From: Leon W. <leo...@gm...> - 2015-09-11 09:46:42
Everything there looks like it should be working. What is the contents of /var/filter.bpf?

$ cat /var/filter.bpf

-L

> On 10 Sep 2015, at 20:23, Igor Kaplan <igo...@gm...> wrote:
>
> Hi Leon,
>
> Here is the output which you asked:
>
> - openfpc-daemonlogger is /usr/bin/daemonlogger
> BPF file: /var/filter.bpf
> Using BPF
> DEBUG: Found BPF file /var/filter.bpf
> - openfpc-daemonlogger is /usr/bin/daemonlogger
> BPF file: /var/filter.bpf
> Using BPF
> DEBUG: Found BPF file /var/filter.bpf
> Stopping Daemonlogger... Done
> - openfpc-daemonlogger is /usr/bin/daemonlogger
> BPF file: /var/filter.bpf
> Using BPF
> DEBUG: Found BPF file /var/filter.bpf
> DEBUG: Command used to start daemonlogger is
> /usr/bin/daemonlogger -d -f /var/filter.bpf -i eth1 -l /var/tmp/openfpc/pcap -M 50 -s 1G -p openfpc-daemonlogger.pid -P /var/run/openfpc-Default_Node -n openfpc-Default_Node.pcap -u openfpc -g openfpc 2>&1 | logger -t OFPC-DL-Default_Node
> Starting Daemonlogger (Default_Node)...
> DEBUG: Touching a canary file to check if DL needs to delete something at startup:/var/tmp/openfpc/pcap/openfpc-Default_Node.pcap.0
> Done
> DEBUG: canary file still here (good)
> # BPF_FILE: An optional BPF filter to use while capturing traffic.
>
> grep BPF_FILE /etc/openfpc/*.conf
> BPF_FILE=/var/filter.bpf
>
> ps aux |grep daemonlogger
> openfpc 31867 0.0 0.1 19252 4304 ? Ss 15:06 0:00 /usr/bin/daemonlogger -d -f /var/filter.bpf -i eth1 -l /var/tmp/openfpc/pcap -M 50 -s 1G -p openfpc-daemonlogger.pid -P /var/run/openfpc-Default_Node -n openfpc-Default_Node.pcap -u openfpc -g openfpc
> root 31894 0.0 0.0 10468 2136 pts/0 S+ 15:08 0:00
>
> And here is the syslog
>
> Sep 10 15:06:22 ikaplan-DH-2 daemonlogger[1724]: Quitting!
> Sep 10 15:06:23 ikaplan-DH-2 daemonlogger[31867]: sniffing on interface eth1
> Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: Checking partition stats for log directory "/var/tmp/openfpc/pcap/."
> Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: 50% max disk utilization = 1885056 blocks free (out of 3770112)
> Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: Blocksize = 4096
> Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: Rollsize = 262144 blocks
> Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node:
> Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: [-] Daemon mode set
> Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: [-] Reading BPF filter in from file /var/filter.bpf
> Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: [-] Setting group ID to openfpc
> Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: [-] Interface set to eth1
> Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: [-] Logpath set to /var/tmp/openfpc/pcap
> Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: [-] Log filename set to "openfpc-Default_Node.pcap"
> Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: [-] Pidfile configured to "openfpc-daemonlogger.pid"
> Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: [-] Pidpath configured to "/var/run/openfpc-Default_Node"
> Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: [-] Rollover configured for 1 gigabytes
> Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: [-] Rollover configured for 0 none
> Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: [-] Setting user ID to openfpc
> Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: [-] Pruning behavior set to oldest IN DIRECTORY
> Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node:
> Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: -*> DaemonLogger <*-
> Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: Version 1.2.1
> Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: By Martin Roesch
> Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: (C) Copyright 2006-2007 Sourcefire Inc., All rights reserved
> Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node:
> Sep 10 15:06:23 ikaplan-DH-2 daemonlogger[31867]: start_sniffing() device eth1 network lookup: #011eth1: no IPv4 address assigned
> Sep 10 15:06:23 ikaplan-DH-2 daemonlogger[31867]: Logging packets to /var/tmp/openfpc/pcap/openfpc-Default_Node.pcap.1441911983
>
> Please let me know if there are any other tests I should make.
>
> Many thanks!!!
>
> Igor.
>
> From: leo...@gm... [mailto:leo...@gm...] On Behalf Of Leon Ward
> Sent: Thursday, September 10, 2015 2:41 PM
> To: Igor Kaplan
> Cc: <ope...@li...>
> Subject: Re: BPF filter
>
> Okay, so just tested it and it looked like it works for me...
>
> Can you please send the output of....
>
> $ sudo openfpc -v -t openfpc-daemonlogger -a restart
> $ grep BPF_FILE /etc/openfpc/*.conf
> $ ps aux |grep daemonlogger
>
> There should also be a chunk of data about daemonlogger in your syslog...
>
> On Tue, Sep 8, 2015 at 4:14 PM, Igor Kaplan <igo...@gm...> wrote:
> Leon,
>
> Thanks so much, really appreciate!
>
> From: leo...@gm... [mailto:leo...@gm...] On Behalf Of Leon Ward
> Sent: Tuesday, September 08, 2015 9:44 AM
> To: Igor Kaplan
> Cc: <ope...@li...>
> Subject: Re: BPF filter
>
> Will take a look, can't from where I am right now.
> It's likely that I've broken something years back. It used to work as I once used it a lot myself, but no longer.
>
> On Tue, Sep 8, 2015 at 2:42 PM, Igor Kaplan <igo...@gm...> wrote:
> Hi Leon,
>
> I am still having problems with the input bpf filter. I wonder if you could please answer my question below.
> Not sure if I am doing everything correctly, however to my best understanding, I do.
>
> Many thanks.
>
> -Igor.
>
> -----Original Message-----
> From: Igor Kaplan [mailto:igo...@gm...]
> Sent: Friday, August 28, 2015 4:32 PM
> To: 'Leon Ward'
> Cc: ope...@li...
> Subject: BPF filter
>
> Hi Leon,
>
> Not sure if I am doing everything correctly, however my BPF filter in openfpc-default.conf does not look to be working.
> I have a line in my openfpc-default.conf:
> BPF_File=/var/filter.bpf
>
> While starting openfpc -a start --verbose I am able to see the proper bpf file is found and loaded.
>
> My filter.bpf is very simple:
> Port 502
>
> So it should capture packets from port 502 only.
>
> However after fetching the data I still see packets from other ports.
>
> I wonder, do I understand correctly, the BPF_FILE in the config file will restrict which packets are captured? So using the bpf file as above I should not see any packets from other ports beside 502? Or is it something different?
>
> Many thanks and have a nice weekend!
>
> -Igor
>
> -----Original Message-----
> From: Leon Ward [mailto:leo...@gm...] On Behalf Of Leon Ward
> Sent: Tuesday, August 25, 2015 4:59 PM
> To: Igor Kaplan
> Cc: <ope...@li...>
> Subject: Re: [Openfpc-users] Openfpc-users Digest, Vol 2, Issue 4
>
> That's where the pcaps should live, and they will grow to the max percentage that you allow in the node config.
>
> What does an openfpc-client -a status show?
>
> Also what's a df -h look like?
>
> The pcaps will auto-prune unless something has gone wrong along the way....
>
> Thinking out loud, what's an ls of your pcaps directory look like? Have you got multiple nodes running on one box?
>
> -L
>
> Sent from a mobile device. Apologies for any typos but they happen.
>
> > On 25 Aug 2015, at 16:25, Igor Kaplan <igo...@gm...> wrote:
> >
> > Hi Leon,
> >
> > Could you please help me with the following.
> > I am running openfpc for several days already and now I am out of space on my Ubuntu box which runs openfpc. Under /var/tmp/openfpc I see directories, some of which contain a number of large files:
> > api-pcaps extracted pcap session
> >
> > I wonder, can I safely delete data under any of those directories above?
> > Could you please let me know which directory I can empty without breaking openfpc functionality?
> >
> > Is there any way to clean all captured data and start fresh?
> >
> > Many thanks.
> >
> > -Igor.
> >
> > -----Original Message-----
> > From: ope...@li... [mailto:ope...@li...]
> > Sent: Thursday, August 20, 2015 8:01 PM
> > To: ope...@li...
> > Subject: Openfpc-users Digest, Vol 2, Issue 4
> >
> > Message: 1
> > Date: Thu, 20 Aug 2015 20:01:08 -0400
> > From: "Igor Kaplan" <igo...@gm...>
> > Subject: Re: [Openfpc-users] Openfpc usage
> > To: <ope...@li...>
> > Message-ID: <000c01d0dba4$7c3c9910$74b5cb30$@gmail.com>
> > Content-Type: text/plain; charset="utf-8"
> >
> > Also sending my reply to the list, sorry, forgot to include it.
> >
> > From: Igor Kaplan [mailto:igo...@gm...]
> > Sent: Thursday, August 20, 2015 6:44 PM
> > To: 'Leon Ward'
> > Subject: RE: [Openfpc-users] Openfpc usage
> >
> > Version of mergecap:
> > Mergecap 1.10.6 (v1.10.6 from master-1.10)
> >
> > Linux is Ubuntu 14.04.2 LTS
> >
> > File list.pcap
> > list.pcap: pcap-ng capture file - version 1.0
> >
> > Thanks.
> >
> > From: leo...@gm... [mailto:leo...@gm...] On Behalf Of Leon Ward
> > Sent: Thursday, August 20, 2015 6:23 PM
> > To: Igor Kaplan
> > Cc: ope...@li...
> > Subject: Re: [Openfpc-users] Openfpc usage
> >
> > What's your platform, version of mergecap etc.
> >
> > Also, if you '$ file list.pcap' what does it say?
> >
> > -L
> >
> > On Thu, Aug 20, 2015 at 10:15 PM, Igor Kaplan <igo...@gm...> wrote:
> > Hi Leon,
> >
> > Need your help please once again.
> > Got the following problem and spent several hours trying to solve it.
> >
> > When making the API call to fetch the pcap data I am getting the data in pcapng format.
> > The OpenFPC is using the mergecap to merge pcap files and by default mergecap creates the output in pcapng format instead of pcap.
> >
> > I have changed the following line in openfpc-default.conf file
> > MERGECAP=/usr/bin/mergecap -F pcap
> >
> > This helped when I use the openfpc-client command to create pcap files, however when I use curl to fetch the data I still receive the output in pcapng format.
> >
> > curl -k 192.168.145.20:4222/api/1/fetch?apikey=38A69684-41F6-11E5-B47F-C061B4CE8A48\&stime=20150818%2010:00\&etime=20150818%2010:30\&dpt=22 > list.pcap
> >
> > cat list.pcap|tshark -i-
> > Capturing on 'Standard input'
> > tshark: Unrecognized libpcap format
> >
> > Looks like in case of API call the mergecap utility is not used at all.
> > And I was not able to find in the code how merging is done in this case.
> >
> > Could you please help me. Is it possible to make the fetch API call to return the data in pcap format?
> >
> > Thanks so much!
> >
> > Igor
> >
> > From: leo...@gm... [mailto:leo...@gm...] On Behalf Of Leon Ward
> > Sent: Tuesday, August 18, 2015 1:29 PM
> > To: Igor Kaplan
> > Cc: ope...@li...
> > Subject: Re: [Openfpc-users] Openfpc usage
> >
> > Actually it won't. It will only remove the oldest PCAP file. It's best to keep those PCAP files on their own partition.
> > The old flow records in mysql actually get removed automatically based on the oldest packet in the store. So you won't have records that are older than the pcaps.
> >
> > -L
> >
> > On Tue, Aug 18, 2015 at 6:21 PM, Igor Kaplan <igo...@gm...> wrote:
> > Hi Leon, all,
> >
> > I have one more question please.
> >
> > Based on the documentation the following line in the openfpc config file restricts the space usage of captured data to 50 percent:
> > PCAP_SPACE=50
> >
> > So, if the data size exceeds 50 percent old files will be deleted automatically?
> > Will openfpc also delete the old MySQL session tables?
> >
> > Many thanks and all the best!
> >
> > -Igor.
> >
> > From: leo...@gm... [mailto:leo...@gm...] On Behalf Of Leon Ward
> > Sent: Monday, August 17, 2015 11:51 AM
> > To: Igor Kaplan
> > Cc: ope...@li...
> > Subject: Re: [Openfpc-users] Openfpc usage
> >
> > Hi,
> >
> > Documentation is really one of the places that really needs some extra focus.
> >
> > The best docs I can point you to are in that folder, plus there is some out-of-date info on my blog http://www.leonward.com.
> > I actually delivered a presentation at Defcon last weekend all about OpenFPC. I have forwarded the slides separately. Hopefully that will help as well.
> >
> > As for your specific question about OpenFPC GUI. That's actually now been deprecated as it's no longer relevant for how it functions in a distributed manner. The OpenFPC-Chrome Extension will be the next best thing for interacting with the QueueDaemon remotely in a GUI-like way.
> >
> > Cheers,
> >
> > -L
> >
> > On Mon, Aug 17, 2015 at 4:25 PM, Igor Kaplan <igo...@gm...> wrote:
> > Hi All,
> >
> > My name is Igor. I just found the OpenFPC and am evaluating it. Looks like it is a very good tool.
> > I successfully installed on Ubuntu 14.4 with Perl 5.18
> > I have installed the OpenFPC-master, so it is the latest code.
> >
> > Now I would like to find out if there is more documentation beside the files which I could find under the docs directory.
> > For example the INSTALL.md refers to the USAGE document, however I was not able to find it anywhere.
> >
> > I am looking for the usage other than basic, just to find out what are my advanced options.
> >
> > For example the openfpc-dbmaint.sh script is also able to create the gui database, I wonder, what is it for?
> >
> > The OpenFPC looks to be very powerful, just would like to understand it as best as I can.
> >
> > Would so much appreciate any replies.
> >
> > Many thanks.
> >
> > Igor.
> >
> > ------------------------------------------------------------------------------
> > _______________________________________________
> > Openfpc-users mailing list
> > Ope...@li...
> > https://lists.sourceforge.net/lists/listinfo/openfpc-users
> >
> > End of Openfpc-users Digest, Vol 2, Issue 4
> > *******************************************
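The fetch-API exchange above (mergecap writing pcapng by default, `file list.pcap` reporting "pcap-ng capture file", tshark rejecting it with "Unrecognized libpcap format") comes down to the first bytes of the file. The following is an added example, not OpenFPC's code or anything from the thread: it identifies a capture as classic pcap or pcapng from the magic numbers alone, which is a cheap check to run on API output before handing it to tools that only accept libpcap format. The sample headers are constructed inline, and the function names are my own.

```python
import struct
import sys

# Classic libpcap global headers start with one of these four magics
# (endianness x microsecond/nanosecond timestamps).
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "pcap (little-endian, microsecond timestamps)",
    b"\xa1\xb2\xc3\xd4": "pcap (big-endian, microsecond timestamps)",
    b"\x4d\x3c\xb2\xa1": "pcap (little-endian, nanosecond timestamps)",
    b"\xa1\xb2\x3c\x4d": "pcap (big-endian, nanosecond timestamps)",
}

# pcapng files start with a Section Header Block: block type 0x0A0D0D0A
# (the same bytes in either byte order), then block length, then the
# byte-order magic 0x1A2B3C4D written in the file's native endianness.
PCAPNG_SHB_TYPE = b"\x0a\x0d\x0d\x0a"
PCAPNG_BYTE_ORDER_MAGIC = 0x1A2B3C4D


def identify_capture(head: bytes) -> str:
    """Classify a capture from its leading bytes: 'pcap', 'pcapng' or 'unknown'."""
    if len(head) < 4:
        return "unknown"
    if head[:4] in PCAP_MAGICS:
        return "pcap"
    if head[:4] == PCAPNG_SHB_TYPE and len(head) >= 12:
        # Bytes 8..12 carry the byte-order magic; accept either endianness
        # but reject a file that merely shares the block-type bytes.
        bom_le = struct.unpack("<I", head[8:12])[0]
        bom_be = struct.unpack(">I", head[8:12])[0]
        if PCAPNG_BYTE_ORDER_MAGIC in (bom_le, bom_be):
            return "pcapng"
    return "unknown"


def describe_capture(head: bytes) -> str:
    """Human-readable variant, similar in spirit to what `file` prints."""
    kind = identify_capture(head)
    if kind == "pcap":
        return PCAP_MAGICS[head[:4]]
    if kind == "pcapng":
        major, minor = struct.unpack("<HH", head[12:16]) if head[8:12] == b"\x4d\x3c\x2b\x1a" \
            else struct.unpack(">HH", head[12:16])
        return f"pcapng (section header version {major}.{minor})"
    return "not a recognised capture format"


def needs_pcap_conversion(head: bytes) -> bool:
    """True when the data is pcapng, i.e. tools expecting libpcap format will reject it."""
    return identify_capture(head) == "pcapng"


# Constructed sample headers (not real captures from the thread):
# a 24-byte little-endian pcap global header, version 2.4, snaplen 65535, LINKTYPE_ETHERNET
SAMPLE_PCAP_LE = bytes.fromhex("d4c3b2a1" "0200" "0400" "00000000" "00000000" "ffff0000" "01000000")
# a 28-byte little-endian pcapng Section Header Block, version 1.0, unknown section length
SAMPLE_PCAPNG = bytes.fromhex("0a0d0d0a" "1c000000" "4d3c2b1a" "0100" "0000" "ffffffffffffffff" "1c000000")
# something that shares the SHB type bytes but has no valid byte-order magic
SAMPLE_BOGUS = PCAPNG_SHB_TYPE + b"\x00" * 12


def identify_file(path: str) -> str:
    """Read only the first 16 bytes of a file on disk and classify it."""
    with open(path, "rb") as fh:
        return identify_capture(fh.read(16))


if __name__ == "__main__":
    # usage: python3 capfmt.py list.pcap
    for name in sys.argv[1:]:
        with open(name, "rb") as fh:
            head = fh.read(16)
        print(f"{name}: {describe_capture(head)}")
        if needs_pcap_conversion(head):
            print(f"  {name} is pcapng; convert with `mergecap -F pcap` (or editcap) before use")
```

Reading only the first 16 bytes keeps the check cheap even on a multi-gigabyte fetch result, and checking the byte-order magic as well as the block type avoids misclassifying arbitrary data that happens to begin with `0A 0D 0D 0A`.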