Problematic behavior with npcapmove and npcapmanage #28
Assignees
Labels
Comments
|
@Arislen I pushed a fix for npcapmanage in case of relative paths. The directory is still being deleted if empty (if it's not a problem to create it again when requried, I would not change the behavior for backward compatibility). A new package will be available later today. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
OS: Redhat 8.2 Kernel: 4.18.0-193.1.2.el8_2.x86_64
N2DISK from http://packages.ntop.org/centos/
Version: n2disk-3.5.200528-5204.x86_64
Identifying a N2DISK PCAP (successful)
npcapextract -t /var/log/he/timeline -b "2020-06-02 13:25:43" -e "2020-06-02 13:25:59" -l
/var/log/he/1591118416.721609/1591118759.507696.pcap
I then want to move this pcap to another directory (starts to be problematic) :
npcapmove /var/log/he/1591118416.721609/1591118759.507696.pcap /var/log/he/pp/ /var/log/he/pp/timeline/
Files moved to:
/var/log/he/pp//1591118759.507696.pcap /var/log/he/pp//1591118759.507696.pcap.idx.timeline
/var/log/he/pp//1591118759.507696.pcap.idx /var/log/he/pp//1591118759.507696.pcap.timeline
/var/log/he/pp/timeline//2020/06/02/13/20/1591118759.507696.pcap /var/log/he/pp/timeline//2020/06/02/13/20/1591118759.507696.pcap.idx
Links are all relative paths, n2disk saves links to timelines with absolute paths:
-rw-r-----. 1 n2disk n2disk 4294967928 Jun 2 13:26 1591118759.507696.pcap
-rw-r-----. 1 n2disk n2disk 54292009 Jun 2 13:26 1591118759.507696.pcap.idx
drwxr-xr-x. 3 n2disk n2disk 26 Jun 3 12:24 timeline
lrwxrwxrwx. 1 n2disk n2disk 48 Jun 3 12:24 1591118759.507696.pcap.timeline -> timeline/2020/06/02/13/20/1591118759.507696.pcap
lrwxrwxrwx. 1 n2disk n2disk 52 Jun 3 12:24 1591118759.507696.pcap.idx.timeline -> timeline/2020/06/02/13/20/1591118759.507696.pcap.idx
./timeline/2020/06/02/13/20:
lrwxrwxrwx. 1 n2disk n2disk 40 Jun 3 12:24 1591118759.507696.pcap -> ../../../../../../1591118759.507696.pcap
lrwxrwxrwx. 1 n2disk n2disk 44 Jun 3 12:24 1591118759.507696.pcap.idx -> ../../../../../../1591118759.507696.pcap.idx
Run test to make sure npcapextract can see the pcap (successful):
npcapextract -t /var/log/he/pp/timeline -b "2020-06-02 13:25:43" -e "2020-06-02 13:25:59" -l
../../../../../../1591118759.507696.pcap
Next run npcapmange to delete the pcap, indexes and timeline files (fails):
npcapmanage -t /var/log/he/pp/timeline -b "2020-06-02 13:25:43" -e "2020-06-02 13:25:59" -d -v 4
03/Jun/2020 12:37:07 [npcapmanage.c:395] Welcome to npcapmanage - (C) 2016 ntop.org
03/Jun/2020 12:37:07 [npcapmanage.c:397] Begin time: 2020-06-02 13:25:43, End time 2020-06-02 13:25:59
03/Jun/2020 12:37:07 [npcapmanage.c:188] Scanning /var/log/he/pp/timeline/2020/06/02/13/20
03/Jun/2020 12:37:07 [npcapmanage.c:222] Checking epoch for /var/log/he/pp/timeline/2020/06/02/13/20/1591118759.507696.pcap: 1591118743 < 1591118759 <= 1591118759
03/Jun/2020 12:37:07 [npcapmanage.c:412] 0 PCAP files deleted
03/Jun/2020 12:37:07 [npcapmanage.c:413] Total processing time: 0.000 sec.
Fails to detect the PCAP even though npcapextract sees the pcap with the exact same filter.
Rerun with slightly larger window:
npcapmanage -t /var/log/he/pp/timeline -b "2020-06-02 13:25:43" -e "2020-06-02 13:26:00" -d -v 4
03/Jun/2020 12:43:31 [npcapmanage.c:395] Welcome to npcapmanage - (C) 2016 ntop.org
03/Jun/2020 12:43:31 [npcapmanage.c:397] Begin time: 2020-06-02 13:25:43, End time 2020-06-02 13:26:00
03/Jun/2020 12:43:31 [npcapmanage.c:188] Scanning /var/log/he/pp/timeline/2020/06/02/13/20
03/Jun/2020 12:43:31 [npcapmanage.c:222] Checking epoch for /var/log/he/pp/timeline/2020/06/02/13/20/1591118759.507696.pcap: 1591118743 < 1591118759 <= 1591118760
03/Jun/2020 12:43:31 [npcapmanage.c:236] rm ../../../../../../1591118759.507696.pcap
03/Jun/2020 12:43:31 [npcapmanage.c:241] rm ../../../../../../1591118759.507696.pcap.timeline
03/Jun/2020 12:43:31 [npcapmanage.c:245] rm /var/log/he/pp/timeline/2020/06/02/13/20/1591118759.507696.pcap
03/Jun/2020 12:43:31 [npcapmanage.c:258] rm ../../../../../../1591118759.507696.pcap.idx
03/Jun/2020 12:43:31 [npcapmanage.c:263] rm ../../../../../../1591118759.507696.pcap.idx.timeline
03/Jun/2020 12:43:31 [npcapmanage.c:267] rm /var/log/he/pp/timeline/2020/06/02/13/20/1591118759.507696.pcap.idx
03/Jun/2020 12:43:31 [npcapmanage.c:412] 1 PCAP files deleted
03/Jun/2020 12:43:31 [npcapmanage.c:413] Total processing time: 0.001 sec.
However, it does not delete all the files, just the timeline ones:
-rw-r-----. 1 n2disk n2disk 4294967928 Jun 2 13:26 1591118759.507696.pcap
-rw-r-----. 1 n2disk n2disk 54292009 Jun 2 13:26 1591118759.507696.pcap.idx
lrwxrwxrwx. 1 n2disk n2disk 48 Jun 3 12:24 1591118759.507696.pcap.timeline -> timeline/2020/06/02/13/20/1591118759.507696.pcap
lrwxrwxrwx. 1 n2disk n2disk 52 Jun 3 12:24 1591118759.507696.pcap.idx.timeline -> timeline/2020/06/02/13/20/1591118759.507696.pcap.idx
(links are bad since timeline directory doesn't exist. Not sure why it deletes the timeline directory as I would want to move other pcaps into it without recreating it)
The .pcap, .idx and the links should have been deleted.
The text was updated successfully, but these errors were encountered: