Re: [Nfsen-discuss] Some problems with new snapshot
Netflow visualisation and investigation tool
From: Peter H. <ha...@sw...> - 2007-01-25 12:22:05
Hi Vojtec,

I have no explanation so far. I need to dive into that. Give me some time
when I'm back in the office.

> Hi Peter,
> thanks for help,
>
> Peter Haag wrote:
>> Which is the old version you upgraded? The bookkeeper is not new to the
>> snapshot. If you look at the log nfdump complains and tells you which
>> Process pid is running to collect data for this data directory. And this
>> other process does actually run, as nfdump will check this. Could you
>> please check which process it is? How does your nfsen.conf look like?
>>
>>
> We used nfsen-snapshot from October 2006, nfdump1.5.1. before.
> These other processes are other collectors for other sources, in complete
> start log you can see:
>
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28608]: Bound to IPv4 host/IP: any, Port: 2054
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28608]: Standard setsockopt, SO_RCVBUF is 109568 Requested length is 200000 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28608]: System set setsockopt, SO_RCVBUF to 262142 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28610]: Startup.
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28611]: Bound to IPv4 host/IP: any, Port: 60000
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28611]: Standard setsockopt, SO_RCVBUF is 109568 Requested length is 200000 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28611]: System set setsockopt, SO_RCVBUF to 262142 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28613]: Startup.
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28614]: Bound to IPv4 host/IP: any, Port: 60003
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28614]: Standard setsockopt, SO_RCVBUF is 109568 Requested length is 200000 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28614]: System set setsockopt, SO_RCVBUF to 262142 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28616]: Startup.
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28617]: Bound to IPv4 host/IP: any, Port: 60004
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28617]: Standard setsockopt, SO_RCVBUF is 109568 Requested length is 200000 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28617]: System set setsockopt, SO_RCVBUF to 262142 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28619]: Another collector with pid 28613 is already running, and configured for '/mnt/data/nfsen/profiles/live/kovesau9'
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28619]: initialize bookkeeper failed.
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28620]: Bound to IPv4 host/IP: any, Port: 60001
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28620]: Standard setsockopt, SO_RCVBUF is 109568 Requested length is 200000 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28620]: System set setsockopt, SO_RCVBUF to 262142 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28622]: Startup.
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28623]: Bound to IPv4 host/IP: any, Port: 60006
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28623]: Standard setsockopt, SO_RCVBUF is 109568 Requested length is 200000 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28623]: System set setsockopt, SO_RCVBUF to 262142 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28625]: Startup.
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28626]: Bound to IPv4 host/IP: any, Port: 60002
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28626]: Standard setsockopt, SO_RCVBUF is 109568 Requested length is 200000 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28626]: System set setsockopt, SO_RCVBUF to 262142 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28628]: Startup.
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28629]: Bound to IPv4 host/IP: any, Port: 60009
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28629]: Standard setsockopt, SO_RCVBUF is 109568 Requested length is 200000 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28629]: System set setsockopt, SO_RCVBUF to 262142 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28631]: Startup.
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28632]: Bound to IPv4 host/IP: any, Port: 60008
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28632]: Standard setsockopt, SO_RCVBUF is 109568 Requested length is 200000 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28632]: System set setsockopt, SO_RCVBUF to 262142 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28634]: Startup.
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28635]: Bound to IPv4 host/IP: any, Port: 2055
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28635]: Standard setsockopt, SO_RCVBUF is 109568 Requested length is 200000 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28635]: System set setsockopt, SO_RCVBUF to 262142 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28637]: Another collector with pid 28622 is already running, and configured for '/mnt/data/nfsen/profiles/live/flowmonPED9'
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28637]: initialize bookkeeper failed.
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28638]: Bound to IPv4 host/IP: any, Port: 60007
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28638]: Standard setsockopt, SO_RCVBUF is 109568 Requested length is 200000 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28638]: System set setsockopt, SO_RCVBUF to 262142 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28640]: Another collector with pid 28625 is already running, and configured for '/mnt/data/nfsen/profiles/live/testing3'
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28640]: initialize bookkeeper failed.
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28641]: Bound to IPv4 host/IP: any, Port: 60005
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28641]: Standard setsockopt, SO_RCVBUF is 109568 Requested length is 200000 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28641]: System set setsockopt, SO_RCVBUF to 262142 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28643]: Another collector with pid 28628 is already running, and configured for '/mnt/data/nfsen/profiles/live/cabernet9'
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28643]: initialize bookkeeper failed.
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28644]: Bound to IPv4 host/IP: any, Port: 60101
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28644]: Standard setsockopt, SO_RCVBUF is 109568 Requested length is 200000 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28644]: System set setsockopt, SO_RCVBUF to 262142 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28646]: Another collector with pid 28634 is already running, and configured for '/mnt/data/nfsen/profiles/live/kopr9'
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28646]: initialize bookkeeper failed.
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28647]: Bound to IPv4 host/IP: any, Port: 60100
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28647]: Standard setsockopt, SO_RCVBUF is 109568 Requested length is 200000 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28647]: System set setsockopt, SO_RCVBUF to 262142 bytes
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28649]: Another collector with pid 28622 is already running, and configured for '/mnt/data/nfsen/profiles/live/kopr5'
> Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28649]: initialize bookkeeper failed.
>
> So for example, source at port 60004 is blocked by collector with PID
> 28613 -> and it is collector for source at port 60000.
> A part of my nfsen.conf looks like:
> %sources = (
>     'testing1' => { 'port' => '60000', 'col' => '#ff00ff' },
>     'testing2' => { 'port' => '60006', 'col' => '#FF66FF' },
>     'testing3' => { 'port' => '60007', 'col' => '#FF99FF' },
>     'testing4' => { 'port' => '60008', 'col' => '#FF0099' },
>     'kovesau' => { 'port' => '60001', 'col' => '#336600' },
>     'kovesau9' => { 'port' => '60004', 'col' => '#009900' },
>     'cabernet' => { 'port' => '60002', 'col' => '#330099' },
>     'cabernet9' => { 'port' => '60005', 'col' => '#3333CC' },
>     'flowmonPED' => { 'port' => '2054', 'col' => '#00FF00' },
>     'flowmonPED9' => { 'port' => '2055', 'col' => '#00CC00' },
>     'kopr5' => { 'port' => '60100', 'col' => '#FF6633' },
>     'kopr9' => { 'port' => '60101', 'col' => '#FFCC33' },
>     'jetel9'=> { 'port' => '60003', 'col' => '#3399FF' },
>     'jetel5'=> { 'port' => '60009', 'col' => '#99FFCC' },
> );
>
>> So what does the logfile say? If a profile can not be updated, the reason
>> is reported into the log file.
>>
>>
> About this profile, I can see only these log messages:
>
> Jan 25 06:30:30 localhost nfsen[2680]: profile opts: .#pajdak#2#flowmonPED#flowmonPED
> Jan 25 06:30:30 localhost nfsen[2680]: profile opts: .#pajdak#2#flowmonPED9#flowmonPED9
> Jan 25 06:30:32 localhost nfsen[2680]: Update profile pajdak in group .
> Jan 25 06:30:36 localhost nfsen[2680]: Expire profile pajdak group . low water mark: 0.9%
> Jan 25 06:30:36 localhost nfsen[2680]: nfexpire: Include nfcapd bookeeping record in /mnt/data/nfsen/profiles/./pajdak/flowmonPED
> Jan 25 06:30:36 localhost nfsen[2680]: nfexpire: Include nfcapd bookeeping record in /mnt/data/nfsen/profiles/./pajdak/flowmonPED9
> Jan 25 06:30:36 localhost nfsen[2680]: nfexpire: Expired files: 0
> Jan 25 06:30:36 localhost nfsen[2680]: nfexpire: Expired file size: 0 B
> Jan 25 06:30:36 localhost nfsen[2680]: nfexpire: Expired time range: 0 sec
> Jan 25 06:35:00 localhost /usr/local/bin/nfcapd[2639]: Ident: 'flowmonPED' Flows: 3420, Packets: 37547, Bytes: 21594538, Sequence Errors: 0, Bad Packets: 0
>
>
> Thanks!
> Vojtec
>
> _______________________________________________
> Nfsen-discuss mailing list
> Nfs...@li...
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
E-mail: pet...@sw... Web: http://www.switch.ch/
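
The correlation done by hand in the quoted message (conflict line, holder pid, port, source name) can be scripted; the following is an added example, not part of the original thread and not nfsen or nfdump code. It assumes collectors log in start order, so a `Bound to` line and the next `Startup.` or conflict line belong to the same source; `find_conflicts` is a hypothetical helper name, and the input is a subset of the log and `%sources` quoted above.

```python
import re

# Subset of the %sources ports quoted in the thread (port -> ident).
SOURCES = {60000: "testing1", 60003: "jetel9", 60004: "kovesau9"}

# Lines taken from the startup log quoted in the thread (setsockopt lines left out).
LOG = """\
Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28611]: Bound to IPv4 host/IP: any, Port: 60000
Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28613]: Startup.
Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28614]: Bound to IPv4 host/IP: any, Port: 60003
Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28616]: Startup.
Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28617]: Bound to IPv4 host/IP: any, Port: 60004
Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28619]: Another collector with pid 28613 is already running, and configured for '/mnt/data/nfsen/profiles/live/kovesau9'
Jan 25 11:29:13 localhost /usr/local/bin/nfcapd[28619]: initialize bookkeeper failed.
"""

LINE = re.compile(r"nfcapd\[(\d+)\]: (.*)$")
BOUND = re.compile(r"Bound to .*Port: (\d+)")
CLASH = re.compile(r"Another collector with pid (\d+) is already running, "
                   r"and configured for '([^']+)'")

def find_conflicts(log, sources):
    """Return one record per bookkeeper conflict: blocked source and the pid blamed."""
    pending_port = None   # port from the most recent "Bound to" line (assumed ordering)
    daemon_port = {}      # pid that logged "Startup." -> port it collects on
    conflicts = []
    for raw in log.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        if (b := BOUND.search(msg)):
            pending_port = int(b.group(1))
        elif msg.startswith("Startup.") and pending_port is not None:
            daemon_port[pid], pending_port = pending_port, None
        elif (c := CLASH.search(msg)):
            holder = int(c.group(1))
            conflicts.append({
                "blocked_source": sources.get(pending_port, "unknown"),
                "blocked_port": pending_port, "data_dir": c.group(2),
                "holder_pid": holder, "holder_port": daemon_port.get(holder),
                "holder_source": sources.get(daemon_port.get(holder), "unknown"),
            })
            pending_port = None
    return conflicts

if __name__ == "__main__":
    for c in find_conflicts(LOG, SOURCES):
        print("{blocked_source} (port {blocked_port}) blocked by pid {holder_pid}, "
              "collector for {holder_source} (port {holder_port})".format(**c))
```

A record whose `holder_source` differs from `blocked_source` is the situation reported in the thread: the pid named in the conflict message belongs to a collector for another source.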