Re: [Openfpc-users] Openfpc-users Digest, Vol 2, Issue 4
Open Source Full Packet Capture
From: John Y. <Yo...@br...> - 2015-08-25 21:33:09
Related question: My /var/openfpc hard drive just failed. I've replaced the drive--do I need to do anything to the database?

BTW--Love OpenFPC!!!

John

-----Original Message-----
From: Leon Ward [mailto:le...@rm...]
Sent: Tuesday, August 25, 2015 4:59 PM
To: Igor Kaplan <igo...@gm...>
Cc: <ope...@li...> <ope...@li...>
Subject: Re: [Openfpc-users] Openfpc-users Digest, Vol 2, Issue 4

That's where the pcaps should live, and they will grow to the max percentage that you allow in the node config.

What does an openfpc-client -a status show?
Also what's a df -h look like?

The pcaps will auto-prune unless something has gone wrong along the way....

Thinking out loud, what's an ls of your pcaps directory look like? Have you got multiple nodes running on one box?

-L

Sent from a mobile device. Apologies for any typos but they happen.

> On 25 Aug 2015, at 16:25, Igor Kaplan <igo...@gm...> wrote:
>
> Hi Leon,
>
> Could you please help me with the following.
> I am running openfpc for several days already and now I am out of space on my Ubuntu box which runs openfpc. Under /var/tmp/openfpc I see directories, some of which contain a number of large files:
> api-pcaps extracted pcap session
>
> I wonder, can I safely delete data under any of those directories above?
> Could you please let me know, which directory I can empty without breaking openfpc functionality?
>
> Is there any way to clean all captured data and start fresh?
>
> Many thanks.
>
> -Igor.
>
> -----Original Message-----
> From: ope...@li... [mailto:ope...@li...]
> Sent: Thursday, August 20, 2015 8:01 PM
> To: ope...@li...
> Subject: Openfpc-users Digest, Vol 2, Issue 4
>
> Today's Topics:
>
> 1. Re: Openfpc usage (Igor Kaplan)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 20 Aug 2015 20:01:08 -0400
> From: "Igor Kaplan" <igo...@gm...>
> Subject: Re: [Openfpc-users] Openfpc usage
> To: <ope...@li...>
> Message-ID: <000c01d0dba4$7c3c9910$74b5cb30$@gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Also sending my reply to the list, sorry, forgot to include it.
>
> From: Igor Kaplan [mailto:igo...@gm...]
> Sent: Thursday, August 20, 2015 6:44 PM
> To: 'Leon Ward'
> Subject: RE: [Openfpc-users] Openfpc usage
>
> Version of mergecap:
>
> Mergecap 1.10.6 (v1.10.6 from master-1.10)
>
> Linux is Ubuntu 14.04.2 LTS
>
> File list.pcap
>
> list.pcap: pcap-ng capture file - version 1.0
>
> Thanks.
>
> From: leo...@gm... [mailto:leo...@gm...] On Behalf Of Leon Ward
> Sent: Thursday, August 20, 2015 6:23 PM
> To: Igor Kaplan
> Cc: ope...@li...
> Subject: Re: [Openfpc-users] Openfpc usage
>
> What's your platform, version of mergecap etc.
>
> Also, if you '$ file list.pcap' what does it say?
>
> -L
>
> On Thu, Aug 20, 2015 at 10:15 PM, Igor Kaplan <igo...@gm...> wrote:
>
> Hi Leon,
>
> Need your help please once again.
>
> Got the following problem and spent several hours trying to solve it.
>
> When making the API call to fetch the pcap data I am getting the data in pcapng format.
>
> The OpenFPC is using the mergecap to merge pcap files and by default mergecap creates the output in pcapng format instead of pcap.
>
> I have changed the following line in openfpc-default.conf file
>
> MERGECAP=/usr/bin/mergecap -F pcap
>
> This helped when I use the openfpc-client command to create pcap files, however when I use curl to fetch the data I still receive the output in pcapng format.
>
> curl -k 192.168.145.20:4222/api/1/fetch?apikey=38A69684-41F6-11E5-B47F-C061B4CE8A48\&stime=20150818%2010:00\&etime=20150818%2010:30\&dpt=22 > list.pcap
>
> cat list.pcap|tshark -i-
>
> Capturing on 'Standard input'
>
> tshark: Unrecognized libpcap format
>
> Looks like in case of API call the mergecap utility is not used at all. And I was not able to find in the code how merging is done in this case.
>
> Could you please help me. Is it possible to make the fetch API call to return the data in pcap format?
>
> Thanks so much!
>
> Igor
>
> From: leo...@gm... [mailto:leo...@gm...] On Behalf Of Leon Ward
> Sent: Tuesday, August 18, 2015 1:29 PM
> To: Igor Kaplan
> Cc: ope...@li...
> Subject: Re: [Openfpc-users] Openfpc usage
>
> Actually it won't. It will only remove the oldest PCAP file. It's best to keep those PCAP files on their own partition.
>
> The old flow records in mysql actually get removed automatically based on the oldest packet in the store. So you won't have records that are older than the pcaps.
>
> -L
>
> On Tue, Aug 18, 2015 at 6:21 PM, Igor Kaplan <igo...@gm...> wrote:
>
> Hi Leon, all,
>
> I have one more question please.
>
> Based on the documentation the following line in the openfpc config file restricts the space usage of captured data to 50 percent:
>
> PCAP_SPACE=50
>
> So, if the data size exceeds 50 percent old files will be deleted automatically?
>
> Will openfpc also delete the old MySQL session tables?
>
> Many thanks and all the best!
>
> -Igor.
>
> From: leo...@gm... [mailto:leo...@gm...] On Behalf Of Leon Ward
> Sent: Monday, August 17, 2015 11:51 AM
> To: Igor Kaplan
> Cc: ope...@li...
> Subject: Re: [Openfpc-users] Openfpc usage
>
> Hi,
>
> Documentation is really one of the places that really needs some extra focus.
>
> The best docs I can point you to are in that folder, plus there is some out-of-date info on my blog http://www.leonward.com.
>
> I actually delivered a presentation at Defcon last weekend all about OpenFPC. I have forwarded the slides separately. Hopefully that will help as well.
>
> As for your specific question about OpenFPC GUI. That's actually now been deprecated as it's no longer relevant for how it functions in a distributed manner. The OpenFPC-Chrome Extension will be the next best thing for interacting with the QueueDaemon remotely in a GUI-like way.
>
> Cheers,
>
> -L
>
> On Mon, Aug 17, 2015 at 4:25 PM, Igor Kaplan <igo...@gm...> wrote:
>
> Hi All,
>
> My name is Igor. I just found the OpenFPC and am evaluating it. Looks like it is a very good tool.
>
> I successfully installed on Ubuntu 14.4 with Perl 5.18
>
> I have installed the OpenFPC-master, so it is the latest code.
>
> Now I would like to find out if there is more documentation beside files which I could find under docs directory.
>
> For example the INSTALL.md refers to the USAGE document, however I was not able to find it anywhere
>
> I am looking for the usage other than basic, just to find out, what are my advanced options.
>
> For example the openfpc-dbmaint.sh script is also able to create the gui database, I wonder, what it is for?
>
> The OpenFPC looks to be very powerful, just would like to understand it as best as I can.
>
> Would so much appreciate any reply's.
>
> Many thanks.
>
> Igor.
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Openfpc-users mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openfpc-users
>
> End of Openfpc-users Digest, Vol 2, Issue 4
> *******************************************
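The format mismatch discussed in the quoted thread (mergecap writing pcapng by default, `file list.pcap` reporting pcap-ng, tshark rejecting the piped file) can be confirmed from the first bytes of whatever the fetch call saved. The following is an added example, not part of the original messages or of OpenFPC's code; the function names and the two sample headers are constructed for illustration.

```python
import struct

# Magic numbers from the libpcap and pcapng file format specifications.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("little-endian", "microsecond"),
    b"\xa1\xb2\xc3\xd4": ("big-endian", "microsecond"),
    b"\x4d\x3c\xb2\xa1": ("little-endian", "nanosecond"),
    b"\xa1\xb2\x3c\x4d": ("big-endian", "nanosecond"),
}
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"  # Section Header Block type (same in both byte orders)
PCAPNG_BOM = 0x1A2B3C4D           # byte-order magic stored inside the SHB

# Constructed sample headers (not taken from any real capture).
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_PCAPNG = struct.pack("<IIIHHq", 0x0A0D0D0A, 28, PCAPNG_BOM, 1, 0, -1)


def identify_capture(header: bytes) -> dict:
    """Classify the first bytes of a file as pcap, pcapng or unknown."""
    magic = header[:4]
    if magic in PCAP_MAGICS:
        order, resolution = PCAP_MAGICS[magic]
        info = {"format": "pcap", "byte_order": order, "timestamps": resolution}
        if len(header) >= 24:  # full global header: version, snaplen, link type
            e = "<" if order == "little-endian" else ">"
            major, minor = struct.unpack(e + "HH", header[4:8])
            snaplen, linktype = struct.unpack(e + "II", header[16:24])
            info.update(version=f"{major}.{minor}", snaplen=snaplen, linktype=linktype)
        return info
    if magic == PCAPNG_SHB:
        if len(header) < 12:
            return {"format": "unknown", "reason": "truncated pcapng section header"}
        for e, order in (("<", "little-endian"), (">", "big-endian")):
            if struct.unpack(e + "I", header[8:12])[0] == PCAPNG_BOM:
                info = {"format": "pcapng", "byte_order": order}
                if len(header) >= 16:
                    major, minor = struct.unpack(e + "HH", header[12:16])
                    info["version"] = f"{major}.{minor}"
                return info
        return {"format": "unknown", "reason": "bad pcapng byte-order magic"}
    return {"format": "unknown", "reason": "no capture magic (error text or empty body?)"}


def identify_file(path: str) -> dict:
    """Read only the first 24 bytes of a file, e.g. the output saved by curl."""
    with open(path, "rb") as fh:
        return identify_capture(fh.read(24))
```

Calling `identify_file("list.pcap")` on the saved output distinguishes a pcapng body from a classic pcap one, and from a response that is not a capture at all.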