I ended up solving the "PF_RING" interface name issue. Though, I still get a seg fault, but I do not get the RRD warning messages anymore. I believe I'm one step closer.
The seg fault message is:

Oct 5 15:56:24 nms ntop[2346]: THREADMGMT[t140276073404576]: ntop RUNSTATE: PREINIT(1)
Oct 5 15:56:24 nms ntop[2346]: THREADMGMT[t140276073404576]: ntop RUNSTATE: INIT(2)
Oct 5 19:08:30 nms kernel: [11581.091641] ntop[2353]: segfault at fffffff7 ip 00007f949060688d sp 00007f946f37cbe0 error 4 in libc-2.13.so [7f949058a000+18a000]

Are you aware of any issues in that version of libc?

On Mon, Oct 3, 2011 at 3:28 PM, Jon Schipp <[email protected]> wrote:

> Hello Luca,
>
> I have not renamed the interfaces.
> They only seem to be called "PF_RING" in ntop. ifconfig reports normal
> names, I'm running multiple instances of snort on different interfaces with
> no problems.
> I attached some screenshots of what I'm seeing. I run ntop with -i
> eth0,eth1,eth2,eth3,eth4 among other non-related options.
>
> When I click the pencil icon on any interface, which takes me to Edit
> Preferences, it shows all the normal interface names i.e. eth0,eth1 etc..
> (picture attached) for each one.
>
> Thanks
>
> On Mon, Oct 3, 2011 at 10:30 AM, Luca Deri <[email protected]> wrote:
>
>> On 10/03/2011 04:02 PM, Jon Schipp wrote:
>>
>> Would you happen to know why or how this is happening. I can't seem to
>> trace it back to "some thing".
>>
>> Did you rename the interfaces perhaps? Can you please click on the
>> "pencil" icon and use three different names for them
>>
>> Luca
>>
>>
>> Thanks
>>
>> On Mon, Oct 3, 2011 at 8:20 AM, Luca Deri <[email protected]> wrote:
>>
>>> Jon
>>> it looks to me that the problem is that all your interfaces are named
>>> PF_RING. This causes the trouble.
>>>
>>> Luca
>>>
>>> On 09/30/2011 06:16 PM, Jon Schipp wrote:
>>>
>>> Here's some of the logs, it's because of this
>>>
>>> Sep 29 16:40:34 nms ntop[4403]: **WARNING** RRD:
>>> rrd_update(/usr/local/var/ntop/rrd/interfaces/PF_RING/throughput.rrd) error:
>>> /usr/local/var/ntop/rrd/interfaces/PF_RING/throughput.rrd: illegal attempt
>>> to update using time 1317328834 when last update time is 1317328834 (minimum
>>> one second step)
>>> Sep 29 16:40:44 nms ntop[4403]: **WARNING** RRD:
>>> rrd_update(/usr/local/var/ntop/rrd/interfaces/PF_RING/throughput.rrd) error:
>>> /usr/local/var/ntop/rrd/interfaces/PF_RING/throughput.rrd: illegal attempt
>>> to update using time 1317328844 when last update time is 1317328844 (minimum
>>> one second step)
>>> Sep 29 16:40:54 nms ntop[4403]: **WARNING** RRD:
>>> rrd_update(/usr/local/var/ntop/rrd/interfaces/PF_RING/throughput.rrd) error:
>>> /usr/local/var/ntop/rrd/interfaces/PF_RING/throughput.rrd: illegal attempt
>>> to update using time 1317328854 when last update time is 1317328854 (minimum
>>> one second step)
>>>
>>> I get around 30 or so before ntop seg faults. One thing that I notice is
>>> a bit different is that ntop uses PF_RING for all the device names.
>>> In my browser it will display:
>>> Name Device Type Speed .....
>>> PF_RING eth0 Ethernet ...
>>> PF_RING eth1 Ethernet ...
>>> PR_RING eth2 Ethernet
>>>
>>> When I first compiled ntop with PF_RING it showed the interface names
>>> under "Name" i.e. eth0, eth1 ...
>>> whereas now they're all labeled as PF_RING.
>>>
>>> When the device "Name" in ntop web shows PF_RING it seg faults, when it
>>> shows the interface name, it doesn't seg fault.
>>>
>>> One thing that I changed was that I'm now loading pf_ring from
>>> /etc/modules, and then my /etc/network/interfaces file is run on boot.
>>> My interfaces file just brings up all interfaces, removes arp, turns on
>>> promiscuous mode, and sets the mtu to 1514.
>>>
>>> I tried rmmod pf_ring and rmmod e1000, then loaded each again, and then
>>> brought each interface up by hand and it worked, but I can't reproduce it
>>> again. Maybe I'm missing a small detail, tried many times.
>>> If I rmmod pf_ring and e1000, load them again, and run
>>> /etc/init.d/networking restart, I'll get a segfault shortly after I run
>>> ntop.
>>> (it will then display PF_RING for names in my browser rather than the
>>> interface name)
>>>
>>> I'm not sure why, any pointers? insights?
>>>
>>> Thanks
>>>
>>> On Fri, Sep 30, 2011 at 8:36 AM, Jon Schipp <[email protected]> wrote:
>>>
>>>> I'm having the same issue on the latest stable with PF_RING.
>>>>
>>>> Sep 29 16:41:04 nms kernel: [ 2667.954156] ntop[4430]: segfault at
>>>> 357e ip 000000000000357e sp 00007f472642eaf8 error 14 in ntop
>>>> (deleted)[400000+f000]
>>>> Sep 29 16:42:27 nms ntop[14702]: THREADMGMT[t140321661016224]: ntop
>>>> RUNSTATE: PREINIT(1)
>>>> Sep 29 16:42:27 nms ntop[14702]: THREADMGMT[t140321661016224]: ntop
>>>> RUNSTATE: INIT(2)
>>>> Sep 29 16:44:38 nms ntop[14753]: THREADMGMT[t140020564027552]: ntop
>>>> RUNSTATE: PREINIT(1)
>>>> Sep 29 16:44:38 nms ntop[14753]: THREADMGMT[t140020564027552]: ntop
>>>> RUNSTATE: INIT(2)
>>>> Sep 29 17:00:25 nms ntop[8822]: THREADMGMT[t139849837545632]: ntop
>>>> RUNSTATE: PREINIT(1)
>>>> Sep 29 17:00:25 nms ntop[8822]: THREADMGMT[t139849837545632]: ntop
>>>> RUNSTATE: INIT(2)
>>>> Sep 29 17:00:54 nms ntop[8846]: THREADMGMT[t140418989541536]: ntop
>>>> RUNSTATE: PREINIT(1)
>>>> Sep 29 17:00:54 nms ntop[8846]: THREADMGMT[t140418989541536]: ntop
>>>> RUNSTATE: INIT(2)
>>>>
>>>> I have a dump attached.
>>>>
>>>> Thanks
>>>>
>>>> On Thu, Sep 29, 2011 at 5:03 PM, Jon Schipp <[email protected]> wrote:
>>>>
>>>>> Moved to stable, I didn't even know I was using a dev version. I'll see
>>>>> if it happens again.
>>>>>
>>>>>
>>>>> On Thu, Sep 29, 2011 at 3:14 PM, Jon Schipp <[email protected]> wrote:
>>>>>
>>>>>> Hello all,
>>>>>>
>>>>>> I'm using PF_RING with a PF_RING compiled ntop, e1000 PF_RING
>>>>>> driver, transparent_mode 2.
>>>>>> Ntop was working fine before I set up PF_RING with it, now it
>>>>>> segfaults after 15 or so minutes.
>>>>>>
>>>>>> Version 4.1.1
>>>>>>
>>>>>> Thu Sep 29 10:19:28 2011 CHKVER: Checking current ntop version at
>>>>>> version.ntop.org/version.xml
>>>>>> Thu Sep 29 10:19:29 2011 CHKVER: Version file is from '
>>>>>> version.ntop.org'
>>>>>> Thu Sep 29 10:19:29 2011 CHKVER: as of date is '2011-08-15T11:00:47'
>>>>>> Thu Sep 29 10:19:29 2011 CHKVER: This version of ntop is the current
>>>>>> DEVELOPMENT version - Expect the unexpected!
>>>>>> Thu Sep 29 10:19:33 2011 THREADMGMT[t140560248346368]: RRD: Started
>>>>>> thread for throughput data collection
>>>>>> Thu Sep 29 10:19:33 2011 THREADMGMT[t140560311432960]: RRD: Data
>>>>>> collection thread running [p30057]
>>>>>> Thu Sep 29 10:19:33 2011 THREADMGMT[t140560248346368]: RRD:
>>>>>> Throughput data collection: Thread starting [p30057]
>>>>>> Thu Sep 29 10:19:33 2011 THREADMGMT[t140560248346368]: RRD:
>>>>>> Throughput data collection: Thread running [p30057]
>>>>>> Thu Sep 29 10:29:29 2011 NOTE: -L | --use-syslog=facility not
>>>>>> specified, child processes will log to the default (24).
>>>>>> ./ntop.sh: line 1: 30057 Segmentation fault ntop -u ntop
>>>>>> --access-log-file=/var/log/ntop/access.log -b -C
>>>>>> --output-packet-path=/var/log/ntop --local-subnets
>>>>>> 192.168.1.0/24,192.168.11.0/24,192.168.66.0/24 -o -M -p
>>>>>> /etc/ntop/protocol.list -i br0,eth0,eth1,eth2,eth3,eth4 -O /var/log/ntop
>>>>>>
>>>>>> I load ntop with that ntop.sh script, which is just my ntop options
>>>>>> and parameters.
>>>>>> I don't know if this is a bug in the development version or if I'm
>>>>>> doing something wrong.
>>>>>>
>>>>>> Let me know if I should try a different version.
>>>>>>
>>>>>> Thanks
>>>>>> --
>>>>>> - Jon
>>>>>> --
>>>>>> ------------------------------------------------------------------
>>>>>>
>>>>>> VMB: 812-682-0231
>>>>>>
>>>>>> Dubois County Linux User Group - http://www.dclinux.org
>>>>>> Southern Indiana Computer Klub - http://sickbits.networklabs.org
>>>>>> Bloomington FOOLS - http://www.bloomingtonfools.org/
>>>>>> BloomingLabs - http://www.bloominglabs.org
>>>>>> ISSA-Kentuckiana - http://issa-kentuckiana.org
>>>>>>
>>>>>> GPG Key ID: 810903CB
>>>>>> Key fingerprint = 0069 ED69 EABB DF84 5983 AD3C 6C20 BEFD 8109 03CB

--
- Jon
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
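
Added example, not part of the original thread and not ntop code: a Python triage of the two kernel segfault lines quoted above, with the mail client's line wraps rejoined. It decodes the x86 page-fault error code (the kernel prints it in hex) and computes the offset of the faulting instruction inside the named mapping; the function and field names are this example's own.

```python
import re

# Kernel lines quoted in the thread, with the mail client's wraps rejoined.
SAMPLES = [
    "Oct 5 19:08:30 nms kernel: [11581.091641] ntop[2353]: segfault at fffffff7 "
    "ip 00007f949060688d sp 00007f946f37cbe0 error 4 in libc-2.13.so [7f949058a000+18a000]",
    "Sep 29 16:41:04 nms kernel: [ 2667.954156] ntop[4430]: segfault at 357e "
    "ip 000000000000357e sp 00007f472642eaf8 error 14 in ntop (deleted)[400000+f000]",
]

SEGV = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>.+?)\s*\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

def decode_error(code):
    # x86 page-fault error bits: 0x1 protection, 0x2 write, 0x4 user, 0x10 instruction fetch.
    return {
        "cause": "protection violation" if code & 0x1 else "page not mapped",
        "access": "instruction fetch" if code & 0x10 else ("write" if code & 0x2 else "read"),
        "mode": "user" if code & 0x4 else "kernel",
    }

def parse_segfault(line):
    m = SEGV.search(line)
    if m is None:
        return None
    addr, ip, err = (int(m[k], 16) for k in ("addr", "ip", "err"))
    info = {"comm": m["comm"], "pid": int(m["pid"]), "addr": addr, "ip": ip,
            "object": m["obj"], "offset": None, "ip_in_mapping": False}
    info.update(decode_error(err))
    if m["base"]:
        # The named mapping need not contain ip, so check the range before subtracting.
        base, size = int(m["base"], 16), int(m["size"], 16)
        info["ip_in_mapping"] = base <= ip < base + size
        if info["ip_in_mapping"]:
            info["offset"] = ip - base
    # ip equal to the fault address means the CPU tried to execute at a bad address.
    info["jumped_to_fault_addr"] = addr == ip
    return info

if __name__ == "__main__":
    for line in SAMPLES:
        r = parse_segfault(line)
        off = hex(r["offset"]) if r["offset"] is not None else "n/a"
        print(f"{r['comm']}[{r['pid']}] {r['mode']}-mode {r['access']} of {r['addr']:#x} "
              f"({r['cause']}); ip inside {r['object']}: {r['ip_in_mapping']}, offset {off}")
```

For the Oct 5 line this gives a user-mode read of an unmapped address at offset 0x7c88d inside libc-2.13.so, which is the value to look up against that exact libc build. For the Sep 29 line the instruction pointer equals the fault address and lies outside the listed ntop mapping, so no offset is reported.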
