Hi Gregoire, please file a bug on https://github.com/ntop/nProbe and attach a pcap file for reproducing it
Regards Luca

> On 17 Dec 2015, at 15:21, [email protected] wrote:
>
> Hello,
>
> I want to test nprobe stable on CentOS6 (v.7.2.151211) and I have an issue
> with nprobe and L2TP tunnelled traffic. Here is the command I launch:
>
> [root@netflow-linux ~]# nprobe -i eth1 -d 60 -P /tmp/flows -D t -I sfr -T
> "%IN_BYTES %IN_PKTS %L4_SRC_PORT %PROTOCOL %IPV4_SRC_ADDR %L4_DST_PORT
> %IPV4_DST_ADDR %IPV6_SRC_ADDR %IPV6_DST_MASK %UPSTREAM_TUNNEL_ID
> %DOWNSTREAM_TUNNEL_ID" -V 9 --smart-udp-frags -N 0 --tunnel
>
> I'd expect to get records like
> "122|1|53|17|IP_IN_TUNNEL|13217|IP_IN_TUNNEL|::|0|000054B5|0000B5AB|
> 117|2|443|6|IP_IN_TUNNEL|53820|IP_IN_TUNNEL|::|0|00006304|0000BB56|
> "
> I get some of them, but most of my records are not correctly decapsulated and
> I usually get records like that:
>
> 52|1|30753|17|L2TP_IP|49752|L2TP_IP|::|0|00000000|00000000|
> 52|1|4560|17|L2TP_IP|34232|L2TP_IP|::|0|00000000|00000000|
>
> As you can see, L4_SRC_PORT and L4_DST_PORT are correctly decapsulated.
> However, I get neither the tunneled IP address nor the tunnel information (I
> obfuscated IP information, replacing it with IP_IN_TUNNEL and L2TP_IP).
> ~75% of flows are concerned.
>
> I am pretty sure the problem comes from the decapsulation and it's not a
> false positive as if it was, src port and dest port would be 1701.
>
> When I try to use it in debug mode I get a segfault (which I don't get
> without the --tunnel option):
>
> [root@netflow-linux ~]# nprobe -i eth1 -d 60 -P /tmp/flows -D t -I sfr -T
> "%IN_BYTES %IN_PKTS %L4_SRC_PORT %PROTOCOL %IPV4_SRC_ADDR %L4_DST_PORT
> %IPV4_DST_ADDR %IPV6_SRC_ADDR %IPV6_DST_MASK %UPSTREAM_TUNNEL_ID
> %DOWNSTREAM_TUNNEL_ID %UNTUNNELED_IPV4_SRC_ADDR" -V 9 --smart-udp-frags -N 0
> --debug --tunnel
> 17/Dec/2015 16:19:38 [nprobe.c:3114] ERROR: Invalid nProbe license
> (/etc/nprobe.license) [Missing license file]
> 17/Dec/2015 16:19:38 [nprobe.c:3121] ERROR:
> *****************************************************
> 17/Dec/2015 16:19:38 [nprobe.c:3122] ERROR: **
> **
> 17/Dec/2015 16:19:38 [nprobe.c:3123] ERROR: ** Switching to DEMO MODE
> (missing valid license) **
> 17/Dec/2015 16:19:38 [nprobe.c:3124] ERROR: **
> **
> 17/Dec/2015 16:19:38 [nprobe.c:3125] ERROR: ** Create your nProbe license at
> **
> 17/Dec/2015 16:19:38 [nprobe.c:3126] ERROR: **
> http://www.nmon.net/mklicense/ **
> 17/Dec/2015 16:19:38 [nprobe.c:3127] ERROR: **
> **
> 17/Dec/2015 16:19:38 [nprobe.c:3128] ERROR:
> *****************************************************
> 17/Dec/2015 16:19:38 [nprobe.c:6508] ERROR:
> ***************************************************************
> 17/Dec/2015 16:19:38 [nprobe.c:6509] ERROR: * NOTE: This is a DEMO version
> limited to 25000 flows export. *
> 17/Dec/2015 16:19:38 [nprobe.c:6510] ERROR:
> ***************************************************************
> 17/Dec/2015 16:19:38 [plugin.c:166] No plugins found in ./plugins
> 17/Dec/2015 16:19:38 [plugin.c:174] Loading 22 plugins [.so] from
> /usr/local/lib/nprobe/plugins
> datagramSourceIP 0.0.0.0
> datagramSize 48
> unixSecondsUTC 1450365578
> datagramVersion 5
> agentSubId 0
> agent 192.168.1.1
> packetSequenceNo 1084445
> sysUpTime 2429093100
> samplesInPacket 4
> startSample ----------------------
> sampleType_tag 0:2
> sampleType COUNTERSSAMPLE
> sampleSequenceNo 187645
> sourceId 0:1
> counterBlock_tag 2176:0
> skipping unknown counters_sample_element: 2176:0 len=0
> counterBlock_tag 568615:598
> skipping unknown counters_sample_element: 568615:598 len=0
> endSample ----------------------
> unexpected end of datagram after sample 1 of 4
> datagramSourceIP 0.0.0.0
> datagramSize 48
> unixSecondsUTC 1450365578
> datagramVersion 5
> agentSubId 0
> agent 192.168.1.1
> packetSequenceNo 1084446
> sysUpTime 2429093100
> samplesInPacket 10
> startSample ----------------------
> sampleType_tag 0:1
> sampleType FLOWSAMPLE
> sampleSequenceNo 11443
> sourceId 0:2
> meanSkipCount 50
> samplePool 8912896
> dropEvents 0
> inputPort multiple 181563990
> outputPort 0
> flowBlock_tag 0:0
> skipping unknown flow_sample_element: 0:0 len=-2147483648
> Segmentation fault
>
> When I compare with what I get in a pcap, I can see that in my pcap file I
> almost don't get any packet
>
> Is there a performance issue (it doesn't seem so, CPU stays low)? Is there a
> fix somewhere, or did I miss something?
>
> Thank you very much,
> Regards,
> Grégoire
> _______________________________________________
> Ntop-misc mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
