Hi Paolo,

Could you send me the output of ldd pmacctd so I can see the versions of the libraries being used? Also the output of pmacctd -V
Thanks,
Steve

On 07/09/2020 03:06 PM, Paolo Lucente wrote:

I did test on a Debian 10:

4.19.0-8-686-pae #1 SMP Debian 4.19.98-1 (2020-01-26) i686 GNU/Linux

As I was suspecting, passing the pcap you sent me through a daemon compiled on this box went fine (that is, I can't reproduce the issue). From what I see, by the way, this is not something related to nDPI.

Paolo

On 09/07/2020 18:19, Steve Clark wrote:

Thanks for checking, could you tell what distro and version you tested on? Also, when I compile on 32 bit I get a lot of warnings of redefines between ndpi.h and pmacct.h. Do you get those also?

On 07/09/2020 11:55 AM, Paolo Lucente wrote:

Hi Steve,

I do have avail of an i686-based VM. I can't say everything is tested on i686 but I tend to check every now and then that nothing fundamental is broken. I took the example config you used, compiled master code with the same config switches as you did (essentially --enable-ndpi) and had no joy reproducing the issue.

You could send me privately your capture and I may try with that one (although I am not highly positive it will be a successful test); or you could arrange me access to your box to read the pcap. Let me know.

Paolo

On 09/07/2020 14:54, Steve Clark wrote:

Hi Paolo,

I have compiled master with nDPI on both 32bit and 64bit CentOS 6 systems. The 64 bit pmacctd seems to work fine. But I get bogus byte counts when I run the 32bit version against the same pcap file.

Just wondered if you have done any testing on 32bit intel system with the above combination.

Below is the output when using 32bit pmacctd - first the pmacctd invocation, then the nfacctd output:

pmacct/src/pmacctd -f ./mypaolo.conf -I v1.7.5_v9_ndpi_class_paolo.pcap
INFO ( default/core ): Promiscuous Mode Accounting Daemon, pmacctd 1.7.6-git (20200707-01)
INFO ( default/core ): '--enable-ndpi' '--with-ndpi-static-lib=/usr/local/lib/' '--enable-l2' '--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins' '--enable-st-bins'
INFO ( default/core ): Reading configuration file '/var/lib/pgsql/sclark/mypaolo.conf'.
INFO ( p4p1/nfprobe ): NetFlow probe plugin is originally based on softflowd 0.9.7 software, Copyright 2002 Damien Miller <d...@mindrot.org> All rights reserved.
INFO ( p4p1/nfprobe ): TCP timeout: 3600s
INFO ( p4p1/nfprobe ): TCP post-RST timeout: 120s
INFO ( p4p1/nfprobe ): TCP post-FIN timeout: 300s
INFO ( p4p1/nfprobe ): UDP timeout: 300s
INFO ( p4p1/nfprobe ): ICMP timeout: 300s
INFO ( p4p1/nfprobe ): General timeout: 3600s
INFO ( p4p1/nfprobe ): Maximum lifetime: 604800s
INFO ( p4p1/nfprobe ): Expiry interval: 60s
INFO ( default/core ): PCAP capture file, sleeping for 2 seconds
INFO ( p4p1/nfprobe ): Exporting flows to [172.24.109.157]:rrac
WARN ( p4p1/nfprobe ): Shutting down on user request.
INFO ( default/core ): OK, Exiting ...

src/nfacctd -f examples/nfacctd-print.conf.example
INFO ( default/core ): NetFlow Accounting Daemon, nfacctd 1.7.6-git (20200623-00)
INFO ( default/core ): '--enable-ndpi' '--with-ndpi-static-lib=/usr/local/lib/' '--enable-l2' '--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins' '--enable-st-bins'
INFO ( default/core ): Reading configuration file '/var/lib/pgsql/sclark/pmacct/examples/nfacctd-print.conf.example'.
INFO ( default/core ): waiting for NetFlow/IPFIX data on :::5678
INFO ( foo/print ): cache entries=16411 base cache memory=56322552 bytes
WARN ( foo/print ): no print_output_file and no print_output_lock_file defined.
INFO ( foo/print ): *** Purging cache - START (PID: 21926) ***
CLASS    SRC_IP          DST_IP          SRC_PORT  DST_PORT  PROTOCOL  PACKETS  BYTES
NetFlow  172.24.110.104  172.24.109.247  41900     2055      udp       26       1576253010996
NetFlow  172.24.110.104  172.24.109.247  58131     2055      udp       21       1576253008620
INFO ( foo/print ): *** Purging cache - END (PID: 21926, QN: 2/2, ET: 0) ***
^CINFO ( foo/print ): *** Purging cache - START (PID: 21559) ***
INFO ( foo/print ): *** Purging cache - END (PID: 21559, QN: 0/0, ET: X) ***
INFO ( default/core ): OK, Exiting ...

