Re: [Nfsen-discuss] problem with more than 10 sources with the latest snapshot
From: Peter H. <ha...@sw...> - 2006-08-10 07:40:14
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Yann,
I installed the latest nfdump/nfsen snapshots on a Debian Sarge laptop and configured 20 sources. It runs perfectly well. I know Maurizio has even more on his installation.
You may do a test like this:
#!/bin/sh
# Start 20 test collectors, each with its own port, data directory and pid file
for num in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
    mkdir -p nftest/${num}
    /usr/local/bin/nfcapd -w -D -I flows -p 123${num} -l nftest/${num} -P nftest/test-${num}.pid
    sleep 1
done
Note on the number of semaphores:
On an old FreeBSD-5.4 I have, there is a limit of 10 processes which get started. This is due to the max semaphore settings in the FreeBSD I have tested. But this is properly reported in the syslog file. I don't know what decent FreeBSDs are configured for.
- Peter
- -------- Original Message --------
From: Yann Berthier <yb...@ba...>
To: Peter Haag <ha...@sw...>
Subject: Re:[Nfsen-discuss] problem with more than 10 sources with the latest snapshot
Date: Wed Aug 09 2006 16:53:22 GMT+0200 (CEST)
> On Wed, 09 Aug 2006, at 16:01, Peter Haag wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hi Yann,
>>
>> - -------- Original Message --------
>> From: Yann Berthier <yb...@ba...>
>> To: nfs...@li...
>> Subject: [Nfsen-discuss] problem with more than 10 sources with the latest snapshot
>> Date: Wed Aug 09 2006 13:53:51 GMT+0200 (CEST)
>>
>>> Hi Peter,
>>>
>>> It seems that i triggered a bug when trying to have more than 10
>>> sources, probably in the pid generation routine: nfcapd logs
>>> "Another collector with pid 6312 is already running, and configured
>>> for '/data/nfsen/profile/live/cat2'" at start time, so the nfcapd
>>> process for this source is not spawned
>>>
>>> Reproducible on another machine, another OS, with 12 sources:
>>>
>>> Shutdown nfcpad: 6:[8912] 11:[8917] 3:[8922] 7:[8927] 9:[8932]
>>> 12:[8937] 2:[8942] 8:[8947] 1:[8952] 4:[8957] 10:[no pid file found!]
>>> 5:[no pid file found!].
>>>
>>> i have not tried with older releases
>> Well it seems, as you really configured the same data directory '/data/nfsen/profile/live/cat2' twice:
>> nfcapd recognizes if there is already another process running, using the same data directory. It checks if the other process is really running, or dead. This is not based on the pid file, but on
>> shared memory which nfcapd/nfexpire are using to communicate (IPC).
>
> sorry, i supposed naively that - ok never mind
>
>> So in your case nfcapd really found this process running. I guess there is a configuration issue, or a process which is still hanging around for some reason. Stop all nfcapd processes and check in the
>> ps output if really all nfcapd collectors stopped. There should be no more shared memory segments allocated.
>
> I can confirm that no shared memory segments are left behind when i
> stop nfsen, no process, no nothing, nada
>
> so, same test on a gnu-linux-fedora-whatever-fc4 machine and a
> freebsd-current box. Well, almost: 11 sources there, 12 here
>
> i have x unique sources declared. I can confirm that after starting
> nfsen, along with some error messages at start time, like pasted in
> my previous mail, or each 5 minutes, like below:
>
> "Expected file not found:
> /data/nfsen/profiles/live/5//nfcapd.200608091625"
>
> i have no more than 10 shms on both machines owned by my nfsen user,
> and i have no more than 10 udp sockets for nfsen, and no nfcapd
> processes for the cursed sources (so one for the 11 sources case, and
> 2 for the 12 sources case)
>
> if you have the clue bat ... in the meantime i'll dig around to see
> where i could have messed up something
>
> thanks,
>
> - yann
>
- --
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
E-mail: pet...@sw... Web: http://www.switch.ch/security
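The check discussed in this thread (compare the configured sources with the IPC objects the collectors actually hold) as a small script. This is an added example, not part of the original mails and not nfsen/nfdump code. The user name "nfsen", the function names and the sample `ipcs` output are assumptions made for illustration, as is the idea of one IPC object per running collector, which is inferred from the counts reported above.

```shell
#!/bin/sh
# Added example. Assumed: collectors run as user "nfsen" and every running
# collector holds one IPC object (shared memory segment or semaphore).

# count_owned USER: read `ipcs -m` or `ipcs -s` output on stdin and print the
# number of rows owned by USER. The owner column is located from the header
# row, so the Linux and the FreeBSD layouts are both handled.
count_owned() {
    awk -v user="$1" '
        col == 0 {                      # header row not seen yet
            for (i = 1; i <= NF; i++)
                if (tolower($i) == "owner") col = i
            next
        }
        NF >= col && $col == user { n++ }
        END { print n + 0 }
    '
}

# report USER CONFIGURED: compare the configured source count with the IPC
# objects listed on stdin and print the shortfall.
report() {
    have=$(count_owned "$1")
    missing=0
    if [ "$2" -gt "$have" ]; then missing=$(( $2 - have )); fi
    echo "configured=$2 ipc_objects=$have missing=$missing"
}

# Constructed sample, Linux `ipcs -m` layout: 10 segments owned by nfsen.
sample_linux() {
    echo "------ Shared Memory Segments --------"
    echo "key        shmid      owner      perms      bytes      nattch     status"
    i=0
    while [ "$i" -lt 10 ]; do
        echo "0x00000000 $((32768 + i))      nfsen      600        1024       1"
        i=$((i + 1))
    done
    echo "0x00000000 99         root       644        4096       2"
}

# Constructed sample, FreeBSD `ipcs -m` layout: one segment owned by nfsen.
sample_freebsd() {
    echo "Shared Memory:"
    echo "T           ID          KEY MODE        OWNER    GROUP"
    echo "m        65536            0 --rw-------  nfsen    nfsen"
    echo "m        65537            0 --rw-------  www      www"
}

# Live use: ipcs -m | report nfsen 12 ; ipcs -s | report nfsen 12
#           pgrep -u nfsen -x nfcapd | wc -l    # collectors actually running
sample_linux | report nfsen 12
```

A non-zero `missing` with no leftover processes points at a system limit rather than a stale collector; on FreeBSD the semaphore limits can be read with `sysctl kern.ipc.semmni kern.ipc.semmns`, on Linux with `ipcs -ls`.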