One thing you need to check is whether there were any changes in the
snapshots:

-rw-rw-r--    1 bstrauss bstrauss  2487467 May  8 17:06 /home/ntop/source/ntop-02-05-09.tgz
-rw-rw-r--    1 bstrauss bstrauss  2495499 May  9 17:06 /home/ntop/source/ntop-02-05-10.tgz
-rw-rw-r--    1 bstrauss bstrauss  2495500 May 10 17:05 /home/ntop/source/ntop-02-05-11.tgz
-rw-rw-r--    1 bstrauss bstrauss  2495500 May 11 17:09 /home/ntop/source/ntop-02-05-12.tgz
-rw-rw-r--    1 bstrauss bstrauss  2495500 May 12 17:05 /home/ntop/source/ntop-02-05-13.tgz

Basically 11/12/13 are the same.


The final message gives a likely suspect (48768 is an odd number, given
deviceId 1 just extended to 16K...), and in fact the message is generated by
checkSessionIdx():

May 13 09:47:19 tc3net ntop[23690]: Index error idx=48768/deviceId=1:0-16383 @ [netflowPlugin.c:185]

Which is this (185 is the srcHost = line):

            dstHostIdx = getHostInfo(&b, NULL, 0, 1, myGlobals.netFlowDeviceId);
            dstHost = myGlobals.device[actualDeviceId].hash_hostTraffic[checkSessionIdx(dstHostIdx)];
            /* traceEvent(TRACE_INFO, "dstHostIdx: %d", dstHostIdx); */
            srcHostIdx = getHostInfo(&a, NULL, 0, 1, myGlobals.netFlowDeviceId);
            srcHost = myGlobals.device[actualDeviceId].hash_hostTraffic[checkSessionIdx(srcHostIdx)];
            /* traceEvent(TRACE_INFO, "srcHostIdx: %d", srcHostIdx); */

            if((srcHost == NULL) || (dstHost == NULL)) continue;

getHostInfo() is in hash.c (around 484)...

a & b are set from the incoming record (which may be corrupted?? Incorrect??
Wrong Version?? Perhaps we need some error checking here...)

I would suggest putting some debugging type messages using traceEvent() in the
netflow receive routine to print out what you are getting in...  And
probably add some testing of the received message (right version, proper
length, etc.)...

You can always diff the two versions or use the cvs:

[bstrauss@tigger plugins]$ cvs log netflowPlugin.c  | head -n 20

RCS file: /export/home/ntop/ntop/plugins/netflowPlugin.c,v
Working file: netflowPlugin.c
head: 2.13
branch:
locks: strict
access list:
symbolic names:
keyword substitution: kv
total revisions: 13;    selected revisions: 13
description:
----------------------------
revision 2.13
date: 2002/05/09 09:23:12;  author: deri;  state: Exp;  lines: +1 -3
Added patch courtesy of
            Axel Thimm <[EMAIL PROTECTED]>

Added ability to run ntop as a service under Win32 (NT/2K/XP)
----------------------------

To figure out what's changed...

[bstrauss@tigger plugins]$ cvs diff -U2 -r2.12 -r2.13 netflowPlugin.c
Index: netflowPlugin.c
===================================================================
RCS file: /export/home/ntop/ntop/plugins/netflowPlugin.c,v
retrieving revision 2.12
retrieving revision 2.13
diff -U2 -r2.12 -r2.13
--- netflowPlugin.c     2002/04/26 08:15:43     2.12
+++ netflowPlugin.c     2002/05/09 09:23:12     2.13
@@ -73,6 +73,4 @@
     char value[32];
     int sockopt = 1;
-    struct hostent *hostAddr;
-    struct sockaddr_in dest;

     myGlobals.netFlowOutSocket = socket(AF_INET, SOCK_DGRAM, 0);
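Review bot: Dropping `struct hostent *hostAddr;` and `struct sockaddr_in dest;` is only safe if nothing later in this function still refers to them, including code under conditional compilation that a Linux build never compiles (the next hunk's context shows an `#endif` in this file). The log message for 2.13 describes Win32 service support, not a cleanup, so it is worth building every platform variant with warnings on before relying on this removal. The visible context also shows no check of the value `socket(AF_INET, SOCK_DGRAM, 0)` returns for `netFlowOutSocket`; if none follows, add one.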
@@ -108,5 +106,5 @@
 #endif

-  if(!(myGlobals.netFlowInSocket > 0)) return;
+  if(!(myGlobals.netFlowInSocket > 0)) return(NULL);

   traceEvent(TRACE_INFO, "Welcome to NetFlow: listening on UDP port %d...",
myGlobals.netFlowInPort);
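Review bot: The early exit at `if(!(myGlobals.netFlowInSocket > 0)) return(NULL);` is silent and treats descriptor 0 as a failure, while `socket()` reports failure with -1. Test for `< 0` instead and emit a `traceEvent()` before returning, so that a collector which never started listening shows up in the log rather than looking like a quiet run. Moving from `return;` to `return(NULL);` implies the function returns a pointer; check that its declaration and its caller agree with that.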

although I can't see what that would have hurt...

Or it could be a change in hash.c's routine too (offhand that looks more
likely)...



[bstrauss@tigger cvs]$ cvs log hash.c | head -n 40

RCS file: /export/home/ntop/ntop/hash.c,v
Working file: hash.c
head: 2.67
branch:
locks: strict
access list:
symbolic names:
        rel-2-0: 1.105
        REL_1-3-2: 1.1.1.1
        NTOP: 1.1.1
keyword substitution: kv
total revisions: 174;   selected revisions: 174
description:
----------------------------
revision 2.67
date: 2002/05/13 13:39:34;  author: deri;  state: Exp;  lines: +2 -2
Fix for endianess detection
----------------------------
revision 2.66
date: 2002/05/13 13:22:03;  author: deri;  state: Exp;  lines: +80 -69
1. Removed serialCache.db
2. Added a fix courtesy of
        Christian Vogel <[EMAIL PROTECTED]>
   that removes some warnings when ntop is started with -n
3. Fixed a memory leak
----------------------------
revision 2.65
date: 2002/05/09 09:23:04;  author: deri;  state: Exp;  lines: +0 -2
Added patch courtesy of
            Axel Thimm <[EMAIL PROTECTED]>

Added ability to run ntop as a service under Win32 (NT/2K/XP)




-----Burton
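
The checks suggested in the reply above (right version, proper length, and an index that stays inside the table), as an added example that is not part of the original message or of ntop's code. It assumes the NetFlow v5 layout (24-byte header, 48-byte records, at most 30 records per datagram); `nf5_validate` and `table_lookup` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NF5_HEADER_LEN  24u  /* NetFlow v5 header size in bytes (assumed format) */
#define NF5_RECORD_LEN  48u  /* NetFlow v5 flow record size in bytes */
#define NF5_MAX_RECORDS 30u  /* most records a single v5 datagram carries */

enum nf_check { NF_OK, NF_TOO_SHORT, NF_BAD_VERSION, NF_BAD_COUNT, NF_BAD_LENGTH };

/* Read a big-endian 16-bit field without relying on alignment or host byte order. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hypothetical helper: reject a datagram before any flow record is parsed. */
enum nf_check nf5_validate(const uint8_t *buf, size_t len) {
  uint16_t version, count;
  if (buf == NULL || len < NF5_HEADER_LEN) return NF_TOO_SHORT;
  version = be16(buf);      /* bytes 0-1: export format version */
  count   = be16(buf + 2);  /* bytes 2-3: number of records that follow */
  if (version != 5) return NF_BAD_VERSION;
  if (count == 0 || count > NF5_MAX_RECORDS) return NF_BAD_COUNT;
  /* The header's record count must be backed by bytes actually received. */
  if (len < NF5_HEADER_LEN + (size_t)count * NF5_RECORD_LEN) return NF_BAD_LENGTH;
  return NF_OK;
}

/* Hypothetical helper: return NULL instead of reading past the table. */
void *table_lookup(void **table, size_t table_size, size_t idx) {
  if (table == NULL || idx >= table_size) return NULL;
  return table[idx];
}

int main(void) {
  /* Constructed sample: v5 header claiming 2 records, but only 1 record present. */
  uint8_t pkt[NF5_HEADER_LEN + NF5_RECORD_LEN] = {0};
  static void *hosts[16384];  /* same size as the 0-16383 range in the log */
  pkt[1] = 5; pkt[3] = 2;
  printf("truncated datagram -> %d\n", nf5_validate(pkt, sizeof pkt));
  printf("idx 48768 -> %p\n", table_lookup(hosts, 16384, 48768));
  return 0;
}
```

A caller would log the returned code and skip the datagram, and treat a NULL lookup the same way the quoted code treats a NULL srcHost or dstHost.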


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Michael Baird
Sent: Monday, May 13, 2002 9:49 AM
To: [EMAIL PROTECTED]
Subject: [Ntop] Snapshot 13-5-2002 Problems


Something has happened in the last few snapshots, I'm using the
netflowplugin, the 9-5-2002 seemed to work ok, 10,11,12, and now 13 are
crashing out quickly, here's my syslog results of a complete run. Looked
like it died trying to extend the hash beyond 16384.

Regards
MIKE


May 13 09:01:16 tc3net ntop[23684]: Initializing network devices...
May 13 09:01:16 tc3net ntop[23684]: ntop v.2.0.99 MT [i686-pc-linux-gnu] (05/13/02 08:57:31 AM build)
May 13 09:01:16 tc3net ntop[23684]: Listening on [eth0]
May 13 09:01:16 tc3net ntop[23684]: Copyright 1998-2002 by Luca Deri <[EMAIL PROTECTED]>
May 13 09:01:16 tc3net ntop[23684]: Get the freshest ntop from http://www.ntop.org/
May 13 09:01:16 tc3net ntop[23684]: Initializing...
May 13 09:01:16 tc3net ntop[23684]: Loading plugins (if any)...
May 13 09:01:16 tc3net ntop[23684]: Searching plugins in /usr/local/lib/ntop/plugins
May 13 09:01:16 tc3net ntop[23684]: Welcome to NetFlow. (C) 2002 by Luca Deri.
May 13 09:01:16 tc3net ntop[23684]: Welcome to LastSeenWatchPlugin. (C) 1999 by Andrea Marangoni.
May 13 09:01:16 tc3net ntop[23684]: Welcome to nfsWatchPlugin. (C) 1999 by Luca Deri.
May 13 09:01:16 tc3net ntop[23684]: Welcome to sFlowPlugin. (C) 2002 by Luca Deri.
May 13 09:01:16 tc3net ntop[23684]: Welcome to PDAPlugin. (C) 2001-2002 by L.Deri and W.Brock
May 13 09:01:16 tc3net ntop[23684]: Welcome to icmpWatchPlugin. (C) 1999 by Luca Deri.
May 13 09:01:16 tc3net ntop[23684]: Resetting traffic statistics...
May 13 09:01:16 tc3net ntop[23684]: Started thread (1026) for network packet analyser.
May 13 09:01:16 tc3net ntop[23684]: Started thread (2051) for idle hosts detection.
May 13 09:01:16 tc3net ntop[23684]: Started thread (3076) for DNS address resolution.
May 13 09:01:16 tc3net ntop[23684]: Started thread (4101) for address purge.
May 13 09:01:16 tc3net ntop[23684]: Initializing plugins (if any)...
May 13 09:01:16 tc3net ntop[23684]: NetFlow collector listening on port 2055.
May 13 09:01:16 tc3net ntop[23684]: NetFlow export disabled
May 13 09:01:16 tc3net ntop[23690]: netflowMainLoop()
May 13 09:01:16 tc3net ntop[23690]: Welcome to NetFlow: listening on UDP port 2055...
May 13 09:01:16 tc3net ntop[23690]: Started thread (5126) for netFlow.
May 13 09:01:16 tc3net ntop[23684]: Waiting for HTTP connections on port 3000...
May 13 09:01:16 tc3net ntop[23684]: Started thread (6151) for web server.
May 13 09:01:16 tc3net ntop[23684]: Sniffying...
May 13 09:01:16 tc3net ntop[23684]: Started thread (7176) for network packet sniffing on eth0.
May 13 09:01:19 tc3net ntop[23690]: Extending hash size [newSize=512][deviceId=1]
May 13 09:01:33 tc3net ntop[23690]: Extending hash size [newSize=1024][deviceId=1]
May 13 09:01:44 tc3net ntop[23690]: Extending hash size [newSize=2048][deviceId=1]
May 13 09:01:51 tc3net ntop[23691]: Resetting traffic statistics...
May 13 09:01:51 tc3net ntop[23690]: Extending hash size [newSize=512][deviceId=1]
May 13 09:01:57 tc3net ntop[23690]: Extending hash size [newSize=1024][deviceId=1]
May 13 09:02:08 tc3net ntop[23690]: Extending hash size [newSize=2048][deviceId=1]
May 13 09:02:47 tc3net ntop[23690]: Extending hash size [newSize=4096][deviceId=1]
May 13 09:03:15 tc3net ntop[23692]: Extending hash size [newSize=512][deviceId=0]
May 13 09:04:49 tc3net ntop[23690]: Extending hash size [newSize=8192][deviceId=1]
May 13 09:11:28 tc3net ntop[23690]: Extending hash size [newSize=16384][deviceId=1]
May 13 09:47:19 tc3net ntop[23690]: Index error idx=48768/deviceId=1:0-16383 @ [netflowPlugin.c:185]


_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
