat, 18 Sep 2021 14:40:37 +0200
with message-id <caht6kzglncb5k0brc-qaier3ardte2pt_8_rtkamcyqfxrz...@mail.gmail.com>
and subject line Closing
has caused the Debian Bug report #142159,
regarding Suspicious packet logging a bit broken.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
142159: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=142159
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ntop
Version: -12
Severity: normal

Hi

I have enabled the suspicious packet logging (with the new
-O option written by me). Now I realize that the pcap output
is a bit broken.

Log is here. The file grows but tcpdump says it is truncated
at the same place. Do you know what the problem is? Is there
an option to tcpdump that I should use?

I had to change the output some so that I do not show what
network I had the problem on. xxx->%internalnet%

---
root@wally:/var/log/ntop# ls -l
total 68
-rw-rw-rw-    1 root     root         4290 Apr 10 11:23 ntop-suspicious-pkts.eth0.pcap
-rw-rw-rw-    1 ntop     nogroup      3433 Apr 10 11:23 ntop.access.log
drwxr-xr-x    2 root     root         4096 Apr 10 11:21 old


root@wally:/var/log/ntop# tcpdump -r ntop-suspicious-pkts.eth0.pcap 
11:21:17.740891 if-2-3.core2.Zurich.Teleglobe.net > optiserver.%internalnet%: 
icmp: time exceeded in-transit
11:21:19.311314 if-2-3.core2.Zurich.Teleglobe.net > optiserver.%internalnet%: 
icmp: time exceeded in-transit
11:21:20.899438 if-2-3.core2.Zurich.Teleglobe.net > optiserver.%internalnet%: 
icmp: time exceeded in-transit
11:21:24.849614 if-2-3.core2.Zurich.Teleglobe.net > optiserver.%internalnet%: 
icmp: time exceeded in-transit
11:21:26.381943 if-2-3.core2.Zurich.Teleglobe.net > optiserver.%internalnet%: 
icmp: time exceeded in-transit
11:21:27.903338 if-2-3.core2.Zurich.Teleglobe.net > optiserver.%internalnet%: 
icmp: time exceeded in-transit
11:21:39.838353 wally.%internalnet% > theboss.%internalnet%: icmp: 
wally.%internalnet% udp port ingreslock unreachable [tos 0xc0] 
11:21:39.838353 wally.%internalnet% > theboss.%internalnet%: icmp: 
wally.%internalnet% udp port ingreslock unreachable [tos 0xc0] 
11:21:51.757517 napoleon.acc.umu.se.www > wally.%internalnet%.2737: R 0:0(0) 
ack 2751895494 win 0
11:22:21.838936 wally.%internalnet% > theboss.%internalnet%: icmp: 
wally.%internalnet% udp port ingreslock unreachable [tos 0xc0] 
11:22:21.838936 wally.%internalnet% > theboss.%internalnet%: icmp: 
wally.%internalnet% udp port ingreslock unreachable [tos 0xc0] 
11:23:03.882008 wally.%internalnet%.2754 > optiserver.%internalnet%.pop3: R 
2821956542:2821956542(0) ack 204155218 win 5840 (DF)
11:23:18.052808 indigo.%internalnet%.445 > dhcp201.%internalnet%.2290: R 0:0(0) 
ack 4161097752 win 0
11:23:18.469712 indigo.%internalnet%.445 > dhcp201.%internalnet%.2290: R 0:0(0) 
ack 1 win 0
11:23:18.970472 indigo.%internalnet%.445 > dhcp201.%internalnet%.2290: R 0:0(0) 
ack 1 win 0
tcpdump: pcap_loop: truncated dump file


root@wally:/var/log/ntop# tcpdump -r ntop-suspicious-pkts.eth0.pcap 
11:21:17.740891 if-2-3.core2.Zurich.Teleglobe.net > optiserver.%internalnet%: 
icmp: time exceeded in-transit
11:21:19.311314 if-2-3.core2.Zurich.Teleglobe.net > optiserver.%internalnet%: 
icmp: time exceeded in-transit
11:21:20.899438 if-2-3.core2.Zurich.Teleglobe.net > optiserver.%internalnet%: 
icmp: time exceeded in-transit
11:21:24.849614 if-2-3.core2.Zurich.Teleglobe.net > optiserver.%internalnet%: 
icmp: time exceeded in-transit
11:21:26.381943 if-2-3.core2.Zurich.Teleglobe.net > optiserver.%internalnet%: 
icmp: time exceeded in-transit
11:21:27.903338 if-2-3.core2.Zurich.Teleglobe.net > optiserver.%internalnet%: 
icmp: time exceeded in-transit
11:21:39.838353 wally.%internalnet% > theboss.%internalnet%: icmp: 
wally.%internalnet% udp port ingreslock unreachable [tos 0xc0] 
11:21:39.838353 wally.%internalnet% > theboss.%internalnet%: icmp: 
wally.%internalnet% udp port ingreslock unreachable [tos 0xc0] 
11:21:51.757517 napoleon.acc.umu.se.www > wally.%internalnet%.2737: R 0:0(0) 
ack 2751895494 win 0
11:22:21.838936 wally.%internalnet% > theboss.%internalnet%: icmp: 
wally.%internalnet% udp port ingreslock unreachable [tos 0xc0] 
11:22:21.838936 wally.%internalnet% > theboss.%internalnet%: icmp: 
wally.%internalnet% udp port ingreslock unreachable [tos 0xc0] 
11:23:03.882008 wally.%internalnet%.2754 > optiserver.%internalnet%.pop3: R 
2821956542:2821956542(0) ack 204155218 win 5840 (DF)
11:23:18.052808 indigo.%internalnet%.445 > dhcp201.%internalnet%.2290: R 0:0(0) 
ack 4161097752 win 0
11:23:18.469712 indigo.%internalnet%.445 > dhcp201.%internalnet%.2290: R 0:0(0) 
ack 1 win 0
11:23:18.970472 indigo.%internalnet%.445 > dhcp201.%internalnet%.2290: R 0:0(0) 
ack 1 win 0
tcpdump: pcap_loop: truncated dump file
root@wally:/var/log/ntop# tcpdump -r ntop-suspicious-pkts.eth0.pcap 
11:21:17.740891 if-2-3.core2.Zurich.Teleglobe.net > optiserver.%internalnet%: 
icmp: time exceeded in-transit
11:21:19.311314 if-2-3.core2.Zurich.Teleglobe.net > optiserver.%internalnet%: 
icmp: time exceeded in-transit
11:21:20.899438 if-2-3.core2.Zurich.Teleglobe.net > optiserver.%internalnet%: 
icmp: time exceeded in-transit
11:21:24.849614 if-2-3.core2.Zurich.Teleglobe.net > optiserver.%internalnet%: 
icmp: time exceeded in-transit
11:21:26.381943 if-2-3.core2.Zurich.Teleglobe.net > optiserver.%internalnet%: 
icmp: time exceeded in-transit
11:21:27.903338 if-2-3.core2.Zurich.Teleglobe.net > optiserver.%internalnet%: 
icmp: time exceeded in-transit
11:21:39.838353 wally.%internalnet% > theboss.%internalnet%: icmp: 
wally.%internalnet% udp port ingreslock unreachable [tos 0xc0] 
11:21:39.838353 wally.%internalnet% > theboss.%internalnet%: icmp: 
wally.%internalnet% udp port ingreslock unreachable [tos 0xc0] 
11:21:51.757517 napoleon.acc.umu.se.www > wally.%internalnet%.2737: R 0:0(0) 
ack 2751895494 win 0
11:22:21.838936 wally.%internalnet% > theboss.%internalnet%: icmp: 
wally.%internalnet% udp port ingreslock unreachable [tos 0xc0] 
11:22:21.838936 wally.%internalnet% > theboss.%internalnet%: icmp: 
wally.%internalnet% udp port ingreslock unreachable [tos 0xc0] 
11:23:03.882008 wally.%internalnet%.2754 > optiserver.%internalnet%.pop3: R 
2821956542:2821956542(0) ack 204155218 win 5840 (DF)
11:23:18.052808 indigo.%internalnet%.445 > dhcp201.%internalnet%.2290: R 0:0(0) 
ack 4161097752 win 0
11:23:18.469712 indigo.%internalnet%.445 > dhcp201.%internalnet%.2290: R 0:0(0) 
ack 1 win 0
11:23:18.970472 indigo.%internalnet%.445 > dhcp201.%internalnet%.2290: R 0:0(0) 
ack 1 win 0
tcpdump: pcap_loop: truncated dump file


root@wally:/var/log/ntop# ls -l
total 68
-rw-rw-rw-    1 root     root         4290 Apr 10 11:23 ntop-suspicious-pkts.eth0.pcap
-rw-rw-rw-    1 ntop     nogroup      3433 Apr 10 11:23 ntop.access.log
drwxr-xr-x    2 root     root         4096 Apr 10 11:21 old
root@wally:/var/log/ntop# ls -l
total 68
-rw-rw-rw-    1 root     root         4290 Apr 10 11:23 ntop-suspicious-pkts.eth0.pcap
-rw-rw-rw-    1 ntop     nogroup      3433 Apr 10 11:23 ntop.access.log
drwxr-xr-x    2 root     root         4096 Apr 10 11:21 old
root@wally:/var/log/ntop# tcpdump -r ntop-suspicious-pkts.eth0.pcap 
11:21:17.740891 if-2-3.core2.Zurich.Teleglobe.net > optiserver.%internalnet%: 
icmp: time exceeded in-transit
11:21:19.311314 if-2-3.core2.Zurich.Teleglobe.net > optiserver.%internalnet%: 
icmp: time exceeded in-transit
11:21:20.899438 if-2-3.core2.Zurich.Teleglobe.net > optiserver.%internalnet%: 
icmp: time exceeded in-transit
11:21:24.849614 if-2-3.core2.Zurich.Teleglobe.net > optiserver.%internalnet%: 
icmp: time exceeded in-transit
11:21:26.381943 if-2-3.core2.Zurich.Teleglobe.net > optiserver.%internalnet%: 
icmp: time exceeded in-transit
11:21:27.903338 if-2-3.core2.Zurich.Teleglobe.net > optiserver.%internalnet%: 
icmp: time exceeded in-transit
11:21:39.838353 wally.%internalnet% > theboss.%internalnet%: icmp: 
wally.%internalnet% udp port ingreslock unreachable [tos 0xc0] 
11:21:39.838353 wally.%internalnet% > theboss.%internalnet%: icmp: 
wally.%internalnet% udp port ingreslock unreachable [tos 0xc0] 
11:21:51.757517 napoleon.acc.umu.se.www > wally.%internalnet%.2737: R 0:0(0) 
ack 2751895494 win 0
11:22:21.838936 wally.%internalnet% > theboss.%internalnet%: icmp: 
wally.%internalnet% udp port ingreslock unreachable [tos 0xc0] 
11:22:21.838936 wally.%internalnet% > theboss.%internalnet%: icmp: 
wally.%internalnet% udp port ingreslock unreachable [tos 0xc0] 
11:23:03.882008 wally.%internalnet%.2754 > optiserver.%internalnet%.pop3: R 
2821956542:2821956542(0) ack 204155218 win 5840 (DF)
11:23:18.052808 indigo.%internalnet%.445 > dhcp201.%internalnet%.2290: R 0:0(0) 
ack 4161097752 win 0
11:23:18.469712 indigo.%internalnet%.445 > dhcp201.%internalnet%.2290: R 0:0(0) 
ack 1 win 0
11:23:18.970472 indigo.%internalnet%.445 > dhcp201.%internalnet%.2290: R 0:0(0) 
ack 1 win 0
tcpdump: pcap_loop: truncated dump file
root@wally:/var/log/ntop# ls -l
total 68
-rw-rw-rw-    1 root     root        31469 Apr 10 11:45 ntop-suspicious-pkts.eth0.pcap
-rw-rw-rw-    1 ntop     nogroup     29092 Apr 10 11:46 ntop.access.log
drwxr-xr-x    2 root     root         4096 Apr 10 11:21 old
root@wally:/var/log/ntop# 
---

Regards,

// Ola


-- 
 -------------- Ola Lundqvist, System Designer -----------------
/  [email protected]        Teknikringen 1E           \
|  [email protected]                    583 30 LINKÖPING           |
|  Kontor: +46 (0)13-21 81 81         Mobil: +46 (0)70-332 1551 |
|  http://www.euronetics.se/          UIN/icq:   62515865       |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------


--- End Message ---
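
To see where a capture like the one in this report stops being readable, the pcap record headers can be walked directly. This is an added example, not part of the original report or of ntop or tcpdump; `scan_pcap`, `make_pcap` and the sample bytes are constructed for illustration and assume the classic pcap file format (not pcapng).

```python
import struct

# Classic pcap magics as seen when the first 4 bytes are read little-endian
# (microsecond and nanosecond variants); value is the struct byte-order prefix.
MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}

def scan_pcap(data: bytes) -> dict:
    """Walk record headers; report how many records are complete and where reading stops."""
    def result(ok, records, offset, reason):
        return {"ok": ok, "records": records, "offset": offset, "reason": reason}
    if len(data) < 24:
        return result(False, 0, 0, "short global header")
    order = MAGICS.get(struct.unpack("<I", data[:4])[0])
    if order is None:
        return result(False, 0, 0, "not a classic pcap file")
    snaplen = struct.unpack(order + "I", data[16:20])[0]
    off, count = 24, 0
    while off < len(data):
        if len(data) - off < 16:
            return result(False, count, off, "partial record header")
        _sec, _frac, incl_len, _orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        if snaplen and incl_len > snaplen:
            return result(False, count, off, "record length exceeds snaplen")
        if off + 16 + incl_len > len(data):
            return result(False, count, off, "partial packet data")
        off += 16 + incl_len
        count += 1
    return result(True, count, off, "clean end of file")

def make_pcap(payloads, snaplen=65535):
    """Build a little-endian Ethernet pcap from constructed payloads (sample data only)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, p in enumerate(payloads):
        # Constructed timestamps; incl_len == orig_len == payload length.
        out += struct.pack("<IIII", 1018430477 + i, 0, len(p), len(p)) + p
    return out

if __name__ == "__main__":
    full = make_pcap([bytes([n]) * 60 for n in range(3)])
    for label, blob in (("complete", full), ("cut mid-packet", full[:-20])):
        print(label, scan_pcap(blob))
```

Running it on copies of a growing file taken at two points in time shows whether the reported offset moves forward or stays fixed, which helps distinguish a writer that has not yet written out its last record from a damaged record header.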
--- Begin Message ---
As noted by Guy in the latest entry (from 2004), this is probably
working as intended.

--- End Message ---