Now the output when using the 64bit version of pmacctd and the same .pcap file:

sudo /root/pmacctd-176 -f ./mypaolo.conf -I v1.7.5_v9_ndpi_class_paolo.pcap
INFO ( default/core ): Promiscuous Mode Accounting Daemon, pmacctd 1.7.6-git (20200623-00)
INFO ( default/core ): '--enable-ndpi' '--with-ndpi-static-lib=/usr/local/lib/' '--enable-l2' '--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins' '--enable-st-bins'
INFO ( default/core ): Reading configuration file '/var/lib/pgsql/sclark/mypaolo.conf'.
INFO ( p4p1/nfprobe ): NetFlow probe plugin is originally based on softflowd 0.9.7 software, Copyright 2002 Damien Miller <d...@mindrot.org> All rights reserved.
INFO ( default/core ): PCAP capture file, sleeping for 2 seconds
INFO ( p4p1/nfprobe ): TCP timeout: 3600s
INFO ( p4p1/nfprobe ): TCP post-RST timeout: 120s
INFO ( p4p1/nfprobe ): TCP post-FIN timeout: 300s
INFO ( p4p1/nfprobe ): UDP timeout: 300s
INFO ( p4p1/nfprobe ): ICMP timeout: 300s
INFO ( p4p1/nfprobe ): General timeout: 3600s
INFO ( p4p1/nfprobe ): Maximum lifetime: 604800s
INFO ( p4p1/nfprobe ): Expiry interval: 60s
INFO ( p4p1/nfprobe ): Exporting flows to [172.24.109.157]:rrac
WARN ( p4p1/nfprobe ): Shutting down on user request.
INFO ( default/core ): OK, Exiting ...

src/nfacctd -f examples/nfacctd-print.conf.example
INFO ( default/core ): NetFlow Accounting Daemon, nfacctd 1.7.6-git (20200623-00)
INFO ( default/core ): '--enable-ndpi' '--with-ndpi-static-lib=/usr/local/lib/' '--enable-l2' '--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins' '--enable-st-bins'
INFO ( default/core ): Reading configuration file '/var/lib/pgsql/sclark/pmacct/examples/nfacctd-print.conf.example'.
INFO ( default/core ): waiting for NetFlow/IPFIX data on :::5678
INFO ( foo/print ): cache entries=16411 base cache memory=56322552 bytes
WARN ( foo/print ): no print_output_file and no print_output_lock_file defined.
INFO ( foo/print ): *** Purging cache - END (PID: 17495, QN: 0/0, ET: X) ***
INFO ( foo/print ): *** Purging cache - START (PID: 17707) ***
CLASS    SRC_IP          DST_IP          SRC_PORT  DST_PORT  PROTOCOL  PACKETS  BYTES
NetFlow  172.24.110.104  172.24.109.247  41900     2055      udp       26       13364
NetFlow  172.24.110.104  172.24.109.247  58131     2055      udp       21       10988
INFO ( foo/print ): *** Purging cache - END (PID: 17707, QN: 2/2, ET: 0) ***
INFO ( foo/print ): *** Purging cache - START (PID: 18127) ***

cat mypaolo.conf
!interface: p4p1
snaplen: 700
aggregate: src_host, dst_host, src_port, dst_port, proto, tos, class
pcap_filter: not net 172.24.106.0/24
plugins: nfprobe[p4p1]
nfprobe_version: 9
nfprobe_receiver: 172.24.109.157:5678

Any suggestions - or more tests or information I can provide?

Thanks,
Steve

Email Confidentiality Notice: The information contained in this transmission may contain privileged and confidential and/or protected health information (PHI) and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). This transmission is intended for the sole use of the individual or entity to whom it is addressed.
If you are not the intended recipient, you are notified that any use, dissemination, distribution, printing or copying of this transmission is strictly prohibited and may subject you to criminal or civil penalties. If you have received this transmission in error, please contact the sender immediately and delete this email and any attachments from any computer. Vaso Corporation and its subsidiary companies are not responsible for data leaks that result from email messages received that contain privileged and confidential and/or protected health information (PHI).

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists