Thanks for checking, could you tell what distro and version you tested on?
Also when I compile on 32 bit I get a lot of warning of redefines between
ndpi.h and pmacct.h
do you get those also?
On 07/09/2020 11:55 AM, Paolo Lucente wrote:
Hi Steve,
I do have avail of a i686-based VM. I can't say everything is tested on
i686 but i tend to check every now and then that nothing fundamental is
broken. I took the example config you used, compiled master code with
the same config switches as you did (essentially --enable-ndpi) and had
no joy reproducing the issue.
You could send me privately your capture and i may try with that one
(although i am not highly positive it will be a successful test); or you
could arrange me access to your box to read the pcap. Let me know.
Paolo
On 09/07/2020 14:54, Steve Clark wrote:
Hi Paolo,
I have compiled master with nDPI on both 32bit and 64bit CentOS 6
systems. The 64 bit pmacctd seems
to work fine. But I get bogus byte counts when I run the 32bit version
against the same pcap file.
Just wondered if you have done any testing on 32bit intel system with
the above combination.
below is the output when using 32bit pmacctd - first the pmacctd
invocation then the nfacctd output
pmacct/src/pmacctd -f ./mypaolo.conf -I v1.7.5_v9_ndpi_class_paolo.pcap
INFO ( default/core ): Promiscuous Mode Accounting Daemon, pmacctd
1.7.6-git (20200707-01)
INFO ( default/core ): '--enable-ndpi'
'--with-ndpi-static-lib=/usr/local/lib/' '--enable-l2'
'--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins'
'--enable-st-bins'
INFO ( default/core ): Reading configuration file
'/var/lib/pgsql/sclark/mypaolo.conf'.
INFO ( p4p1/nfprobe ): NetFlow probe plugin is originally based on
softflowd 0.9.7 software, Copyright 2002 Damien Miller <d...@mindrot.org>
All rights reserved.
INFO ( p4p1/nfprobe ): TCP timeout: 3600s
INFO ( p4p1/nfprobe ): TCP post-RST timeout: 120s
INFO ( p4p1/nfprobe ): TCP post-FIN timeout: 300s
INFO ( p4p1/nfprobe ): UDP timeout: 300s
INFO ( p4p1/nfprobe ): ICMP timeout: 300s
INFO ( p4p1/nfprobe ): General timeout: 3600s
INFO ( p4p1/nfprobe ): Maximum lifetime: 604800s
INFO ( p4p1/nfprobe ): Expiry interval: 60s
INFO ( default/core ): PCAP capture file, sleeping for 2 seconds
INFO ( p4p1/nfprobe ): Exporting flows to [172.24.109.157]:rrac
WARN ( p4p1/nfprobe ): Shutting down on user request.
INFO ( default/core ): OK, Exiting ...
src/nfacctd -f examples/nfacctd-print.conf.example
INFO ( default/core ): NetFlow Accounting Daemon, nfacctd 1.7.6-git
(20200623-00)
INFO ( default/core ): '--enable-ndpi'
'--with-ndpi-static-lib=/usr/local/lib/' '--enable-l2'
'--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins'
'--enable-st-bins'
INFO ( default/core ): Reading configuration file
'/var/lib/pgsql/sclark/pmacct/examples/nfacctd-print.conf.example'.
INFO ( default/core ): waiting for NetFlow/IPFIX data on :::5678
INFO ( foo/print ): cache entries=16411 base cache memory=56322552 bytes
WARN ( foo/print ): no print_output_file and no print_output_lock_file
defined.
INFO ( foo/print ): *** Purging cache - START (PID: 21926) ***
CLASS SRC_IP
DST_IP SRC_PORT DST_PORT
PROTOCOL PACKETS BYTES
NetFlow 172.24.110.104
172.24.109.247 41900 2055
udp 26 1576253010996
NetFlow 172.24.110.104
172.24.109.247 58131 2055
udp 21 1576253008620
INFO ( foo/print ): *** Purging cache - END (PID: 21926, QN: 2/2, ET: 0) ***
^CINFO ( foo/print ): *** Purging cache - START (PID: 21559) ***
INFO ( foo/print ): *** Purging cache - END (PID: 21559, QN: 0/0, ET: X) ***
INFO ( default/core ): OK, Exiting ...
Now the output when using and the same .pcap file 64bit version of pmacctd
sudo /root/pmacctd-176 -f ./mypaolo.conf -I v1.7.5_v9_ndpi_class_paolo.pcap
INFO ( default/core ): Promiscuous Mode Accounting Daemon, pmacctd
1.7.6-git (20200623-00)
INFO ( default/core ): '--enable-ndpi'
'--with-ndpi-static-lib=/usr/local/lib/' '--enable-l2'
'--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins'
'--enable-st-bins'
INFO ( default/core ): Reading configuration file
'/var/lib/pgsql/sclark/mypaolo.conf'.
