2016-11-01 23:20 GMT+03:00 Brian Candler <b.cand...@pobox.com>:
> On 01/11/2016 14:05, SancheZZS . wrote:
>>
>> generated flow
>> 13:40:28.003356 IP 10.11.108.251.46004 > 10.8.1.74.2055: UDP, length 1464
>> 13:40:28.003373 IP 10.11.108.251.46004 > 10.8.1.74.2055: UDP, length 1464
>> 13:40:28.003392 IP 10.11.108.251.46004 > 10.8.1.74.2055: UDP, length 1464
>> 13:40:28.003410 IP 10.11.108.251.46004 > 10.8.1.74.2055: UDP, length 1464
>> 13:40:28.003427 IP 10.11.108.251.46004 > 10.8.1.74.2055: UDP, length 1464
>> 13:40:28.003444 IP 10.11.108.251.46004 > 10.8.1.74.2055: UDP, length 1464
>> 13:40:28.003462 IP 10.11.108.251.46004 > 10.8.1.74.2055: UDP, length 1464
>> 13:40:28.003479 IP 10.11.108.251.46004 > 10.8.1.74.2055: UDP, length 1464
>>
>> 10.8.1.74 ip of LXC.
>
>
> Where is that tcpdump being captured? Is it actually inside the container?
> If not, I wonder whether the packets are being routed into the container
> properly.
>

It is in the container. Also tshark shows in the container:

1 0.000000 10.11.108.251 -> 10.8.1.74 CFLOW 498 total: 9 (v5) flows
2 0.002761 10.11.108.251 -> 10.8.1.74 CFLOW 1506 total: 30 (v5) flows
3 0.002768 10.11.108.251 -> 10.8.1.74 CFLOW 1506 total: 30 (v5) flows
4 0.002774 10.11.108.251 -> 10.8.1.74 CFLOW 1506 total: 30 (v5) flows
5 0.002779 10.11.108.251 -> 10.8.1.74 CFLOW 1506 total: 30 (v5) flows
6 0.002784 10.11.108.251 -> 10.8.1.74 CFLOW 1506 total: 30 (v5) flows
7 0.002789 10.11.108.251 -> 10.8.1.74 CFLOW 1506 total: 30 (v5) flows
8 0.002796 10.11.108.251 -> 10.8.1.74 CFLOW 1506 total: 30 (v5) flows
9 0.002800 10.11.108.251 -> 10.8.1.74 CFLOW 1506 total: 30 (v5) flows
10 0.002803 10.11.108.251 -> 10.8.1.74 CFLOW 1506 total: 30 (v5) flows
11 0.002807 10.11.108.251 -> 10.8.1.74 CFLOW 1506 total: 30 (v5) flows
12 0.002811 10.11.108.251 -> 10.8.1.74 CFLOW 1506 total: 30 (v5) flows
13 5.000031 10.11.108.251 -> 10.8.1.74 CFLOW 1026 total: 20 (v5) flows

I have checked nfcapd with strace:

root@datastor:~# strace -p 13720
strace: Process 13720 attached
recvfrom(4, 0x12a4ac0, 65535, 0, 0x7fffe3842fa0, 0x7fffe3842f74) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
--- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
rt_sigreturn({mask=[]}) = -1 EINTR (Interrupted system call)
alarm(0) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1544, ...}) = 0
lseek(5, 0, SEEK_SET) = 0
write(5, "\f\245\1\0\1\0\0\0\0\0\0\0rbth\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 140) = 140
write(5, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 136) = 136
close(5) = 0
stat("/var/tmp/2016/11/03", {st_mode=S_IFDIR|0755, st_size=152, ...}) = 0
rename("/var/tmp/nfcapd.current.13718", "/var/tmp/2016/11/03/nfcapd.201611031630") = 0
stat("/var/tmp/2016/11/03/nfcapd.201611031630", {st_mode=S_IFREG|0644, st_size=276, ...}) = 0
semop(1867776, [{0, -1, 0}], 1) = 0
semop(1867776, [{0, 1, 0}], 1) = 0
sendto(3, "<30>Nov 3 16:35:10 nfcapd[13720"..., 115, MSG_NOSIGNAL, NULL, 0) = 115
open("/var/tmp/nfcapd.current.13718", O_RDWR|O_CREAT|O_TRUNC, 0644) = 5
write(5, "\f\245\1\0\1\0\0\0\0\0\0\0rbth\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 140) = 140
write(5, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 136) = 136
sendto(3, "<30>Nov 3 16:35:10 nfcapd[13720"..., 59, MSG_NOSIGNAL, NULL, 0) = 59
alarm(300) = 0
recvfrom(4, ^Cstrace: Process 13720 detached
 <detached ...>

The strings below arouse much interest.

recvfrom(4, 0x12a4ac0, 65535, 0, 0x7fffe3842fa0, 0x7fffe3842f74) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
--- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---

_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss