Send Ntop-misc mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Ntop-misc digest..."
Today's Topics:
1. Re: Problem of netflow v9 export with nprobe 6.0 (Ben WIlliams) (Li Hui)
2. Re: Problem with e1000e pf_ring transparent_mode=2 (Chris Wakelin)
3. Broadcom Netxtreme PF_RING module (Chris Wakelin)
4. Re: Problem of netflow v9 export with nprobe 6.0 (Luca Deri) (Ben WIlliams)
----------------------------------------------------------------------
Message: 1
Date: Mon, 1 Nov 2010 20:54:15 +0800
From: "Li Hui" <[email protected]>
To: <[email protected]>
Subject: Re: [Ntop-misc] Problem of netflow v9 export with nprobe 6.0 (Ben WIlliams)
Message-ID: <1afc61bad08a4a92859180db61ab1...@lenovo06980cdb>
Content-Type: text/plain; format=flowed; charset="iso-8859-1";
reply-type=original
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Version Number         |             Count             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           sysUpTime                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           UNIX Secs                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           Source ID                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
This Count field in the NetFlow packet header.
--------------------------------------------------
From: <[email protected]>
Sent: Monday, November 01, 2010 7:00 PM
To: <[email protected]>
Subject: Ntop-misc Digest, Vol 77, Issue 1
Today's Topics:
1. Re: Problem of netflow v9 export with nprobe 6.0 (Luca Deri) (Li Hui)
2. Re: Problem of netflow v9 export with nprobe 6.0 (Ben WIlliams)
----------------------------------------------------------------------
Message: 1
Date: Sun, 31 Oct 2010 22:13:40 +0800
From: "Li Hui" <[email protected]>
To: <[email protected]>
Subject: Re: [Ntop-misc] Problem of netflow v9 export with nprobe 6.0 (Luca Deri)
Message-ID: <ea797992f0cb4f5eb66f143c8aa8d...@lenovo06980cdb>
Content-Type: text/plain; format=flowed; charset="ISO-8859-1";
reply-type=original
Hi Luca,
I use the following command to export netflow v9:
# /usr/local/nprobe6/bin/nprobe -n '127.0.0.1:2055' -i 'eth0' -P /var/data/flows -V 9 \
  -T "%PROTOCOL %SRC_TOS %TCP_FLAGS %L4_SRC_PORT %L4_DST_PORT %IPV4_SRC_ADDR %IPV4_DST_ADDR \
%SRC_AS %DST_AS %IN_BYTES %IN_PKTS %SRC_VLAN %DST_VLAN %LAST_SWITCHED %FIRST_SWITCHED \
%INPUT_SNMP %OUTPUT_SNMP %CLIENT_NW_DELAY_SEC %CLIENT_NW_DELAY_USEC %SERVER_NW_DELAY_SEC \
%SERVER_NW_DELAY_USEC %RETRANSMITTED_IN_PKTS"
Now I use tcpdump to capture the exported netflow packets.
# tcpdump -i lo -X
The result is as follows:
09:58:01.493930 IP localhost.46876 > localhost.iop: UDP, length 992
        0x0000:  4500 03fc 0000 4000 4011 38ef 7f00 0001  E.....@.@.8.....
        0x0010:  7f00 0001 b71c 0807 03e8 01fc 0009 0201  ................
        0x0020:  0000 8ec2 4ccd 75e9 0000 0000 0000 0000  ....L.u.........
        0x0030:  0000 00bc 0101 0016 0004 0001 0005 0001  ................
        0x0040:  0006 0001 0007 0002 000b 0002 0008 0004  ................
        0x0050:  000c                                     ..
        ..
09:58:01.496524 IP localhost.46876 > localhost.iop: UDP, length 964
        0x0000:  4500 03e0 0000 4000 4011 390b 7f00 0001  E.....@.@.9.....
        0x0010:  7f00 0001 b71c 0807 03cc 01e0 0009 0201  ................
        0x0020:  0000 8ec2 4ccd 75e9 0000 0001 0000 0000  ....L.u.........
        0x0030:  0101 03b0 1100 0000 35e0 32a0 2400 420a  ........5.2.$.B.
        0x0040:  0002 0f00 0000 0000 0000 0000 0000 9a00  ................
        0x0050:  0000                                     ..
I found that the count field in the netflow header is always 0x0201.
My platform is CentOS 5.5.
My nProbe copy and the demo copy on the website both have this problem.
Thanks for any help.
Hui
------------------------------
Message: 2
Date: Mon, 1 Nov 2010 09:47:57 +1300
From: Ben WIlliams <[email protected]>
To: [email protected]
Subject: Re: [Ntop-misc] Problem of netflow v9 export with nprobe 6.0
Message-ID: <[email protected]>
Content-Type: text/plain; charset=ISO-8859-1
Which count field do you mean?
2010/10/30 Li Hui <[email protected]>:
Hi,
When I try to export netflow v9 flows using nprobe 6.0, I found the count field in the netflow packet header is always 513 when decoded.
Then I use Wireshark to decode the packet; it says the count field is 513 too.
Did anyone meet this problem? Is it a bug of the new version?
Thanks.
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
------------------------------
End of Ntop-misc Digest, Vol 77, Issue 1
****************************************
------------------------------
Message: 2
Date: Mon, 01 Nov 2010 16:56:34 +0000
From: Chris Wakelin <[email protected]>
To: [email protected]
Subject: Re: [Ntop-misc] Problem with e1000e pf_ring transparent_mode=2
Message-ID: <[email protected]>
Content-Type: text/plain; charset=ISO-8859-1
It works OK for me in Suricata; I haven't tried snort yet.
What do you get from "ethtool -i" (or "modinfo e1000e")? I get
driver: e1000e
version: 1.0.15-NAPI
firmware-version: 5.6-2
bus-info: 0000:0a:00.1
Did you unload and reload the module? I found that transparent_mode=2
didn't work for me until I did!
Best Wishes,
Chris
On Thu Oct 21 22:25:43 CEST 2010 Jose Pablo Ferrero wrote
Hello,
I'm trying to set up a system using pf_ring in transparent_mode=2 and snort 2.9. The network device I'm using for sniffing is an
Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet Controller
using the e1000e driver.
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, [email protected]
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094
------------------------------
Message: 3
Date: Mon, 01 Nov 2010 17:11:01 +0000
From: Chris Wakelin <[email protected]>
To: [email protected]
Subject: [Ntop-misc] Broadcom Netxtreme PF_RING module
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"
Hi,
I've noticed that the Broadcom Netxtreme driver seems to depend on two
header files from the iSCSI drivers:
-rw-r--r-- root/root  7004 2009-12-03 03:51 linux-source-2.6.32/drivers/scsi/bnx2i/57xx_iscsi_constants.h
-rw-r--r-- root/root 36895 2009-12-03 03:51 linux-source-2.6.32/drivers/scsi/bnx2i/57xx_iscsi_hsi.h
I've now managed to build it using the dkms method suggested in the
Suricata docs (which involves hacking the include paths), but I imagine
it's much the same using the standard way. I've attached a patch that I
think will put the two header files in the right place.
Best Wishes,
Chris
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, [email protected]
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bnx2-57xx.patch.gz
Type: application/gzip
Size: 5897 bytes
Desc: not available
URL: <http://listgateway.unipi.it/pipermail/ntop-misc/attachments/20101101/350ddb51/attachment-0001.bin>
------------------------------
Message: 4
Date: Tue, 2 Nov 2010 09:38:22 +1300
From: Ben WIlliams <[email protected]>
To: [email protected]
Subject: Re: [Ntop-misc] Problem of netflow v9 export with nprobe 6.0 (Luca Deri)
Message-ID: <[email protected]>
Content-Type: text/plain; charset=ISO-8859-1
The flows generated on my nprobe6 have Count either 0x0201 or 0x0202.
One packet was only length 172 but has count 0x0201.
09:12:09.080960 IP 143.96.131.228.38284 > 143.96.143.105.iop: UDP, length 172
        0x0000:  4500 00c8 0000 4000 3d11 0b17 8f60 83e4  E.....@.=....`..
        0x0010:  8f60 8f69 958c 0807 00b4 a4ed 0009 0201  .`.i............
        0x0020:  3c26 a694 4ccf 1f26 0002 2522 0300 0000  <&..L..&..%"....
        0x0030:  0101 0098 8f60 818e 8f60 1da4 0000 0000  .....`...`......
        0x0040:  0000 0000 0000 0001 0000 0034 3c25 76b3  ...........4<%v.
        0x0050:  3c25                                     <%
--
Ben
On Mon, Nov 1, 2010 at 3:13 AM, Li Hui <[email protected]> wrote:
Hi Luca,
I use the following command to export netflow v9:
# /usr/local/nprobe6/bin/nprobe -n '127.0.0.1:2055' -i 'eth0' -P /var/data/flows -V 9 \
  -T "%PROTOCOL %SRC_TOS %TCP_FLAGS %L4_SRC_PORT %L4_DST_PORT %IPV4_SRC_ADDR %IPV4_DST_ADDR \
%SRC_AS %DST_AS %IN_BYTES %IN_PKTS %SRC_VLAN %DST_VLAN %LAST_SWITCHED %FIRST_SWITCHED \
%INPUT_SNMP %OUTPUT_SNMP %CLIENT_NW_DELAY_SEC %CLIENT_NW_DELAY_USEC %SERVER_NW_DELAY_SEC \
%SERVER_NW_DELAY_USEC %RETRANSMITTED_IN_PKTS"
Now I use tcpdump to capture the exported netflow packets.
# tcpdump -i lo -X
The result is as follows:
09:58:01.493930 IP localhost.46876 > localhost.iop: UDP, length 992
        0x0000:  4500 03fc 0000 4000 4011 38ef 7f00 0001  E.....@.@.8.....
        0x0010:  7f00 0001 b71c 0807 03e8 01fc 0009 0201  ................
        0x0020:  0000 8ec2 4ccd 75e9 0000 0000 0000 0000  ....L.u.........
        0x0030:  0000 00bc 0101 0016 0004 0001 0005 0001  ................
        0x0040:  0006 0001 0007 0002 000b 0002 0008 0004  ................
        0x0050:  000c                                     ..
        ..
09:58:01.496524 IP localhost.46876 > localhost.iop: UDP, length 964
        0x0000:  4500 03e0 0000 4000 4011 390b 7f00 0001  E.....@.@.9.....
        0x0010:  7f00 0001 b71c 0807 03cc 01e0 0009 0201  ................
        0x0020:  0000 8ec2 4ccd 75e9 0000 0001 0000 0000  ....L.u.........
        0x0030:  0101 03b0 1100 0000 35e0 32a0 2400 420a  ........5.2.$.B.
        0x0040:  0002 0f00 0000 0000 0000 0000 0000 9a00  ................
        0x0050:  0000                                     ..
I found that the count field in the netflow header is always 0x0201.
My platform is CentOS 5.5.
My nProbe copy and the demo copy on the website both have this problem.
Thanks for any help.
Hui
------------------------------
End of Ntop-misc Digest, Vol 77, Issue 2
****************************************
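Added example for the Count question running through this thread (messages 1 and 4). It is not nProbe's code and was not posted to the list. RFC 3954 defines Count in the v9 packet header as the total number of records in the export packet (template, options-template and data records together), so the natural check is to decode the header the way Li Hui's diagram lays it out, then walk the FlowSets that follow, count the records actually present and compare. The two header constants are the first 20 bytes of UDP payload copied from Li Hui's and Ben's tcpdump output above (payload begins after the 20-byte IP and 8-byte UDP headers); the complete packet used to exercise the FlowSet walk is constructed here, with a three-field template whose field types (4, 7, 8) are the standard PROTOCOL, L4_SRC_PORT and IPV4_SRC_ADDR numbers also visible in Li Hui's template dump.

```python
"""NetFlow v9 export-packet sanity check (added example, not nProbe code).

Decodes the 20-byte RFC 3954 packet header and, for a complete packet, walks
the FlowSets to count the records actually carried, which is what the header's
Count field is defined to equal.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Version, Count, sysUpTime, UNIX Secs, Sequence Number, Source ID (all big-endian)
HDR = struct.Struct("!HHIIII")


@dataclass
class V9Header:
    version: int
    count: int
    sys_uptime_ms: int
    unix_secs: int
    sequence: int
    source_id: int


def parse_header(payload: bytes) -> V9Header:
    """Decode the fixed header; payload is the UDP payload of one export packet."""
    if len(payload) < HDR.size:
        raise ValueError("payload shorter than the 20-byte v9 header")
    hdr = V9Header(*HDR.unpack_from(payload, 0))
    if hdr.version != 9:
        raise ValueError(f"version {hdr.version}, not NetFlow v9")
    return hdr


def count_records(payload: bytes, templates: dict | None = None):
    """Walk every FlowSet; return (header, records_found, templates, undecodable_ids).

    templates maps template ID -> data record length in bytes. Templates carried
    in this packet are added; pass ones learned from earlier packets for Data
    FlowSets whose template was exported separately.
    """
    hdr = parse_header(payload)
    templates = dict(templates or {})
    found, undecodable, off = 0, [], HDR.size
    while off + 4 <= len(payload):
        fs_id, fs_len = struct.unpack_from("!HH", payload, off)
        if fs_len < 4 or off + fs_len > len(payload):
            raise ValueError(f"bad FlowSet length {fs_len} at offset {off}")
        body = payload[off + 4:off + fs_len]
        if fs_id == 0:                                   # Template FlowSet, one or more templates
            p = 0
            while p + 4 <= len(body):                    # fewer than 4 trailing bytes is padding
                tid, nfields = struct.unpack_from("!HH", body, p)
                spec = struct.unpack_from("!" + "HH" * nfields, body, p + 4)
                templates[tid] = sum(spec[1::2])         # record length = sum of field lengths
                p += 4 + 4 * nfields
                found += 1
        elif fs_id == 1:                                 # Options Template FlowSet
            p = 0
            while p + 6 <= len(body):
                tid, scope_len, opt_len = struct.unpack_from("!HHH", body, p)
                spec = struct.unpack_from("!" + "HH" * ((scope_len + opt_len) // 4), body, p + 6)
                templates[tid] = sum(spec[1::2])
                p += 6 + scope_len + opt_len
                found += 1
        elif fs_id >= 256:                               # Data FlowSet; needs its template
            rec_len = templates.get(fs_id)
            if rec_len:
                found += len(body) // rec_len            # remainder (< rec_len) is padding
            else:
                undecodable.append(fs_id)
        off += fs_len
    return hdr, found, templates, undecodable


def check_count(payload: bytes, templates: dict | None = None) -> tuple[int, int, bool]:
    """(header Count, records found, consistent?); False if any Data FlowSet was undecodable."""
    hdr, found, _, undecodable = count_records(payload, templates)
    return hdr.count, found, not undecodable and hdr.count == found


# First 20 bytes of UDP payload, copied from the dumps in this thread.
LI_HUI_PKT1 = bytes.fromhex("0009 0201 0000 8ec2 4ccd 75e9 0000 0000 0000 0000")
BEN_PKT = bytes.fromhex("0009 0201 3c26 a694 4ccf 1f26 0002 2522 0300 0000")


def build_packet(count: int) -> bytes:
    """Constructed packet (not from the thread): template 257 = PROTOCOL(4,1)
    L4_SRC_PORT(7,2) IPV4_SRC_ADDR(8,4), so 7-byte records, plus two data records."""
    template = struct.pack("!HHHHHHHH", 257, 3, 4, 1, 7, 2, 8, 4)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(template)) + template
    recs = (struct.pack("!BH4s", 6, 443, bytes([10, 0, 0, 1]))
            + struct.pack("!BH4s", 17, 53, bytes([10, 0, 0, 2])))
    pad = b"\x00" * (-len(recs) % 4)                     # Data FlowSet padded to a 32-bit boundary
    data_fs = struct.pack("!HH", 257, 4 + len(recs) + len(pad)) + recs + pad
    return HDR.pack(9, count, 1000, 1288533481, 0, 0) + tmpl_fs + data_fs


if __name__ == "__main__":
    for name, raw in (("Li Hui", LI_HUI_PKT1), ("Ben", BEN_PKT)):
        h = parse_header(raw)
        print(f"{name}: count={h.count} (0x{h.count:04x}) uptime={h.sys_uptime_ms}ms "
              f"unix={h.unix_secs} seq={h.sequence} source_id=0x{h.source_id:08x}")
    print("constructed, Count=3    :", check_count(build_packet(3)))
    print("constructed, Count=0x201:", check_count(build_packet(0x0201)))
```

Run as a script it prints the decoded headers (Count 513 in both captures, with Li Hui's sequence number 0 and Ben's 140578). A collector that walks FlowSets by their own Length fields never needs Count, which is why a wrong value can go unnoticed until someone looks at it in Wireshark. Li Hui's second packet is a useful cross-check by hand: its UDP length of 964 is exactly the 20-byte header plus one Data FlowSet whose Length field is 0x03b0 = 944, so whatever the 0x0201 in nProbe 6.0's output is counting, it is not the number of records in that packet.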