Hi there!
Here is my "problem".
I installed Debian with IPAudit and put my server on my network. The next day IPAudit collapsed and no traffic was monitored for several hours. I restarted the server and tried to analyse the situation, but it is not possible for me to bring up IPAudit automatically, only manually. My knowledge of Debian and IPAudit is not sufficient to solve the problem.
I chose to reinstall everything from scratch. Here is how I did that.
- I have a PC with 3 Ethernet cards: one gig Broadcom and two Intel 100Mb.
- I installed Debian 5.0.2: base PC, web server + desktop environment.
- After this, I installed: php5, gcc, ntp, openssh-server (to access the server), gnuplot, libtime-modules-perl, autoconf, make, libcap0.8, libcap0.8-dev, libcap0.8-dbg, bison, flex.
- I installed ipaudit-web 1.0BETA9
- I installed the UserDir module for Apache2
- I changed LOCALRANGE to suit my needs
- I changed INTERFACE=eth1:eth2 (eth0 is the Broadcom gig Ethernet card, and eth1 and eth2 are Intel 100Mb Ethernet cards). I use eth0 only for ssh and this card has an IP address.
- I changed /etc/network/interfaces: eth0 static with an address, eth1 and eth2 manual without an address (in promiscuous mode for safety reasons). I'm not sure why I have two 100Mb Ethernet cards, but the person who worked previously in my place had it this way. Maybe I need only one 100Mb Ethernet card.
Example from /etc/network/interfaces:
"allow-hotplug eth1
auto eth1
iface eth1 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc up
down ifconfig $IFACE 0.0.0.0 down
down ip link set $IFACE promisc down"
Do I need the last two rows? What do they mean and do?
- I configured the Apache2 server to use cgi-scripts (as in the IPAudit install file). I did that only in /etc/apache2/apache2.conf. Do I need to make the same changes in other files, like httpd.conf for example?
- I changed /etc/hosts.allow and /etc/hosts.deny to suit my needs.
- I changed the name of my IPAudit server in /home/ipaudit/public_html/index.html and added some links to other IPAudit servers (I have 3 in total).
All seems to work well for now. But why did my IPAudit crash?
How can I use tcpdump or ethereal to sniff the interface?
Do I need to do something else? Something more?
Would it be possible to install an Intel gig Ethernet card instead of my Broadcom Ethernet card? Sometimes I have a lot of traffic on my network and a 100Mb Ethernet card is not enough.
I know I have so many questions, but be patient with me and try to help me as much as you can. I have been trying to solve this problem for more than 3 weeks now.
Best regards,
Bicado.
Yes, Jon Rifkin. My ipaudit collapsed again. I can't restart it.
I do not have tcpdump or wireshark installed on this pc. I don't know what I can do to make ipaudit stable.
Please help me!
Best regards,
Bicado.
This is a good time to test with tcpdump, since ipaudit won't restart.
Install tcpdump (it's a standard package), and as root run this command
tcpdump -i INTF -nn
where INTF is the name of your gigabit interface, the same name that you pass to ipaudit. It's probably something like eth0, eth1, etc.
If tcpdump also crashes, then the problem is with the driver for your gigabit network card. You might be able to get a new driver to prevent this problem. If tcpdump runs, it will print packet info, one line per packet. Experiment with your working interfaces to see what it does.
Also, if your driver crashed, you can do 'lsmod' to see if it is still installed (I don't know the driver name, you may be able to recognize its name by the name of your card). If so, try removing and re-installing it
rmmod DRIVER
insmod DRIVER
otherwise you'll have to reboot your machine to continue.
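An added example (not part of the original thread or of ipaudit): a POSIX shell check of the capture-interface setup described in the first post (up, promiscuous, no IPv4 address) that also reports the driver name needed for the lsmod/rmmod step above. The function names and the SYSFS override are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: audit a sniffing interface through sysfs.
# SYSFS can be overridden to point the checks at a constructed tree.
SYSFS="${SYSFS:-/sys}"

# IFF_UP (0x1) and IFF_PROMISC (0x100) are the linux/if.h bits in <if>/flags.
flag_set() { [ $(( $1 & $2 )) -ne 0 ]; }

# Print the kernel driver bound to interface $1 (normally also its module
# name in lsmod); prints nothing when no driver is bound.
iface_driver() {
    link=$(readlink "$SYSFS/class/net/$1/device/driver" 2>/dev/null) || return 0
    basename "$link"
}

# Read `ip -o -4 addr show` output on stdin; succeed if interface $1 has an address.
has_ipv4() {
    awk -v ifc="$1" '$2 == ifc && $3 == "inet" { f = 1 } END { exit !f }'
}

# Print one finding per line; print nothing when the interface looks right.
audit_iface() {
    dir="$SYSFS/class/net/$1"
    [ -d "$dir" ] || { echo "$1: interface missing"; return 0; }
    flags=$(cat "$dir/flags")
    flag_set "$flags" 0x1   || echo "$1: not up"
    flag_set "$flags" 0x100 || echo "$1: not promiscuous"
    [ -n "$(iface_driver "$1")" ] || echo "$1: no driver bound"
}

# Usage: sh audit.sh eth1 eth2   (no arguments: defines the functions only)
for ifc in "$@"; do
    audit_iface "$ifc"
    if ip -o -4 addr show 2>/dev/null | has_ipv4 "$ifc"; then
        echo "$ifc: has an IPv4 address, not a passive capture port"
    fi
done
```

An interface that has vanished from sysfs altogether ("interface missing") is the case where the driver itself has gone away, which is when the rmmod/insmod or reboot step applies.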
I restarted my PC 3 times and IPAudit doesn't start automatically. I tried to start it manually but I forgot the command.
I have not passed my gigabit eth to IPAudit. This is eth0 and it has an IP address. I pass eth1 and eth2, which are both in promiscuous mode.
I am starting to install tcpdump and will test like you said.
BR,
Bicado
How do I reinstall ipaudit if I need to do so? Without losing my statistics, of course.
BR,
Bicado
Archive your data/ and report/ directories, and then after your re-install, copy them back.
Question: Is ipaudit listening on your 100Mb network cards, and not on your Gigabit network card? If so, I don't see why ipaudit is affected by your Gigabit card crashing.
Yes, that's right: ipaudit is listening on eth1 and eth2 (100Mb network cards). Just now I have only eth0 (the gig card) and eth2 connected to my network. The gig card is only there so that I can access my PC through ssh. And only this one has an IP address.
I installed tcpdump and tested all cards. All three work well. It's only ipaudit that won't start when I restart the PC. When the clock is on the whole hour or 30 min past the whole hour, ipaudit starts. It won't start from the beginning. I don't understand why. This is not happening on the other two PCs with ipaudit.
What can I do to solve this problem, please? I lose too much of the traffic when I restart my PC.
Now I have the old and new PCs in parallel, monitoring the same traffic. Both work well and almost identically (the clocks on those two PCs are not synchronised).
I now have a difference between the previous behaviour and now: before the "crash" ipaudit got a report in ~2 450 seconds and now I get a report in ~290 seconds. It also works faster than before. My explanation is that now I have only one 100Mb card connected to my intranet, and before two cards.
I've changed the colours in the Graph* files and it works fine. I have the colours I want to have.
Thanks for all the help.
Best regards,
Bicado.
One more thing. When I try to start ipaudit manually I get: "cannot open pidfile_m 'run/ipaudit.pid' ". Why is it not possible to start it manually? ipaudit.pid has the following rights: -rw-r--r--. I've tried "chmod 777 ipaudit.pid" but after a restart it was the same.
Can I repair that?
BR,
Bicado
You really shouldn't start ipaudit manually, it should be started by the cron job. Typing 'crontab -l' should show that ipaudit starts every half hour. If you are trying to start it manually, then it will interfere with the ipaudit instance run by the cron. Once you get everything working on your machine, then you should have to restart it. I've had ipaudit running months without restarting the host.
If you need to restart your machine because of the Gig card, then I think either your Gig card or Gig card driver is buggy. Maybe you could test it in another machine.
OK. I understand what you mean.
When I started ipaudit manually, did I break something? If yes, is it possible to repair it in some way?
Also, is it not possible to restart the PC and have ipaudit start automatically, without delay?
Thanks for your help,
Bicado