INFO ( p4p1/nfprobe ): NetFlow probe plugin is originally based on
softflowd 0.9.7 software, Copyright 2002 Damien Miller <d...@mindrot.org>
All rights reserved.
INFO ( default/core ): PCAP capture file, sleeping for 2 seconds
INFO ( p4p1/nfprobe ): TCP timeout: 3600s
INFO ( p4p1/nfprobe ): TCP post-RST timeout: 120s
INFO ( p4p1/nfprobe ): TCP post-FIN timeout: 300s
INFO ( p4p1/nfprobe ): UDP timeout: 300s
INFO ( p4p1/nfprobe ): ICMP timeout: 300s
INFO ( p4p1/nfprobe ): General timeout: 3600s
INFO ( p4p1/nfprobe ): Maximum lifetime: 604800s
INFO ( p4p1/nfprobe ): Expiry interval: 60s
INFO ( p4p1/nfprobe ): Exporting flows to [172.24.109.157]:rrac
WARN ( p4p1/nfprobe ): Shutting down on user request.
INFO ( default/core ): OK, Exiting ...
src/nfacctd -f examples/nfacctd-print.conf.example
INFO ( default/core ): NetFlow Accounting Daemon, nfacctd 1.7.6-git
(20200623-00)
INFO ( default/core ): '--enable-ndpi'
'--with-ndpi-static-lib=/usr/local/lib/' '--enable-l2'
'--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins'
'--enable-st-bins'
INFO ( default/core ): Reading configuration file
'/var/lib/pgsql/sclark/pmacct/examples/nfacctd-print.conf.example'.
INFO ( default/core ): waiting for NetFlow/IPFIX data on :::5678
INFO ( foo/print ): cache entries=16411 base cache memory=56322552 bytes
WARN ( foo/print ): no print_output_file and no print_output_lock_file
defined.
INFO ( foo/print ): *** Purging cache - END (PID: 17495, QN: 0/0, ET: X) ***
INFO ( foo/print ): *** Purging cache - START (PID: 17707) ***
CLASS SRC_IP
DST_IP SRC_PORT DST_PORT
PROTOCOL PACKETS BYTES
NetFlow 172.24.110.104
172.24.109.247 41900 2055
udp 26 13364
NetFlow 172.24.110.104
172.24.109.247 58131 2055
udp 21 10988
INFO ( foo/print ): *** Purging cache - END (PID: 17707, QN: 2/2, ET: 0) ***
INFO ( foo/print ): *** Purging cache - START (PID: 18127) ***
cat mypaolo.conf
!interface: p4p1
snaplen: 700
aggregate: src_host, dst_host, src_port, dst_port, proto, tos, class
pcap_filter: not net 172.24.106.0/24
plugins: nfprobe[p4p1]
nfprobe_version: 9
nfprobe_receiver: 172.24.109.157:5678
any suggestions - or more test or information I can provide?
Thanks,
Steve
Email Confidentiality Notice: The information contained in this
transmission may contain privileged and confidential and/or protected
health information (PHI) and may be subject to protection under the law,
including the Health Insurance Portability and Accountability Act of
1996, as amended (HIPAA). This transmission is intended for the sole use
of the individual or entity to whom it is addressed. If you are not the
intended recipient, you are notified that any use, dissemination,
distribution, printing or copying of this transmission is strictly
prohibited and may subject you to criminal or civil penalties. If you
have received this transmission in error, please contact the sender
immediately and delete this email and any attachments from any computer.
Vaso Corporation and its subsidiary companies are not responsible for
data leaks that result from email messages received that contain
privileged and confidential and/or protected health information (PHI).
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
Email Confidentiality Notice: The information contained in this transmission
may contain privileged and confidential and/or protected health information
(PHI) and may be subject to protection under the law, including the Health
Insurance Portability and Accountability Act of 1996, as amended (HIPAA). This
transmission is intended for the sole use of the individual or entity to whom
it is addressed. If you are not the intended recipient, you are notified that
any use, dissemination, distribution, printing or copying of this transmission
is strictly prohibited and may subject you to criminal or civil penalties. If
you have received this transmission in error, please contact the sender
immediately and delete this email and any attachments from any computer. Vaso
Corporation and its subsidiary companies are not responsible for data leaks
that result from email messages received that contain privileged and
confidential and/or protected health information (PHI).
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists