Re: [Openfpc-users] Openfpc-users Digest, Vol 2, Issue 4
Open Source Full Packet Capture
From: Leon W. <le...@rm...> - 2015-08-26 08:13:19
Hi,

It should sort itself out, however if it was a large DB it will use a delete action to cull the tables, that isn't ideal but will work. If it doesn't, let me know and simply drop and recreate the db before restarting the openfpc.

Check the size of the DB by using a status command, check the session count is shrinking to match the new size of the packets. Some of the time window calculations may be a little off while it's shrinking. The shrink will start ~10 minutes after the queue daemon starts up. IIRC it will write something to the logfile about waking up to trim.

Something like..

$ sudo openfpc-dbmaint -a drop -t session -c /etc/openfpc/<nodename>.conf
$ sudo openfpc-dbmaint -a create -t session -c /etc/openfpc/<nodename>.conf

-L

On Tue, Aug 25, 2015 at 10:17 PM, John York <Yo...@br...> wrote:

> Related question: My /var/openfpc hard drive just failed. I've replaced
> the drive--do I need to do anything to the database?
>
> BTW--Love OpenFPC!!!
>
> John
>
> -----Original Message-----
> From: Leon Ward [mailto:le...@rm...]
> Sent: Tuesday, August 25, 2015 4:59 PM
> To: Igor Kaplan <igo...@gm...>
> Cc: <ope...@li...> <ope...@li...>
> Subject: Re: [Openfpc-users] Openfpc-users Digest, Vol 2, Issue 4
>
> That's where the pcaps should live, and they will grow to the max
> percentage that you allow in the node config.
>
> What does an openfpc-client -a status show?
>
> Also what's a df -h look like?
>
> The pcaps will auto-prune unless something has gone wrong along the way....
>
> Thinking out loud, what's an ls of your pcaps directory look like? Have
> you got multiple nodes running on one box?
>
> -L
>
> Sent from a mobile device. Apologies for any typos but they happen.
>
> On 25 Aug 2015, at 16:25, Igor Kaplan <igo...@gm...> wrote:
> >
> > Hi Leon,
> >
> > Could you please help me with the following.
> > I am running openfpc for several days already and now I am out of
> > space on my Ubuntu box which runs openfpc. Under /var/tmp/openfpc I see
> > directories, some of which contain a number of large files:
> > api-pcaps extracted pcap session
> >
> > I wonder, can I safely delete data under any of those directories above?
> > Could you please let me know, which directory I can empty without
> > breaking openfpc functionality?
> >
> > Is there any way to clean all captured data and start fresh?
> >
> > Many thanks.
> >
> > -Igor.
> >
> > -----Original Message-----
> > From: ope...@li... [mailto:ope...@li...]
> > Sent: Thursday, August 20, 2015 8:01 PM
> > To: ope...@li...
> > Subject: Openfpc-users Digest, Vol 2, Issue 4
> >
> > Send Openfpc-users mailing list submissions to
> > ope...@li...
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> > https://lists.sourceforge.net/lists/listinfo/openfpc-users
> > or, via email, send a message with subject or body 'help' to
> > ope...@li...
> >
> > You can reach the person managing the list at
> > ope...@li...
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of Openfpc-users digest..."
> >
> > Today's Topics:
> >
> > 1. Re: Openfpc usage (Igor Kaplan)
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Thu, 20 Aug 2015 20:01:08 -0400
> > From: "Igor Kaplan" <igo...@gm...>
> > Subject: Re: [Openfpc-users] Openfpc usage
> > To: <ope...@li...>
> > Message-ID: <000c01d0dba4$7c3c9910$74b5cb30$@gmail.com>
> > Content-Type: text/plain; charset="utf-8"
> >
> > Also sending my reply to the list, sorry, forgot to include it.
> >
> > From: Igor Kaplan [mailto:igo...@gm...]
> > Sent: Thursday, August 20, 2015 6:44 PM
> > To: 'Leon Ward'
> > Subject: RE: [Openfpc-users] Openfpc usage
> >
> > Version of mergecap:
> >
> > Mergecap 1.10.6 (v1.10.6 from master-1.10)
> >
> > Linux is Ubuntu 14.04.2 LTS
> >
> > File list.pcap
> >
> > list.pcap: pcap-ng capture file - version 1.0
> >
> > Thanks.
> >
> > From: leo...@gm... [mailto:leo...@gm...] On Behalf Of Leon Ward
> > Sent: Thursday, August 20, 2015 6:23 PM
> > To: Igor Kaplan
> > Cc: ope...@li...
> > Subject: Re: [Openfpc-users] Openfpc usage
> >
> > What's your platform, version of mergecap etc.
> >
> > Also, if you '$ file list.pcap' what does it say?
> >
> > -L
> >
> > On Thu, Aug 20, 2015 at 10:15 PM, Igor Kaplan <igo...@gm...> wrote:
> >
> > Hi Leon,
> >
> > Need your help please once again.
> >
