Re: [Ntop-misc] Tunnel option applied only for 25% of packets

2015-12-18 Thread gregoire . leroy

Hi Luca,

Thank you for your answer. I have indeed created the issue:
https://github.com/ntop/nProbe/issues/18


Thank you,
Regards,
Grégoire Leroy

On 2015-12-17 16:28, Luca Deri wrote:

Hi Gregoire,
please file a bug on https://github.com/ntop/nProbe [2] and attach a
pcap file for reproducing it

Regards Luca


On 17 Dec 2015, at 15:21, gregoire.le...@retenodus.net wrote:

Hello,

I want to test nprobe stable on CentOS6 (v.7.2.151211) and I have an
issue with nprobe and L2TP tunnelled traffic. Here is the command I
launch:

[root@netflow-linux ~]# nprobe -i eth1 -d 60 -P /tmp/flows -D t -I
sfr -T "%IN_BYTES %IN_PKTS %L4_SRC_PORT %PROTOCOL %IPV4_SRC_ADDR
%L4_DST_PORT %IPV4_DST_ADDR %IPV6_SRC_ADDR %IPV6_DST_MASK
%UPSTREAM_TUNNEL_ID %DOWNSTREAM_TUNNEL_ID" -V 9 --smart-udp-frags -N
0 --tunnel

I'd expect to get records like
"122|1|53|17|IP_IN_TUNNEL|13217|IP_IN_TUNNEL|::|0|54B5|B5AB|
117|2|443|6|IP_IN_TUNNEL|53820|IP_IN_TUNNEL|::|0|6304|BB56|
"
I get some of them, but most of my records are not correctly
decapsulated and I usually get records like this:

52|1|30753|17|L2TP_IP|49752|L2TP_IP|::|0|||
52|1|4560|17|L2TP_IP|34232|L2TP_IP|::|0|||

As you can see, L4_SRC_PORT and L4_DST_PORT are correctly
decapsulated. However, I get neither the tunneled IP address nor the
tunnel information (I obfuscated the IP information, replacing it
with IP_IN_TUNNEL and L2TP_IP). ~75% of flows are affected.

I am pretty sure the problem comes from the decapsulation and that
it's not a false positive: if it were, src port and dest port would
be 1701.

When I try to use it in debug mode I get a segfault (which I don't
get without the --tunnel option):

[root@netflow-linux ~]# nprobe -i eth1 -d 60 -P /tmp/flows -D t -I
sfr -T "%IN_BYTES %IN_PKTS %L4_SRC_PORT %PROTOCOL %IPV4_SRC_ADDR
%L4_DST_PORT %IPV4_DST_ADDR %IPV6_SRC_ADDR %IPV6_DST_MASK
%UPSTREAM_TUNNEL_ID %DOWNSTREAM_TUNNEL_ID %UNTUNNELED_IPV4_SRC_ADDR"
-V 9 --smart-udp-frags -N 0 --debug --tunnel
17/Dec/2015 16:19:38 [nprobe.c:3114] ERROR: Invalid nProbe license (/etc/nprobe.license) [Missing license file]
17/Dec/2015 16:19:38 [nprobe.c:3121] ERROR: *
17/Dec/2015 16:19:38 [nprobe.c:3122] ERROR: ** **
17/Dec/2015 16:19:38 [nprobe.c:3123] ERROR: ** Switching to DEMO MODE (missing valid license) **
17/Dec/2015 16:19:38 [nprobe.c:3124] ERROR: ** **
17/Dec/2015 16:19:38 [nprobe.c:3125] ERROR: ** Create your nProbe license at **
17/Dec/2015 16:19:38 [nprobe.c:3126] ERROR: ** http://www.nmon.net/mklicense/ [1] **
17/Dec/2015 16:19:38 [nprobe.c:3127] ERROR: ** **
17/Dec/2015 16:19:38 [nprobe.c:3128] ERROR: *
17/Dec/2015 16:19:38 [nprobe.c:6508] ERROR: ***
17/Dec/2015 16:19:38 [nprobe.c:6509] ERROR: * NOTE: This is a DEMO version limited to 25000 flows export. *
17/Dec/2015 16:19:38 [nprobe.c:6510] ERROR: ***
17/Dec/2015 16:19:38 [plugin.c:166] No plugins found in ./plugins
17/Dec/2015 16:19:38 [plugin.c:174] Loading 22 plugins [.so] from /usr/local/lib/nprobe/plugins
datagramSourceIP 0.0.0.0
datagramSize 48
unixSecondsUTC 1450365578
datagramVersion 5
agentSubId 0
agent 192.168.1.1
packetSequenceNo 1084445
sysUpTime 2429093100
samplesInPacket 4
startSample --
sampleType_tag 0:2
sampleType COUNTERSSAMPLE
sampleSequenceNo 187645
sourceId 0:1
counterBlock_tag 2176:0
skipping unknown counters_sample_element: 2176:0 len=0
counterBlock_tag 568615:598
skipping unknown counters_sample_element: 568615:598 len=0
endSample --
unexpected end of datagram after sample 1 of 4
datagramSourceIP 0.0.0.0
datagramSize 48
unixSecondsUTC 1450365578
datagramVersion 5
agentSubId 0
agent 192.168.1.1
packetSequenceNo 1084446
sysUpTime 2429093100
samplesInPacket 10
startSample --
sampleType_tag 0:1
sampleType FLOWSAMPLE
sampleSequenceNo 11443
sourceId 0:2
meanSkipCount 50
samplePool 8912896
dropEvents 0
inputPort multiple 181563990
outputPort 0
flowBlock_tag 0:0
skipping unknown flow_sample_element: 0:0 len=-2147483648
Segmentation fault

When I compare with what I get in a pcap, I can see that in my pcap
file I get almost no packets.

Is there a performance issue (it doesn't seem so, CPU stays low)?
Is there a fix somewhere, or did I miss something?

Thank you very much,
Regards,
Grégoire
___
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc




Links:
--
[1] http://www.nmon.net/mklicense/
[2] https://github.com/ntop/nProbe


[Ntop-misc] Tunnel option applied only for 25% of packets

2015-12-17 Thread gregoire . leroy

Hello,

I want to test nprobe stable on CentOS6 (v.7.2.151211) and I have an 
issue with nprobe and L2TP tunnelled traffic. Here is the command I 
launch:


[root@netflow-linux ~]# nprobe -i eth1 -d 60 -P /tmp/flows -D t -I sfr 
-T "%IN_BYTES %IN_PKTS %L4_SRC_PORT %PROTOCOL %IPV4_SRC_ADDR 
%L4_DST_PORT %IPV4_DST_ADDR %IPV6_SRC_ADDR %IPV6_DST_MASK 
%UPSTREAM_TUNNEL_ID %DOWNSTREAM_TUNNEL_ID" -V 9 --smart-udp-frags -N 0 
--tunnel


I'd expect to get records like
"122|1|53|17|IP_IN_TUNNEL|13217|IP_IN_TUNNEL|::|0|54B5|B5AB|
117|2|443|6|IP_IN_TUNNEL|53820|IP_IN_TUNNEL|::|0|6304|BB56|
"
I get some of them, but most of my records are not correctly
decapsulated and I usually get records like this:


52|1|30753|17|L2TP_IP|49752|L2TP_IP|::|0|||
52|1|4560|17|L2TP_IP|34232|L2TP_IP|::|0|||

As you can see, L4_SRC_PORT and L4_DST_PORT are correctly decapsulated.
However, I get neither the tunneled IP address nor the tunnel
information (I obfuscated the IP information, replacing it with
IP_IN_TUNNEL and L2TP_IP). ~75% of flows are affected.


I am pretty sure the problem comes from the decapsulation and that it's
not a false positive: if it were, src port and dest port would be 1701.


When I try to use it in debug mode I get a segfault (which I don't get
without the --tunnel option):


[root@netflow-linux ~]# nprobe -i eth1 -d 60 -P /tmp/flows -D t -I sfr 
-T "%IN_BYTES %IN_PKTS %L4_SRC_PORT %PROTOCOL %IPV4_SRC_ADDR 
%L4_DST_PORT %IPV4_DST_ADDR %IPV6_SRC_ADDR %IPV6_DST_MASK 
%UPSTREAM_TUNNEL_ID %DOWNSTREAM_TUNNEL_ID %UNTUNNELED_IPV4_SRC_ADDR" -V 
9 --smart-udp-frags -N 0 --debug --tunnel
17/Dec/2015 16:19:38 [nprobe.c:3114] ERROR: Invalid nProbe license (/etc/nprobe.license) [Missing license file]
17/Dec/2015 16:19:38 [nprobe.c:3121] ERROR: *
17/Dec/2015 16:19:38 [nprobe.c:3122] ERROR: ** **
17/Dec/2015 16:19:38 [nprobe.c:3123] ERROR: **  Switching to DEMO MODE (missing valid license) **
17/Dec/2015 16:19:38 [nprobe.c:3124] ERROR: ** **
17/Dec/2015 16:19:38 [nprobe.c:3125] ERROR: **  Create your nProbe license at  **
17/Dec/2015 16:19:38 [nprobe.c:3126] ERROR: ** http://www.nmon.net/mklicense/ **
17/Dec/2015 16:19:38 [nprobe.c:3127] ERROR: ** **
17/Dec/2015 16:19:38 [nprobe.c:3128] ERROR: *
17/Dec/2015 16:19:38 [nprobe.c:6508] ERROR: ***
17/Dec/2015 16:19:38 [nprobe.c:6509] ERROR: * NOTE: This is a DEMO version limited to 25000 flows export.  *
17/Dec/2015 16:19:38 [nprobe.c:6510] ERROR: ***

17/Dec/2015 16:19:38 [plugin.c:166] No plugins found in ./plugins
17/Dec/2015 16:19:38 [plugin.c:174] Loading 22 plugins [.so] from /usr/local/lib/nprobe/plugins

datagramSourceIP 0.0.0.0
datagramSize 48
unixSecondsUTC 1450365578
datagramVersion 5
agentSubId 0
agent 192.168.1.1
packetSequenceNo 1084445
sysUpTime 2429093100
samplesInPacket 4
startSample --
sampleType_tag 0:2
sampleType COUNTERSSAMPLE
sampleSequenceNo 187645
sourceId 0:1
counterBlock_tag 2176:0
skipping unknown counters_sample_element: 2176:0 len=0
counterBlock_tag 568615:598
skipping unknown counters_sample_element: 568615:598 len=0
endSample   --
unexpected end of datagram after sample 1 of 4
datagramSourceIP 0.0.0.0
datagramSize 48
unixSecondsUTC 1450365578
datagramVersion 5
agentSubId 0
agent 192.168.1.1
packetSequenceNo 1084446
sysUpTime 2429093100
samplesInPacket 10
startSample --
sampleType_tag 0:1
sampleType FLOWSAMPLE
sampleSequenceNo 11443
sourceId 0:2
meanSkipCount 50
samplePool 8912896
dropEvents 0
inputPort multiple 181563990
outputPort 0
flowBlock_tag 0:0
skipping unknown flow_sample_element: 0:0 len=-2147483648
Segmentation fault

When I compare with what I get in a pcap, I can see that in my pcap file
I get almost no packets.


Is there a performance issue (it doesn't seem so, CPU stays low)? Is
there a fix somewhere, or did I miss something?


Thank you very much,
Regards,
Grégoire
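
A triage helper for the symptom reported in this post, as an added example that is not part of the original message or of nProbe: it sorts '|'-separated records into fully decapsulated, still-outer L2TP (UDP port 1701), and the reported case of inner ports next to outer tunnel addresses. The field order follows the -T template in the post; the `endpoints` set of outer L2TP peer addresses and the sample addresses are assumptions.

```python
from collections import Counter

# Field order copied from the -T template in the post.
FIELDS = ("IN_BYTES IN_PKTS L4_SRC_PORT PROTOCOL IPV4_SRC_ADDR L4_DST_PORT "
          "IPV4_DST_ADDR IPV6_SRC_ADDR IPV6_DST_MASK "
          "UPSTREAM_TUNNEL_ID DOWNSTREAM_TUNNEL_ID").split()
L2TP_PORT = "1701"  # port the post expects on flows that were not decapsulated

def parse_record(line):
    """Map one '|'-separated dump line onto FIELDS; None if it does not fit."""
    values = line.strip().split("|")
    if len(values) == len(FIELDS) + 1 and values[-1] == "":
        values.pop()  # the records in the post end with a trailing '|'
    return dict(zip(FIELDS, values)) if len(values) == len(FIELDS) else None

def classify(rec, endpoints):
    """endpoints: outer L2TP peer addresses (assumed known to the operator)."""
    if rec["UPSTREAM_TUNNEL_ID"] or rec["DOWNSTREAM_TUNNEL_ID"]:
        return "decapsulated"
    ports = (rec["L4_SRC_PORT"], rec["L4_DST_PORT"])
    if rec["PROTOCOL"] == "17" and L2TP_PORT in ports:
        return "outer_l2tp"  # outer UDP header, no decapsulation at all
    if {rec["IPV4_SRC_ADDR"], rec["IPV4_DST_ADDR"]} & endpoints:
        return "partial"  # inner ports with outer addresses: the reported symptom
    return "untunnelled"

def summarize(lines, endpoints):
    """Count records per class; lines that do not match the template are 'malformed'."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        counts[classify(rec, endpoints) if rec else "malformed"] += 1
    return counts

# Constructed sample: RFC 5737 documentation addresses stand in for the
# obfuscated L2TP_IP (192.0.2.x) and IP_IN_TUNNEL (198.51.100.x) values.
SAMPLE = """\
122|1|53|17|198.51.100.10|13217|198.51.100.20|::|0|54B5|B5AB|
52|1|30753|17|192.0.2.1|49752|192.0.2.2|::|0|||
52|1|4560|17|192.0.2.1|34232|192.0.2.2|::|0|||
80|1|1701|17|192.0.2.1|1701|192.0.2.2|::|0|||
60|1|22|6|203.0.113.5|40000|203.0.113.9|::|0|||
truncated|line
""".splitlines()

if __name__ == "__main__":
    for label, n in summarize(SAMPLE, {"192.0.2.1", "192.0.2.2"}).most_common():
        print(f"{label:12} {n:3} {100 * n / len(SAMPLE):5.1f}%")
```

A high "partial" share next to a low "outer_l2tp" share matches what the post describes: the inner transport header was read, but the inner addresses and tunnel IDs were not exported.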

Re: [Ntop-misc] Tunnel option applied only for 25% of packets

2015-12-17 Thread Luca Deri

Hi Gregoire,
please file a bug on https://github.com/ntop/nProbe and attach a pcap file for
reproducing it

Regards Luca

> On 17 Dec 2015, at 15:21, gregoire.le...@retenodus.net wrote:
> 
> Hello,
> 
> I want to test nprobe stable on CentOS6 (v.7.2.151211) and I have an issue 
> with nprobe and L2TP tunnelled traffic. Here is the command I launch:
> 
> [root@netflow-linux ~]# nprobe -i eth1 -d 60 -P /tmp/flows -D t -I sfr -T 
> "%IN_BYTES %IN_PKTS %L4_SRC_PORT %PROTOCOL %IPV4_SRC_ADDR %L4_DST_PORT 
> %IPV4_DST_ADDR %IPV6_SRC_ADDR %IPV6_DST_MASK %UPSTREAM_TUNNEL_ID 
> %DOWNSTREAM_TUNNEL_ID" -V 9 --smart-udp-frags -N 0 --tunnel
> 
> I'd expect to get records like
> "122|1|53|17|IP_IN_TUNNEL|13217|IP_IN_TUNNEL|::|0|54B5|B5AB|
> 117|2|443|6|IP_IN_TUNNEL|53820|IP_IN_TUNNEL|::|0|6304|BB56|
> "
> I get some of them, but most of my records are not correctly decapsulated and 
> I usually get records like this:
> 
> 52|1|30753|17|L2TP_IP|49752|L2TP_IP|::|0|||
> 52|1|4560|17|L2TP_IP|34232|L2TP_IP|::|0|||
> 
> As you can see, L4_SRC_PORT and L4_DST_PORT are correctly decapsulated. 
> However, I get neither the tunneled IP address nor the tunnel information (I 
> obfuscated the IP information, replacing it with IP_IN_TUNNEL and L2TP_IP). 
> ~75% of flows are affected.
> 
> I am pretty sure the problem comes from the decapsulation and that it's not a 
> false positive: if it were, src port and dest port would be 1701.
> 
> When I try to use it in debug mode I get a segfault (which I don't get 
> without the --tunnel option):
> 
> [root@netflow-linux ~]# nprobe -i eth1 -d 60 -P /tmp/flows -D t -I sfr -T 
> "%IN_BYTES %IN_PKTS %L4_SRC_PORT %PROTOCOL %IPV4_SRC_ADDR %L4_DST_PORT 
> %IPV4_DST_ADDR %IPV6_SRC_ADDR %IPV6_DST_MASK %UPSTREAM_TUNNEL_ID 
> %DOWNSTREAM_TUNNEL_ID %UNTUNNELED_IPV4_SRC_ADDR" -V 9 --smart-udp-frags -N 0 
> --debug --tunnel
> 17/Dec/2015 16:19:38 [nprobe.c:3114] ERROR: Invalid nProbe license (/etc/nprobe.license) [Missing license file]
> 17/Dec/2015 16:19:38 [nprobe.c:3121] ERROR: *
> 17/Dec/2015 16:19:38 [nprobe.c:3122] ERROR: ** **
> 17/Dec/2015 16:19:38 [nprobe.c:3123] ERROR: **  Switching to DEMO MODE (missing valid license) **
> 17/Dec/2015 16:19:38 [nprobe.c:3124] ERROR: ** **
> 17/Dec/2015 16:19:38 [nprobe.c:3125] ERROR: **  Create your nProbe license at **
> 17/Dec/2015 16:19:38 [nprobe.c:3126] ERROR: ** http://www.nmon.net/mklicense/ **
> 17/Dec/2015 16:19:38 [nprobe.c:3127] ERROR: ** **
> 17/Dec/2015 16:19:38 [nprobe.c:3128] ERROR: *
> 17/Dec/2015 16:19:38 [nprobe.c:6508] ERROR: ***
> 17/Dec/2015 16:19:38 [nprobe.c:6509] ERROR: * NOTE: This is a DEMO version limited to 25000 flows export.  *
> 17/Dec/2015 16:19:38 [nprobe.c:6510] ERROR: ***
> 17/Dec/2015 16:19:38 [plugin.c:166] No plugins found in ./plugins
> 17/Dec/2015 16:19:38 [plugin.c:174] Loading 22 plugins [.so] from /usr/local/lib/nprobe/plugins
> datagramSourceIP 0.0.0.0
> datagramSize 48
> unixSecondsUTC 1450365578
> datagramVersion 5
> agentSubId 0
> agent 192.168.1.1
> packetSequenceNo 1084445
> sysUpTime 2429093100
> samplesInPacket 4
> startSample --
> sampleType_tag 0:2
> sampleType COUNTERSSAMPLE
> sampleSequenceNo 187645
> sourceId 0:1
> counterBlock_tag 2176:0
> skipping unknown counters_sample_element: 2176:0 len=0
> counterBlock_tag 568615:598
> skipping unknown counters_sample_element: 568615:598 len=0
> endSample   --
> unexpected end of datagram after sample 1 of 4
> datagramSourceIP 0.0.0.0
> datagramSize 48
> unixSecondsUTC 1450365578
> datagramVersion 5
> agentSubId 0
> agent 192.168.1.1
> packetSequenceNo 1084446
> sysUpTime 2429093100
> samplesInPacket 10
> startSample --
> sampleType_tag 0:1
> sampleType FLOWSAMPLE
> sampleSequenceNo 11443
> sourceId 0:2
> meanSkipCount 50
> samplePool 8912896
> dropEvents 0
> inputPort multiple 181563990
> outputPort 0
> flowBlock_tag 0:0
> skipping unknown flow_sample_element: 0:0 len=-2147483648
> Segmentation fault
> 
> When I compare with what I get in a pcap, I can see that in my pcap file I 
> get almost no packets.
> 
> Is there a performance issue (it doesn't seem so, CPU stays low)? Is there a 
> fix somewhere, or did I miss something?
> 
> Thank you very much,
> Regards,
> Grégoire