Re: [Openfpc-users] Openfpc-users Digest, Vol 2, Issue 4
Open Source Full Packet Capture
Brought to you by:
leonward
From: Leon W. <le...@rm...> - 2015-08-26 08:15:47
Ahhhh. If, when you start daemonlogger, you've already got less than the minimum amount of space left, bad things can happen. IIRC I did create a warning on startup to let you know, but it may have been missed if it started at boot time.

So if your VM has < 50% of space all the time, up the max space to something like 80%.

Once again, it's always best to put the pcaps on a second partition so you can handle them without worrying about other files on the filesystem.

-L

On Tue, Aug 25, 2015 at 10:28 PM, Igor Kaplan <igo...@gm...> wrote:

> Hi Leon,
>
> Thanks so much for your reply.
> Actually what happened.
> The total size of my vm is 16 GB.
> The maximum allowed size in my config is 50 percent
> PCAP_SPACE=50
>
> However the size of /var/tmp/openfpc/pcap was 14 GB, much more than 50 percent.
>
> Unfortunately I already cleaned everything since vm was not operational, so not able to send the listing of pcap directory.
> I also for now don't use any bpf filters, however still, as I understand, the size should not have grown more than 50 percent. And I am using just the single openfpc node on that host.
>
> I'll watch the size growth in nearest future and see.
>
> All the best.
>
> -Igor
>
> -----Original Message-----
> From: Leon Ward [mailto:leo...@gm...] On Behalf Of Leon Ward
> Sent: Tuesday, August 25, 2015 4:59 PM
> To: Igor Kaplan
> Cc: <ope...@li...>
> Subject: Re: [Openfpc-users] Openfpc-users Digest, Vol 2, Issue 4
>
> That's where the pcaps should live, and they will grow to the max percentage that you allow in the node config.
>
> What does an openfpc-client -a status show?
>
> Also what's a df -h look like?
>
> The pcaps will auto-prune unless something has gone wrong along the way....
>
> Thinking out loud, what's an ls of your pcaps directory look like? Have you got multiple nodes running on one box?
>
> -L
>
> Sent from a mobile device. Apologies for any typos but they happen.
>
> On 25 Aug 2015, at 16:25, Igor Kaplan <igo...@gm...> wrote:
>
> > Hi Leon,
> >
> > Could you please help me with following.
> > I am running openfpc for several days already and now I am out of space on my Ubuntu box which runs openfpc.
> > Under /var/tmp/openfpc I see directories, some of which contain number of large files:
> > api-pcaps extracted pcap session
> >
> > I wonder, can I safely delete data under any of those directories above?
> > Could you please let me know, which directory I can empty without breaking openfpc functionality?
> >
> > Is there any way to clean all captured data and start fresh?
> >
> > Many thanks.
> >
> > -Igor.
> >
> > -----Original Message-----
> > From: ope...@li... [mailto:ope...@li...]
> > Sent: Thursday, August 20, 2015 8:01 PM
> > To: ope...@li...
> > Subject: Openfpc-users Digest, Vol 2, Issue 4
> >
> > Send Openfpc-users mailing list submissions to
> >     ope...@li...
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> >     https://lists.sourceforge.net/lists/listinfo/openfpc-users
> > or, via email, send a message with subject or body 'help' to
> >     ope...@li...
> >
> > You can reach the person managing the list at
> >     ope...@li...
> >
> > When replying, please edit your Subject line so it is more specific than "Re: Contents of Openfpc-users digest..."
> >
> > Today's Topics:
> >
> >    1. Re: Openfpc usage (Igor Kaplan)
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Thu, 20 Aug 2015 20:01:08 -0400
> > From: "Igor Kaplan" <igo...@gm...>
> > Subject: Re: [Openfpc-users] Openfpc usage
> > To: <ope...@li...>
> > Message-ID: <000c01d0dba4$7c3c9910$74b5cb30$@gmail.com>
> > Content-Type: text/plain; charset="utf-8"
> >
> > Also sending my reply to the list, sorry, forgot to include it.
> >
> > From: Igor Kaplan [mailto:igo...@gm...]
> > Sent: Thursday, August 20, 2015 6:44 PM
> > To: 'Leon Ward'
> > Subject: RE: [Openfpc-users] Openfpc usage
> >
> > Version of mergecap:
> > Mergecap 1.10.6 (v1.10.6 from master-1.10)
> >
> > Linux is Ubuntu 14.04.2 LTS
> >
> > File list.pcap
> > list.pcap: pcap-ng capture file - version 1.0
> >
> > Thanks.
> >
> > From: leo...@gm... [mailto:leo...@gm...] On Behalf Of Leon Ward
> > Sent: Thursday, August 20, 2015 6:23 PM
> > To: Igor Kaplan
> > Cc: ope...@li...
> > Subject: Re: [Openfpc-users] Openfpc usage
> >
> > What's your platform, version of mergecap etc.
> > Also, if you '$ file list.pcap' what does it say?
> >
> > -L
> >
> > On Thu, Aug 20, 2015 at 10:15 PM, Igor Kaplan <igo...@gm...> wrote:
> >
> > Hi Leon,
> >
> > Need your help please once again.
> > Got the following problem and spent several hours trying to solve it.
> >
> > When making the API call to fetch the pcap data I am getting the data in pcapng format.
> > The OpenFPC is using the mergecap to merge pcap files and by default mergecap creates the output in pcapng format instead of pcap.
> >
> > I have changed the following line in openfpc-default.conf file
> > MERGECAP=/usr/bin/mergecap -F pcap
> >
> > This helped when I use the openfpc-client command to create pcap files, however when I use curl to fetch the data I still receive the output in pcapng format.
> >
> > curl -k 192.168.145.20:4222/api/1/fetch?apikey=38A69684-41F6-11E5-B47F-C061B4CE8A48\&stime=20150818%2010:00\&etime=20150818%2010:30\&dpt=22 > list.pcap
> >
> > cat list.pcap|tshark -i-
> > Capturing on 'Standard input'
> > tshark: Unrecognized libpcap format
> >
> > Looks like in case of API call the mergecap utility is not used at all. And I was not able to find in the code how merging is done in this case.
> >
> > Could you please help me. Is it possible to make the fetch API call to return the data in pcap format?
> >
> > Thanks so much!
> >
> > Igor
> >
> > From: leo...@gm... [mailto:leo...@gm...] On Behalf Of Leon Ward
> > Sent: Tuesday, August 18, 2015 1:29 PM
> > To: Igor Kaplan
> > Cc: ope...@li...
> > Subject: Re: [Openfpc-users] Openfpc usage
> >
> > Actually it won't. It will only remove the oldest PCAP file. It's best to keep those PCAP files on their own partition.
> > The old flow records in mysql actually get removed automatically based on the oldest packet in the store. So you won't have records that are older than the pcaps.
> >
> > -L
> >
> > On Tue, Aug 18, 2015 at 6:21 PM, Igor Kaplan <igo...@gm...> wrote:
> >
> > Hi Leon, all,
> >
> > I have one more question please.
> >
> > Based on the documentation the following line in the openfpc config file restricts the space usage of captured data to 50 percent:
> > PCAP_SPACE=50
> >
> > So, if the data size exceeds 50 percent old files will be deleted automatically?
> > Will openfpc also delete the old MySQL session tables?
> >
> > Many thanks and all the best!
> >
> > -Igor.
> >
> > From: leo...@gm... [mailto:leo...@gm...] On Behalf Of Leon Ward
> > Sent: Monday, August 17, 2015 11:51 AM
> > To: Igor Kaplan
> > Cc: ope...@li...
> > Subject: Re: [Openfpc-users] Openfpc usage
> >
> > Hi,
> >
> > Documentation is really one of the places that really needs some extra focus.
> >
> > The best docs I can point you to are in that folder, plus there is some out-of-date info on my blog http://www.leonward.com.
> > I actually delivered a presentation at Defcon last weekend all about OpenFPC. I have forwarded the slides separately. Hopefully that will help as well.
> >
> > As for your specific question about OpenFPC GUI. That's actually now been deprecated as it's no longer relevant for how it functions in a distributed manner. The OpenFPC-Chrome Extension will be the next best thing for interacting with the QueueDaemon remotely in a GUI-like way.
> >
> > Cheers,
> >
> > -L
> >
> > On Mon, Aug 17, 2015 at 4:25 PM, Igor Kaplan <igo...@gm...> wrote:
> >
> > Hi All,
> >
> > My name is Igor. I just found the OpenFPC and evaluating it. Looks like it is a very good tool.
> > I successfully installed on Ubuntu 14.4 with Perl 5.18
> > I have installed the OpenFPC-master, so it is the latest code.
> >
> > Now I would like to find out if there is more documentation beside files which I could find under docs directory.
> > For example the INSTALL.md refers to the USAGE document, however I was not able to find it anywhere
> >
> > I am looking for the usage other than basic, just to find out, what are my advanced options.
> >
> > For example the openfpc-dbmaint.sh script is also able to create the gui database, I wonder, what it is for?
> >
> > The OpenFPC looks to be very powerful, just would like to understand it as best as I can.
> >
> > Would so much appreciate any reply's.
> >
> > Many thanks.
> >
> > Igor.
> >
> > _______________________________________________
> > Openfpc-users mailing list
> > Ope...@li...
> > https://lists.sourceforge.net/lists/listinfo/openfpc-users
> >
> > End of Openfpc-users Digest, Vol 2, Issue 4
> > *******************************************
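
Added example, not part of the original thread and not OpenFPC code: the thread settles the pcap versus pcapng question with `file list.pcap`, and the same check can be made on the first bytes of whatever the fetch call returned, because classic libpcap files and pcapng files start with different magic numbers. The function names and the sample headers below are constructed for illustration.

```python
import struct

# First four bytes of a classic libpcap file -> (struct byte order, timestamp resolution)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "microsecond"),
    b"\xa1\xb2\xc3\xd4": (">", "microsecond"),
    b"\x4d\x3c\xb2\xa1": ("<", "nanosecond"),
    b"\xa1\xb2\x3c\x4d": (">", "nanosecond"),
}
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type
PCAPNG_BOM = 0x1A2B3C4D           # byte-order magic stored inside the SHB


def identify_capture(head: bytes) -> dict:
    """Classify the leading bytes of a capture as pcap, pcapng or unknown."""
    magic = head[:4]
    if magic in PCAP_MAGICS:
        order, resolution = PCAP_MAGICS[magic]
        if len(head) < 24:
            return {"format": "pcap", "truncated": True}
        major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
            order + "HHiIII", head[4:24])
        return {"format": "pcap", "truncated": False, "version": (major, minor),
                "resolution": resolution, "snaplen": snaplen, "linktype": linktype}
    if magic == PCAPNG_SHB:
        if len(head) < 16:
            return {"format": "pcapng", "truncated": True}
        for order in ("<", ">"):  # bytes 4-8 are the block length; the BOM gives endianness
            bom, major, minor = struct.unpack(order + "IHH", head[8:16])
            if bom == PCAPNG_BOM:
                return {"format": "pcapng", "truncated": False, "version": (major, minor)}
        return {"format": "unknown", "reason": "SHB without a valid byte-order magic"}
    return {"format": "unknown", "reason": "unrecognised leading bytes " + magic.hex()}


def identify_file(path: str) -> dict:
    """Read only the header of a file on disk (hypothetical helper name)."""
    with open(path, "rb") as fh:
        return identify_capture(fh.read(24))


# Constructed sample headers (not taken from any real capture).
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_PCAPNG = struct.pack("<IIIHHq", 0x0A0D0D0A, 28, PCAPNG_BOM, 1, 0, -1) + struct.pack("<I", 28)
SAMPLE_TEXT = b'{"error": "constructed non-capture body"}'

if __name__ == "__main__":
    for name, blob in (("pcap", SAMPLE_PCAP), ("pcapng", SAMPLE_PCAPNG), ("text", SAMPLE_TEXT)):
        print(name, identify_capture(blob))
```

An `unknown` result means the body is neither capture format, for example a text response saved under a `.pcap` name.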