
#77 natevent is not working

Milestone: git version
Status: open
Owner: ABC
Labels: nel (1)
Priority: 5
Updated: 2017-03-03
Created: 2015-03-23
Creator: Sonny
Private: No

natevents is not working!!
ipt_NETFLOW 2.1, srcversion 89556420DEF91883C3D504B; dir mac nel
Protocol version 9 (netflow), refresh-rate 20, timeout-rate 30, (templates 8, active 8).
Timeouts: active 15s, inactive 15s. Maxflows 2000000
Natevents enabled, count start 0, stop 0.
Flows: active 0 (peak 133 reached 0d0h46m ago), mem 625K, worker delay 100/1000 [1..100] (48 ms, 0 us, 0:0 [cpu0]).
Hash: size 160000 (mem 625K), metric 1.00 [1.00, 1.00, 1.00]. InHash: 0 pkt, 0 K, InPDU 0, 0.
Rate: 0 bits/sec, 0 packets/sec; Avg 1 min: 58 bps, 0 pps; 5 min: 522 bps, 0 pps
cpu# pps; <search found new [metric], trunc frag alloc maxflows>, traffic: <pkt, bytes>, drop: <pkt, bytes>
Total 0; 0 3115 770 [1.00], 0 0 0 0, traffic: 3885, 1 MB, drop: 0, 0 K
cpu0 0; 0 0 0 [1.00], 0 0 0 0, traffic: 0, 0 MB, drop: 0, 0 K
cpu1 0; 0 1695 392 [1.00], 0 0 0 0, traffic: 2087, 0 MB, drop: 0, 0 K
cpu2 0; 0 1420 378 [1.00], 0 0 0 0, traffic: 1798, 1 MB, drop: 0, 0 K
cpu3 0; 0 0 0 [1.00], 0 0 0 0, traffic: 0, 0 MB, drop: 0, 0 K
Export: Rate 0 bytes/s; Total 98 pkts, 0 MB, 770 flows; Errors 0 pkts; Traffic lost 0 pkts, 0 Kbytes, 0 flows.
sock0: 192.168.71.231:2000, sndbuf 110592, filled 0, peak 1692; err: sndbuf reached 0, connect 0, cberr 3, other 0

Natevents enabled, count start 0, stop 0. << count is always 0.

My kernel: 2.6.30
iptables: 1.4.10

I have enabled natevents in configure.

In my nfdump I can't see any information either.
Can anyone help with troubleshooting?

Discussion

  • ABC

    ABC - 2015-03-23

    Does this server perform NAT translation, or is it performed on another server?

     
  • Sonny

    Sonny - 2015-03-24

    NAT is performed on this server.
    And I have enabled IMQ and pppoe-server on this server.

     
  • ABC

    ABC - 2015-03-24

    Can you install conntrack-tools (you may have it in your distro), then run conntrack -E and observe if there are events going on.

     
  • Sonny

    Sonny - 2015-03-25

    After installing conntrack-tools

    this is the message:
    [NEW] icmp 1 30 src=172.17.16.36 dst=211.28.128.5 type=8 code=0 id=1 [UNREPLIED] src=211.28.128.5 dst=43.129.46.11 type=0 code=0 id=1
    [UPDATE] icmp 1 30 src=172.17.16.36 dst=211.28.128.5 type=8 code=0 id=1 src=211.28.128.5 dst=43.129.46.11 type=0 code=0 id=1
    [DESTROY] icmp 1 src=172.17.16.36 dst=211.28.128.5 type=8 code=0 id=1 packets=1 bytes=60 src=211.28.128.5 dst=43.129.46.11 type=0 code=0 id=1 packets=1 bytes=60

    My distro is Fedora 11.
    Also I have updated packages as below:
    libnfnetlink
    libmnl
    libnetfilter_conntrack-1.0.4
    libnetfilter_queue-1.0.2.tar.bz2
    libnetfilter_cttimeout-1.0.0
    libnetfilter_cthelper-1.0.0.tar

    But when I reboot, conntrack -E will not display any message before I run iptstate.

    ipt_NETFLOW 2.1, srcversion 89556420DEF91883C3D504B; dir mac nel
    Protocol version 9 (netflow), refresh-rate 20, timeout-rate 30, (templates 26, active 9).
    Timeouts: active 15s, inactive 15s. Maxflows 2000000
    Natevents enabled, count start 0, stop 0.
    Flows: active 116 (peak 358 reached 0d0h16m ago), mem 640K, worker delay 100/1000 [1..100] (86 ms, 0 us, 93:0 [cpu2]).

    Natevents counter is still 0.

     
  • ABC

    ABC - 2015-04-01
    • labels: --> nel
    • assigned_to: ABC
     
  • ABC

    ABC - 2015-04-01

    Thanks! This is rather strange. I will think about it.

     
    • Sonny

      Sonny - 2016-05-10

      I gave up on Fedora.
      Right now I use CentOS 6 + ipt_netflow + nfsen + nfdump.

      ipt_netflow and nat events are working.

      ipt_NETFLOW 2.1, srcversion 89556420DEF91883C3D504B; dir llist nel
      Protocol version 9 (netflow), refresh-rate 20, timeout-rate 30, (templates 7, active 7).
      Timeouts: active 1800s, inactive 15s. Maxflows 1048576
      Natevents enabled, count start 541916, stop 533890.
      Flows: active 4681 (peak 8597 reached 0d0h2m ago), mem 5851K, worker delay 100/1000 [1..100] (66 ms, 0 us, 284:0 0 [cpu5]).
      Hash: size 655360 (mem 5120K), metric 1.00 [1.00, 1.00, 1.00]. InHash: 4052284 pkt, 3751138 K, InPDU 84, 17580.
      Rate: 117368358 bits/sec, 15080 packets/sec; Avg 1 min: 118310168 bps, 15548 pps; 5 min: 128957579 bps, 16698 pps
      cpu#     pps; <search found new [metric], trunc frag alloc maxflows>, traffic: <pkt, bytes>, drop: <pkt, bytes>
      Total  15079; 634867 164423542 1737160 [1.00],    0    0    0    0, traffic: 166160702, 153082 MB, drop: 0, 0 K
      cpu0    5852; 300075 75799203 509485 [1.00],    0    0    0    0, traffic: 76308688, 108898 MB, drop: 0, 0 K
      cpu1       0;      0     19      2 [1.00],    0    0    0    0, traffic: 21, 0 MB, drop: 0, 0 K
      cpu2    3788;  64827 24325931 362902 [1.00],    0    0    0    0, traffic: 24688833, 35641 MB, drop: 0, 0 K
      cpu3       0;      0    198      0 [1.00],    0    0    0    0, traffic: 198, 0 MB, drop: 0, 0 K
      cpu4       0;      0      8      0 [1.00],    0    0    0    0, traffic: 8, 0 MB, drop: 0, 0 K
      cpu5      11;    832  83159      6 [1.00],    0    0    0    0, traffic: 83165, 113 MB, drop: 0, 0 K
      cpu6       0;      8    282    685 [1.00],    0    0    0    0, traffic: 967, 0 MB, drop: 0, 0 K
      cpu7    5428; 269125 64214742 864080 [1.00],    0    0    0    0, traffic: 65078822, 8428 MB, drop: 0, 0 K
      Export: Rate 16438 bytes/s; Total 83161 pkts, 111 MB, 2808281 flows; Errors 0 pkts; Traffic lost 0 pkts, 0 Kbytes, 0 flows.
      sock0: 192.168.71.231:2052, sndbuf 16777216, filled 1, peak 17105; err: sndbuf reached 0, connect 0, cberr 0, other 0
      

      But in nfsen only some flows show the public IP address.

      2016-05-10 15:39:59.944 CREATE  Ignore TCP      172.17.82.135:57841 ->   203.145.115.xx:1935     43.2xx.47.2xx:57841 ->   203.145.115.xx:1935         0        0
      2016-05-10 15:40:00.007 CREATE  Ignore TCP      172.17.82.135:57842 ->   203.145.115.xx:1935     43.2xx.47.2xx:57842 ->   203.145.115.xx:1935         0        0
      2016-05-10 15:39:37.846 INVALID  Ignore TCP     203.145.115.xx:1935  ->    172.17.82.135:57810          0.0.0.0:0     ->          0.0.0.0:0          748        0
      2016-05-10 15:39:37.842 INVALID  Ignore TCP      172.17.82.135:57810 ->   203.145.115.xx:1935           0.0.0.0:0     ->          0.0.0.0:0          830        0
      2016-05-10 15:40:05.261 DELETE  Ignore TCP      172.17.82.135:57612 ->   203.145.115.xx:1935     43.2xx.47.2xx:57612 ->   203.145.115.xx:1935         0        0
      2016-05-10 15:40:09.879 DELETE  Ignore TCP      172.17.82.135:57626 ->   203.145.115.xx:1935     43.2xx.47.2xx:57626 ->   203.145.115.xx:1935         0        0
      2016-05-10 15:40:10.952 CREATE  Ignore TCP      172.17.82.135:57846 ->   203.145.115.xx:1935     43.2xx.47.2xx:57846 ->   203.145.115.xx:1935         0        0
      2016-05-10 15:40:10.972 CREATE  Ignore TCP      172.17.82.135:57847 ->   203.145.115.xx:1935     43.2xx.47.2xx:57847 ->   203.145.115.xx:1935         0        0
      2016-05-10 15:40:11.038 CREATE  Ignore TCP      172.17.82.135:57848 ->   203.145.115.xx:1935     43.2xx.47.2xx:57848 ->   203.145.115.xx:1935         0        0
      2016-05-10 15:39:47.951 INVALID  Ignore TCP      172.17.82.135:57832 ->   203.145.115.xx:1935           0.0.0.0:0     ->          0.0.0.0:0          830        0
      2016-05-10 15:39:48.863 INVALID  Ignore TCP     203.145.115.xx:1935  ->    172.17.82.135:57832          0.0.0.0:0     ->          0.0.0.0:0          748        0
      2016-05-10 15:39:37.861 INVALID  Ignore TCP      172.17.82.135:57811 ->   203.145.115.xx:1935           0.0.0.0:0     ->          0.0.0.0:0         2810        0
      2016-05-10 15:39:37.866 INVALID  Ignore TCP     203.145.115.xx:1935  ->    172.17.82.135:57811          0.0.0.0:0     ->          0.0.0.0:0        86535        0
      

      Looks like it does not send out everything?

       
  • ABC

    ABC - 2016-05-10

    ipt-netflow sends everything, but what is shown by nfsen I don't know. You may verify with a Wireshark capture of the netflow traffic and check if the missed data is there.

     
    • Sonny

      Sonny - 2016-05-19

      I think I asked the wrong question.

      I mean only CREATE / DELETE events will show the NAT IP address,
      but if the event is INVALID it will not show the NAT IP address.

      nfdump filter:
      IP 172.17.80.249 AND SRC PORT 2279
      Date first seen          Event  XEvent Proto      Src IP Addr:Port          Dst IP Addr:Port     X-Src IP Addr:Port        X-Dst IP Addr:Port   In Byte Out Byte
      2016-05-18 20:49:58.664 CREATE  Ignore TCP      172.17.80.249:2279  ->  111.111.111.111:80       43.xxx.47.231:2279  ->  111.111.111.111:80           0        0
      2016-05-18 20:49:57.979 INVALID  Ignore TCP      172.17.80.249:2279  ->  111.111.111.111:80             0.0.0.0:0     ->          0.0.0.0:0          104        0
      2016-05-18 20:52:01.667 DELETE  Ignore TCP      172.17.80.249:2279  ->  111.111.111.111:80       43.xxx.47.231:2279  ->  111.111.111.111:80           0        0
      
       
  • ABC

    ABC - 2016-05-19

    I don't know what an "INVALID" event is. There are no such events in netflow/nel. I think this may be a problem of nfsen or, likely, your interpretation of nfsel output. You can analyze raw netflow packets with Wireshark. Also, note that NEL flows do not report traffic counters, but your 'invalid' line contains 'In Byte' with value '104'.

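A small checker for the nfdump listing discussed above, added here as an example and not part of the thread or of ipt-netflow/nfdump. It applies the distinction ABC draws: NEL records carry a translated (X-) tuple and no counters, while a line with a zeroed X-tuple and byte counters is an ordinary flow record that nfdump labels INVALID. The sample lines, the RFC 5737 addresses and the column regex are constructed to match the layout quoted in the thread.

```python
import re
from typing import Dict, List

# Column layout of the nfdump NEL listing quoted in the thread:
# Date first seen | Event | XEvent | Proto | Src -> Dst | X-Src -> X-Dst | In Byte | Out Byte
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<event>\S+)\s+(?P<xevent>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<xsrc>\S+)\s+->\s+(?P<xdst>\S+)"
    r"\s+(?P<inbytes>\d+)\s+(?P<outbytes>\d+)\s*$"
)

# Constructed sample in that layout (RFC 5737 documentation addresses, not the thread's hosts).
SAMPLE = """\
2016-05-18 20:49:58.664 CREATE  Ignore TCP      192.0.2.249:2279  ->  198.51.100.10:80       203.0.113.231:2279  ->  198.51.100.10:80           0        0
2016-05-18 20:49:57.979 INVALID  Ignore TCP      192.0.2.249:2279  ->  198.51.100.10:80             0.0.0.0:0     ->          0.0.0.0:0          104        0
2016-05-18 20:52:01.667 DELETE  Ignore TCP      192.0.2.249:2279  ->  198.51.100.10:80       203.0.113.231:2279  ->  198.51.100.10:80           0        0
"""

NEL_EVENTS = {"CREATE", "DELETE"}  # the only NAT event types ipt-netflow exports


def parse(text: str) -> List[Dict[str, str]]:
    """Parse nfdump lines; header and blank lines do not match and are skipped."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]


def classify(rec: Dict[str, str]) -> str:
    """A NEL record has a translated tuple and no counters; a zeroed X-tuple with
    byte counts is a plain flow record, not a NAT event (nfdump shows it as INVALID)."""
    has_xlate = not rec["xsrc"].startswith("0.0.0.0:")
    if rec["event"] in NEL_EVENTS and has_xlate:
        return "nat-event"
    if not has_xlate and (int(rec["inbytes"]) or int(rec["outbytes"])):
        return "flow-record"
    return "unexpected"


def join_flows_with_nat(text: str) -> List[Dict[str, str]]:
    """Annotate plain flow records with the translated source learned from the
    NAT events for the same pre-NAT src:port, which is how the two fit together."""
    recs = parse(text)
    xlate = {r["src"]: r["xsrc"] for r in recs if classify(r) == "nat-event"}
    out = []
    for r in recs:
        kind = classify(r)
        nat_src = r["xsrc"] if kind == "nat-event" else xlate.get(r["src"], "?")
        out.append({**r, "kind": kind, "nat_src": nat_src})
    return out
```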
     
  • pingping

    pingping - 2017-03-03

    With the ./configure --enable-natevents option, error message while compiling...

    make -C /tmp/bering-uclibc/source/linux/linux-i686 M=/tmp/bering-uclibc/source/iptables/ipt-netflow-master modules CONFIG_DEBUG_INFO=y
    make[2]: Entering directory `/tmp/bering-uclibc/source/linux/linux-i686'
    make -C /tmp/bering-uclibc/source/linux/linux-2.6.35.14 O=/tmp/bering-uclibc/source/linux/linux-i686/. modules
    /tmp/bering-uclibc/source/linux/linux-2.6.35.14/arch/x86/Makefile:81: stack protector enabled but no compiler support
      CC [M]  /tmp/bering-uclibc/source/iptables/ipt-netflow-master/ipt_NETFLOW.o
    /tmp/bering-uclibc/source/iptables/ipt-netflow-master/ipt_NETFLOW.c: In function 'register_ct_events':
    /tmp/bering-uclibc/source/iptables/ipt-netflow-master/ipt_NETFLOW.c:5309: error: implicit declaration of function 'ref_module'
    /tmp/bering-uclibc/source/iptables/ipt-netflow-master/ipt_NETFLOW.c: In function 'ipt_netflow_init':
    /tmp/bering-uclibc/source/iptables/ipt-netflow-master/ipt_NETFLOW.c:5429: warning: format '%lu' expects type 'long unsigned int', but argument 3 has type 'unsigned int'
    make[5]: *** [/tmp/bering-uclibc/source/iptables/ipt-netflow-master/ipt_NETFLOW.o] Error 1
    make[4]: *** [_module_/tmp/bering-uclibc/source/iptables/ipt-netflow-master] Error 2
    make[3]: *** [sub-make] Error 2
    make[2]: *** [all] Error 2
    make[2]: Leaving directory `/tmp/bering-uclibc/source/linux/linux-i686'
    make[1]: *** [ipt_NETFLOW.ko] Error 2
    make[1]: Leaving directory `/tmp/bering-uclibc/source/iptables/ipt-netflow-master'
    make: *** [ipt-netflow-master/.build] Error 1
    make: Leaving directory `/tmp/bering-uclibc/source/iptables'

    Without the --enable-natevents option, it seems OK.

    Any ideas?

     

    Last edit: pingping 2017-03-03