> > Got the following problem and spent several hours trying to solve it.
> >
> > When making the API call to fetch the pcap data I am getting the data
> > in pcapng format.
> >
> > The OpenFPC is using the mergecap to merge pcap files and by default
> > mergecap creates the output in pcapng format instead of pcap.
> >
> > I have changed the following line in openfpc-default.conf file
> >
> > MERGECAP=/usr/bin/mergecap -F pcap
> >
> > This helped when I use the openfpc-client command to create pcap
> > files, however when I use curl to fetch the data I still receive the
> > output in pcapng format.
> >
> > curl -k 192.168.145.20:4222/api/1/fetch?apikey=38A69684-41F6-11E5-B47F-C061B4CE8A48\&stime=20150818%2010:00\&etime=20150818%2010:30\&dpt=22 > list.pcap
> >
> > cat list.pcap|tshark -i-
> >
> > Capturing on 'Standard input'
> >
> > tshark: Unrecognized libpcap format
> >
> > Looks like in case of API call the mergecap utility is not used at all.
> > And I was not able to find in the code how merging is done in this case.
> >
> > Could you please help me. Is it possible to make the fetch API call
> > to return the data in pcap format?
> >
> > Thanks so much!
> >
> > Igor
> >
> > From: leo...@gm... [mailto:leo...@gm...] On Behalf Of Leon Ward
> > Sent: Tuesday, August 18, 2015 1:29 PM
> > To: Igor Kaplan
> > Cc: ope...@li...
> > Subject: Re: [Openfpc-users] Openfpc usage
> >
> > Actually it won't. It will only remove the oldest PCAP file. It's best
> > to keep those PCAP files on their own partition.
> >
> > The old flow records in mysql actually get removed automatically based
> > on the oldest packet in the store. So you won't have records that are
> > older than the pcaps.
> >
> > -L
> >
> > On Tue, Aug 18, 2015 at 6:21 PM, Igor Kaplan <igo...@gm...> wrote:
> >
> > Hi Leon, all,
> >
> > I have one more question please.
> >
> > Based on the documentation the following line in the openfpc config
> > file restricts the space usage of captured data to 50 percent:
> >
> > PCAP_SPACE=50
> >
> > So, if the data size exceeds 50 percent old files will be deleted
> > automatically?
> >
> > Will openfpc also delete the old MySQL session tables?
> >
> > Many thanks and all the best!
> >
> > -Igor.
> >
> > From: leo...@gm... [mailto:leo...@gm...] On Behalf Of Leon Ward
> > Sent: Monday, August 17, 2015 11:51 AM
> > To: Igor Kaplan
> > Cc: ope...@li...
> > Subject: Re: [Openfpc-users] Openfpc usage
> >
> > Hi,
> >
> > Documentation is really one of the places that really needs some extra
> > focus.
> >
> > The best docs I can point you to are in that folder, plus there is
> > some out-of-date info on my blog http://www.leonward.com.
> >
> > I actually delivered a presentation at Defcon last weekend all about
> > OpenFPC. I have forwarded the slides separately. Hopefully that will
> > help as well.
> >
> > As for your specific question about OpenFPC GUI. That's actually now
> > been deprecated as it's no longer relevant for how it functions in a
> > distributed manner. The OpenFPC-Chrome Extension will be the next best
> > thing for interacting with the QueueDaemon remotely in a GUI-like way.
> >
> > Cheers,
> >
> > -L
> >
> > On Mon, Aug 17, 2015 at 4:25 PM, Igor Kaplan <igo...@gm...> wrote:
> >
> > Hi All,
> >
> > My name is Igor. I just found the OpenFPC and evaluating it. Looks
> > like it is a very good tool.
> >
> > I successfully installed on Ubuntu 14.4 with Perl 5.18
> >
> > I have installed the OpenFPC-master, so it is the latest code.
> >
> > Now I would like to find out if there is more documentation beside
> > files which I could find under docs directory.
> >
> > For example the INSTALL.md refers to the USAGE document, however I
> > was not able to find it anywhere
> >
> > I am looking for the usage other than basic, just to find out, what
> > are my advanced options.
> >
> > For example the openfpc-dbmaint.sh script is also able to create the
> > gui database, I wonder, what it is for?
> >
> > The OpenFPC looks to be very powerful, just would like to understand
> > it as best as I can.
> >
> > Would so much appreciate any replies.
> >
> > Many thanks.
> >
> > Igor.
> >
> > _______________________________________________
> > Openfpc-users mailing list
> > Ope...@li...
> > https://lists.sourceforge.net/lists/listinfo/openfpc-users
> >
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> >
> > End of Openfpc-users Digest, Vol 2, Issue 4
> > *******************************************