From: Igor K. <igo...@gm...> - 2015-09-11 13:23:35
Hi Leon,
Hmm, my filter.bpf is very simple:
Port 502
I would like only packets from and to port 502 to be captured.
Will try to run today another set of tests.
Have a nice weekend!
-Igor
From: Leon Ward [mailto:leo...@gm...]
Sent: Friday, September 11, 2015 5:46 AM
To: Igor Kaplan
Cc: <ope...@li...>
Subject: Re: BPF filter
Everything there looks like it should be working. What is the contents of /var/filter.bpf?
$ cat /var/filter.bpf
-L
On 10 Sep 2015, at 20:23, Igor Kaplan <igo...@gm...> wrote:
Hi Leon,
Here is the output which you asked:
- openfpc-daemonlogger is /usr/bin/daemonlogger
BPF file: /var/filter.bpf
Using BPF
DEBUG: Found BPF file /var/filter.bpf
- openfpc-daemonlogger is /usr/bin/daemonlogger
BPF file: /var/filter.bpf
Using BPF
DEBUG: Found BPF file /var/filter.bpf
Stopping Daemonlogger... Done
- openfpc-daemonlogger is /usr/bin/daemonlogger
BPF file: /var/filter.bpf
Using BPF
DEBUG: Found BPF file /var/filter.bpf
DEBUG: Command used to start daemonlogger is
/usr/bin/daemonlogger -d -f /var/filter.bpf -i eth1 -l /var/tmp/openfpc/pcap -M 50 -s 1G -p openfpc-daemonlogger.pid -P /var/run/openfpc-Default_Node -n openfpc-Default_Node.pcap -u openfpc -g openfpc 2>&1 | logger -t OFPC-DL-Default_Node
Starting Daemonlogger (Default_Node)...
DEBUG: Touching a canary file to check if DL needs to delete something at startup:/var/tmp/openfpc/pcap/openfpc-Default_Node.pcap.0
Done
DEBUG: canary file still here (good)
grep BPF_FILE /etc/openfpc/*.conf
# BPF_FILE: An optional BPF filter to use while capturing traffic.
BPF_FILE=/var/filter.bpf
ps aux |grep daemonlogger
openfpc 31867 0.0 0.1 19252 4304 ? Ss 15:06 0:00 /usr/bin/daemonlogger -d -f /var/filter.bpf -i eth1 -l /var/tmp/openfpc/pcap -M 50 -s 1G -p openfpc-daemonlogger.pid -P /var/run/openfpc-Default_Node -n openfpc-Default_Node.pcap -u openfpc -g openfpc
root 31894 0.0 0.0 10468 2136 pts/0 S+ 15:08 0:00
And here is the syslog
Sep 10 15:06:22 ikaplan-DH-2 daemonlogger[1724]: Quitting!
Sep 10 15:06:23 ikaplan-DH-2 daemonlogger[31867]: sniffing on interface eth1
Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: Checking partition stats for log directory "/var/tmp/openfpc/pcap/."
Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: 50% max disk utilization = 1885056 blocks free (out of 3770112)
Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: Blocksize = 4096
Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: Rollsize = 262144 blocks
Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node:
Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: [-] Daemon mode set
Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: [-] Reading BPF filter in from file /var/filter.bpf
Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: [-] Setting group ID to openfpc
Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: [-] Interface set to eth1
Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: [-] Logpath set to /var/tmp/openfpc/pcap
Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: [-] Log filename set to "openfpc-Default_Node.pcap"
Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: [-] Pidfile configured to "openfpc-daemonlogger.pid"
Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: [-] Pidpath configured to "/var/run/openfpc-Default_Node"
Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: [-] Rollover configured for 1 gigabytes
Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: [-] Rollover configured for 0 none
Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: [-] Setting user ID to openfpc
Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: [-] Pruning behavior set to oldest IN DIRECTORY
Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node:
Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: -*> DaemonLogger <*-
Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: Version 1.2.1
Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: By Martin Roesch
Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node: (C) Copyright 2006-2007 Sourcefire Inc., All rights reserved
Sep 10 15:06:23 ikaplan-DH-2 OFPC-DL-Default_Node:
Sep 10 15:06:23 ikaplan-DH-2 daemonlogger[31867]: start_sniffing() device eth1 network lookup: #011eth1: no IPv4 address assigned
Sep 10 15:06:23 ikaplan-DH-2 daemonlogger[31867]: Logging packets to /var/tmp/openfpc/pcap/openfpc-Default_Node.pcap.1441911983
Please let me know if there any other tests I should make.
Many thanks!!!
Igor.
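Added example, not from this thread and not OpenFPC or daemonlogger code: the fastest way to settle whether a BPF file was applied is to read the capture daemonlogger wrote and list every packet that 'port 502' could not have matched. The Python below does that for classic libpcap files with Ethernet/IPv4 framing (the eth1 capture above), refuses pcapng input, and ships with a small sample capture that is constructed inline rather than taken from Igor's box.

```python
import socket
import struct

# Classic libpcap magic numbers (microsecond and nanosecond variants, both byte orders)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",
}
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"
LINKTYPE_ETHERNET = 1


def iter_pcap(data):
    """Yield each captured frame from a classic pcap byte string."""
    endian = PCAP_MAGICS.get(data[:4])
    if endian is None:
        hint = " (this is pcapng)" if data[:4] == PCAPNG_SHB else ""
        raise ValueError("not a classic libpcap capture" + hint)
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this checker only decodes Ethernet captures")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def frame_ports(frame):
    """(proto, sport, dport) for an Ethernet/IPv4 TCP or UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 (e.g. ARP)
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    l4 = frame[14 + ihl:]
    if proto not in (6, 17) or len(l4) < 4:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    return ("tcp" if proto == 6 else "udp", sport, dport)


def packets_outside_filter(pcap_bytes, port):
    """Every packet that the BPF expression 'port <port>' would NOT have matched.

    'port N' matches transport traffic with N as source or destination port;
    anything else, non-IP frames included, should be absent from a filtered capture.
    """
    offenders = []
    for idx, frame in enumerate(iter_pcap(pcap_bytes)):
        ports = frame_ports(frame)
        if ports is None or port not in ports[1:]:
            offenders.append((idx, ports))
    return offenders


# --- constructed sample capture (not from the thread) -----------------------

def _ethernet_ipv4(proto, src_ip, dst_ip, l4):
    """Ethernet II + IPv4 header around a transport payload; checksums left zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth_hdr = b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00"
    return eth_hdr + ip_hdr + l4


def _tcp(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def _udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)


def build_pcap(frames):
    """Little-endian classic pcap with the Ethernet link type."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1441911983 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


SAMPLE_PCAP = build_pcap([
    _ethernet_ipv4(6, "10.0.0.10", "10.0.0.20", _tcp(49152, 502)),  # Modbus/TCP request: keep
    _ethernet_ipv4(17, "10.0.0.10", "10.0.0.1", _udp(53421, 53)),   # DNS: filter should drop
    _ethernet_ipv4(6, "10.0.0.20", "10.0.0.10", _tcp(502, 49152)),  # Modbus/TCP reply: keep
    _ethernet_ipv4(6, "10.0.0.30", "10.0.0.10", _tcp(51000, 22)),   # SSH: filter should drop
])


if __name__ == "__main__":
    import sys
    # Usage: python check_bpf.py [capture.pcap]; with no argument the constructed sample is used
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    leaked = packets_outside_filter(data, 502)
    for idx, ports in leaked:
        print(f"packet {idx}: {ports or 'non-IP/non-TCP-UDP'} would not match 'port 502'")
    print(f"{len(leaked)} packet(s) outside the filter")
```

Pointed at one of the /var/tmp/openfpc/pcap/openfpc-Default_Node.pcap.* files, a non-empty result means the capture process is not filtering, whatever the startup messages say. pcap-filter keywords are lowercase, so before digging into OpenFPC it is also worth confirming that the filter file compiles at all with tcpdump -d -F /var/filter.bpf; a filter that fails to compile cannot restrict anything.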
From: leo...@gm... [mailto:leo...@gm...] On Behalf Of Leon Ward
Sent: Thursday, September 10, 2015 2:41 PM
To: Igor Kaplan
Cc: <ope...@li...>
Subject: Re: BPF filter
Okay, so just tested it and it looked like it works for me...
Can you please send the output of....
$ sudo openfpc -v -t openfpc-daemonlogger -a restart
$ grep BPF_FILE /etc/openfpc/*.conf
$ ps aux |grep daemonlogger
There should also be a chunk of data about daemonlogger in your syslog...
On Tue, Sep 8, 2015 at 4:14 PM, Igor Kaplan <igo...@gm...> wrote:
Leon,
Thanks so much, really appreciate!
From: leo...@gm... [mailto:leo...@gm...] On Behalf Of Leon Ward
Sent: Tuesday, September 08, 2015 9:44 AM
To: Igor Kaplan
Cc: <ope...@li...>
Subject: Re: BPF filter
Will take a look, can't from where I am right now.
It's likely that I've broken something years back. It used to work, as I once used it a lot myself, but no longer.
On Tue, Sep 8, 2015 at 2:42 PM, Igor Kaplan <igo...@gm...> wrote:
Hi Leon,
I am still having problems with the input bpf filter. I wonder if you
could please answer my question below.
Not sure if I am doing everything correctly; however, to the best of my
understanding, I do.
Many thanks.
-Igor.
-----Original Message-----
From: Igor Kaplan [mailto:igo...@gm...]
Sent: Friday, August 28, 2015 4:32 PM
To: 'Leon Ward'
Cc: ope...@li...
Subject: BPF filter
Hi Leon,
Not sure if I am doing everything correctly; however, my BPF filter in
openfpc-default.conf does not seem to be working.
I have a line in my openfpc-default.conf:
BPF_File=/var/filter.bpf
When starting openfpc -a start --verbose I am able to see that the proper bpf
file is found and loaded.
My filter.bpf is very simple:
Port 502
So it should capture packets from port 502 only.
However, after fetching the data I still see packets from other ports.
I wonder, do I understand correctly that the BPF_FILE in the config file will
restrict which packets are captured? So using the bpf file as above I
should not see any packets from other ports besides 502? Or is it something
different?
Many thanks and have a nice weekend!
-Igor
-----Original Message-----
From: Leon Ward [mailto:leo...@gm...] On Behalf Of Leon Ward
Sent: Tuesday, August 25, 2015 4:59 PM
To: Igor Kaplan
Cc: <ope...@li...>
Subject: Re: [Openfpc-users] Openfpc-users Digest, Vol 2, Issue 4
That's where the pcaps should live, and they will grow to the max percentage
that you allow in the node config.
What does an openfpc-client -a status show?
Also what's a df -h look like?
The pcaps will auto-prune unless something has gone wrong along the way....
Thinking out loud, what's an ls of your pcaps directory look like? Have you
got multiple nodes running on one box?
-L
Sent from a mobile device. Apologies for any typos but they happen.
> On 25 Aug 2015, at 16:25, Igor Kaplan <igo...@gm...> wrote:
>
> Hi Leon,
>
> Could you please help me with following.
> I have been running openfpc for several days already and now I am out of
> space on my Ubuntu box which runs openfpc. Under /var/tmp/openfpc I see
> directories, some of which contain a number of large files:
> api-pcaps extracted pcap session
>
> I wonder, can I safely delete data under any of those directories above?
> Could you please let me know, which directory I can empty without
> breaking openfpc functionality?
>
> Is there any way to clean all captured data and start fresh?
>
> Many thanks.
>
> -Igor.
>
>
> -----Original Message-----
> From: ope...@li...
> [mailto:ope...@li...]
> Sent: Thursday, August 20, 2015 8:01 PM
> To: ope...@li...
> Subject: Openfpc-users Digest, Vol 2, Issue 4
>
> Send Openfpc-users mailing list submissions to
> ope...@li...
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.sourceforge.net/lists/listinfo/openfpc-users
> or, via email, send a message with subject or body 'help' to
> ope...@li...
>
> You can reach the person managing the list at
> ope...@li...
>
> When replying, please edit your Subject line so it is more specific
> than
> "Re: Contents of Openfpc-users digest..."
>
>
> Today's Topics:
>
> 1. Re: Openfpc usage (Igor Kaplan)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 20 Aug 2015 20:01:08 -0400
> From: "Igor Kaplan" <igo...@gm...>
> Subject: Re: [Openfpc-users] Openfpc usage
> To: <ope...@li...>
> Message-ID: <000c01d0dba4$7c3c9910$74b5cb30$@gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Also sending my reply to the list, sorry, forgot to include it.
>
> From: Igor Kaplan [mailto:igo...@gm...]
> Sent: Thursday, August 20, 2015 6:44 PM
> To: 'Leon Ward'
> Subject: RE: [Openfpc-users] Openfpc usage
>
> Version of mergecap:
>
> Mergecap 1.10.6 (v1.10.6 from master-1.10)
>
> Linux is Ubuntu 14.04.2 LTS
>
> File list.pcap
>
> list.pcap: pcap-ng capture file - version 1.0
>
> Thanks.
>
> From: leo...@gm... [mailto:leo...@gm...] On Behalf Of Leon Ward
> Sent: Thursday, August 20, 2015 6:23 PM
> To: Igor Kaplan
> Cc: ope...@li...
> Subject: Re: [Openfpc-users] Openfpc usage
>
> What's your platform, version of mergecap etc.
>
> Also, if you '$ file list.pcap' what does it say?
>
> -L
>
> On Thu, Aug 20, 2015 at 10:15 PM, Igor Kaplan <igo...@gm...> wrote:
>
> Hi Leon,
>
> Need your help please once again.
>
> Got the following problem and spent several hours trying to solve it.
>
> When making the API call to fetch the pcap data I am getting the data
> in pcapng format.
>
> OpenFPC is using mergecap to merge pcap files and by default
> mergecap creates the output in pcapng format instead of pcap.
>
> I have changed the following line in the openfpc-default.conf file
>
> MERGECAP=/usr/bin/mergecap -F pcap
>
> This helped when I use the openfpc-client command to create pcap
> files, however when I use curl to fetch the data I still receive the
> output in pcapng format.
>
> curl -k 192.168.145.20:4222/api/1/fetch?apikey=38A69684-41F6-11E5-B47F-C061B4CE8A48\&stime=20150818%2010:00\&etime=20150818%2010:30\&dpt=22 > list.pcap
>
> cat list.pcap|tshark -i-
>
> Capturing on 'Standard input'
>
> tshark: Unrecognized libpcap format
>
> Looks like in the case of the API call the mergecap utility is not used at all.
> And I was not able to find in the code how merging is done in this case.
>
> Could you please help me. Is it possible to make the fetch API call
> return the data in pcap format?
>
> Thanks so much!
>
> Igor
>
> From: leo...@gm... [mailto:leo...@gm...] On Behalf Of Leon Ward
> Sent: Tuesday, August 18, 2015 1:29 PM
> To: Igor Kaplan
> Cc: ope...@li...
> Subject: Re: [Openfpc-users] Openfpc usage
>
> Actually it won't. It will only remove the oldest PCAP file. It's best
> to keep those PCAP files on their own partition.
>
> The old flow records in mysql actually get removed automatically based
> on the oldest packet in the store. So you won't have records that are
> older than the pcaps.
>
> -L
>
> On Tue, Aug 18, 2015 at 6:21 PM, Igor Kaplan <igo...@gm...> wrote:
>
> Hi Leon, all,
>
> I have one more question please.
>
> Based on the documentation the following line in the openfpc config
> file restricts the space usage of captured data to 50 percent:
>
> PCAP_SPACE=50
>
> So, if the data size exceeds 50 percent, old files will be deleted
> automatically?
>
> Will openfpc also delete the old MySQL session tables?
>
> Many thanks and all the best!
>
> -Igor.
>
> From: leo...@gm... [mailto:leo...@gm...] On Behalf Of Leon Ward
> Sent: Monday, August 17, 2015 11:51 AM
> To: Igor Kaplan
> Cc: ope...@li...
> Subject: Re: [Openfpc-users] Openfpc usage
>
> Hi,
>
> Documentation is really one of the places that needs some extra
> focus.
>
> The best docs I can point you to are in that folder, plus there is
> some out-of-date info on my blog http://www.leonward.com.
>
> I actually delivered a presentation at Defcon last weekend all about
> OpenFPC. I have forwarded the slides separately. Hopefully that will
> help as well.
>
> As for your specific question about the OpenFPC GUI: that's actually now
> been deprecated as it's no longer relevant for how it functions in a
> distributed manner. The OpenFPC-Chrome Extension will be the next best
> thing for interacting with the QueueDaemon remotely in a GUI-like way.
>
> Cheers,
>
> -L
>
> On Mon, Aug 17, 2015 at 4:25 PM, Igor Kaplan <igo...@gm...> wrote:
>
> Hi All,
>
> My name is Igor. I just found OpenFPC and am evaluating it. It looks
> like a very good tool.
>
> I successfully installed it on Ubuntu 14.4 with Perl 5.18.
>
> I have installed OpenFPC-master, so it is the latest code.
>
> Now I would like to find out if there is more documentation besides the
> files which I could find under the docs directory.
>
> For example, INSTALL.md refers to the USAGE document, however I
> was not able to find it anywhere.
>
> I am looking for usage other than basic, just to find out what
> my advanced options are.
>
> For example, the openfpc-dbmaint.sh script is also able to create the
> gui database; I wonder what it is for?
>
> OpenFPC looks to be very powerful, I just would like to understand
> it as best as I can.
>
> Would so much appreciate any replies.
>
> Many thanks.
>
> Igor.
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Openfpc-users mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openfpc-users
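Added example, not part of the thread and not OpenFPC or Wireshark code: what 'file list.pcap' and tshark are reacting to in the fetch discussion above is the first four bytes of the file, and a single-interface pcapng stream can be rewritten to classic pcap in a few dozen lines when mergecap or editcap is not at hand. The sample pcapng below is constructed inline (one section, one Interface Description Block, three Enhanced Packet Blocks, no options, so timestamps are microseconds as the pcapng default); the block type numbers and byte-order magic are those of the pcapng specification.

```python
import struct

# The first four bytes are what file(1) and tshark use to tell the two formats apart
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4", b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d"}
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"
BT_SHB, BT_IDB, BT_EPB = 0x0A0D0D0A, 1, 6


def capture_format(data):
    """'pcap', 'pcapng' or 'unknown', from the magic number alone."""
    if data[:4] in PCAP_MAGICS:
        return "pcap"
    if data[:4] == PCAPNG_SHB:
        return "pcapng"
    return "unknown"


def pcapng_to_pcap(data):
    """Rewrite a one-interface pcapng stream as classic little-endian pcap.

    Handles SHB, IDB and Enhanced Packet Blocks; other block types are skipped.
    Timestamps are taken as microseconds, the pcapng default when if_tsresol is absent.
    """
    if capture_format(data) != "pcapng":
        raise ValueError("input is not pcapng")
    # Byte-order magic 0x1A2B3C4D follows the SHB type and length fields
    endian = "<" if data[8:12] == b"\x4d\x3c\x2b\x1a" else ">"
    linktype, snaplen, records = None, 65535, []
    off = 0
    while off + 12 <= len(data):
        btype, blen = struct.unpack(endian + "II", data[off:off + 8])
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError(f"malformed block at offset {off}")
        body = data[off + 8:off + blen - 4]            # strip type/length and trailing length
        if btype == BT_IDB:
            if linktype is not None:
                raise ValueError("multiple interfaces: use mergecap/editcap instead")
            linktype, _reserved, snaplen = struct.unpack(endian + "HHI", body[:8])
        elif btype == BT_EPB:
            _iface, ts_hi, ts_lo, caplen, origlen = struct.unpack(endian + "IIIII", body[:20])
            ts = (ts_hi << 32) | ts_lo
            records.append((ts // 1_000_000, ts % 1_000_000, caplen, origlen, body[20:20 + caplen]))
        off += blen
    if linktype is None:
        raise ValueError("no Interface Description Block found")
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)]
    for sec, usec, caplen, origlen, pkt in records:
        out.append(struct.pack("<IIII", sec, usec, caplen, origlen) + pkt)
    return b"".join(out)


def pcap_summary(data):
    """(packet count, (first ts_sec, first ts_usec) or None) of a little-endian classic pcap."""
    count, first, off = 0, None, 24
    while off + 16 <= len(data):
        sec, usec, caplen, _orig = struct.unpack("<IIII", data[off:off + 16])
        first = first or (sec, usec)
        count, off = count + 1, off + 16 + caplen
    return count, first


# --- constructed sample pcapng (not from the thread) ------------------------

def _block(btype, body):
    """Little-endian pcapng block: type, total length, body padded to 4, total length."""
    body += b"\x00" * (-len(body) % 4)
    blen = 12 + len(body)
    return struct.pack("<II", btype, blen) + body + struct.pack("<I", blen)


def build_sample_pcapng():
    shb = _block(BT_SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))  # magic, v1.0, unknown section length
    idb = _block(BT_IDB, struct.pack("<HHI", 1, 0, 65535))            # Ethernet, snaplen 65535
    base = 1441911983 * 1_000_000 + 123456
    epbs = []
    for i, frame in enumerate([b"A" * 60, b"B" * 61, b"C" * 54]):     # 61 bytes exercises the padding path
        ts = base + i
        hdr = struct.pack("<IIIII", 0, ts >> 32, ts & 0xFFFFFFFF, len(frame), len(frame))
        epbs.append(_block(BT_EPB, hdr + frame))
    return shb + idb + b"".join(epbs)


SAMPLE_PCAPNG = build_sample_pcapng()

if __name__ == "__main__":
    print("sample is", capture_format(SAMPLE_PCAPNG))
    converted = pcapng_to_pcap(SAMPLE_PCAPNG)
    print("converted is", capture_format(converted), pcap_summary(converted))
```

Running capture_format over the bytes curl wrote to list.pcap reproduces the 'pcap-ng capture file' verdict from file(1) without guessing from the extension; where the Wireshark tools are installed, editcap -F pcap in.pcapng out.pcap does the same conversion with full option and multi-interface support, and is the better choice for production data.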