BPF filter problem #343

Closed
ghost opened this issue Jan 7, 2016 · 7 comments

@ghost

ghost commented Jan 7, 2016

Hi,

I am unable to use -B for a filter command. I get:

```
Jan 7 13:44:43 wolfpac ntopng: [PF_RINGInterface.cpp:156] ERROR: Unable to set filter hos. Filter ignored.
```

Below is my command line and the versions - which I just updated today.

```
/usr/local/bin/ntopng -e -U ntop -ip4p1 -d/var/lib/ntop -w 3000 -D all -H -n 1 -m 166.0.0.0/8 -B "host 166.239.229.215 or host 166.149.233.17"
```

pfring.x86_64 0:6.3.0-418 pfring-dkms.noarch 0:6.3.0-418
ntopng.x86_64 0:2.3.160107-770 ntopng-data.noarch 0:2.3.160107-770

I also did sudo ethtool -K p4p1 gro off gso off tso off and restarted with the results below.

lspci output
Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)

```
Jan 7 13:41:13 wolfpac kernel: (C) 2004-15 ntop.org
Jan 7 13:41:13 wolfpac kernel: [PF_RING] registered /proc/net/pf_ring/
Jan 7 13:41:13 wolfpac kernel: NET: Registered protocol family 27
Jan 7 13:41:13 wolfpac kernel: [PF_RING] Min # ring slots 4096
Jan 7 13:41:13 wolfpac kernel: [PF_RING] Slot version 16
Jan 7 13:41:13 wolfpac kernel: [PF_RING] Capture TX Yes [RX+TX]
Jan 7 13:41:13 wolfpac kernel: [PF_RING] IP Defragment No
Jan 7 13:41:13 wolfpac kernel: [PF_RING] Initialized correctly
Jan 7 13:41:16 wolfpac named[2310]: client 127.0.0.1#57580: RFC 1918 response from Internet for 42.2.21.172.in-addr.arpa
Jan 7 13:41:19 wolfpac named[2310]: client 127.0.0.1#44398: RFC 1918 response from Internet for 14.2.21.172.in-addr.arpa
Jan 7 13:41:36 wolfpac ntopng: [Prefs.cpp:780] WARNING: Unknown option -E: Ignored.
Jan 7 13:41:36 wolfpac ntopng: [Prefs.cpp:780] WARNING: Unknown option -A: Ignored.
Jan 7 13:41:37 wolfpac ntopng: [NtopPro.cpp:158] ERROR: [LICENSE] Invalid or missing ntopng License [Empty license file]
Jan 7 13:41:37 wolfpac ntopng: [NtopPro.cpp:171] WARNING: [LICENSE] ntopng will now run in pro mode for 10 minutes
Jan 7 13:41:37 wolfpac ntopng: [NtopPro.cpp:173] WARNING: [LICENSE] before returning to community mode
Jan 7 13:41:37 wolfpac ntopng: [NtopPro.cpp:174] WARNING: [LICENSE] You can buy a permanent license at http://shop.ntop.org
Jan 7 13:41:37 wolfpac ntopng: [NtopPro.cpp:175] WARNING: [LICENSE] or run ntopng in community mode starting
Jan 7 13:41:37 wolfpac ntopng: [NtopPro.cpp:176] WARNING: [LICENSE] ntopng --community
Jan 7 13:41:37 wolfpac ntopng: [PF_RINGInterface.cpp:156] ERROR: Unable to set filter hos. Filter ignored.
Jan 7 13:41:38 wolfpac ntopng: [NetworkInterface.cpp:942] WARNING: If you have TSO/GRO enabled, please disable it
Jan 7 13:41:38 wolfpac ntopng: [NetworkInterface.cpp:944] WARNING: Use: sudo ethtool -K p4p1 gro off gso off tso off
Jan 7 13:41:39 wolfpac named[2310]: client 127.0.0.1#41166: RFC 1918 response from Internet for 40.2.21.172.in-addr.arpa
Jan 7 13:42:10 wolfpac named[2310]: client 127.0.0.1#52417: RFC 1918 response from Internet for 69.2.21.172.in-addr.arpa
Jan 7 13:42:21 wolfpac named[2310]: client 127.0.0.1#36488: RFC 1918 response from Internet for 102.2.21.172.in-addr.arpa
Jan 7 13:42:21 wolfpac named[2310]: client 127.0.0.1#52909: RFC 1918 response from Internet for 104.2.21.172.in-addr.arpa
Jan 7 13:42:21 wolfpac named[2310]: client 127.0.0.1#42627: RFC 1918 response from Internet for 161.2.21.172.in-addr.arpa
Jan 7 13:42:30 wolfpac named[2310]: client 127.0.0.1#53702: RFC 1918 response from Internet for 96.2.21.172.in-addr.arpa
Jan 7 13:42:32 wolfpac named[2310]: client 127.0.0.1#32917: RFC 1918 response from Internet for 3.2.21.172.in-addr.arpa
Jan 7 13:44:26 wolfpac kernel: igb 0000:03:00.0: TSO is Disabled
Jan 7 13:44:43 wolfpac ntopng: [Prefs.cpp:780] WARNING: Unknown option -E: Ignored.
Jan 7 13:44:43 wolfpac ntopng: [Prefs.cpp:780] WARNING: Unknown option -A: Ignored.
Jan 7 13:44:43 wolfpac ntopng: [NtopPro.cpp:158] ERROR: [LICENSE] Invalid or missing ntopng License [Empty license file]
Jan 7 13:44:43 wolfpac ntopng: [NtopPro.cpp:171] WARNING: [LICENSE] ntopng will now run in pro mode for 10 minutes
Jan 7 13:44:43 wolfpac ntopng: [NtopPro.cpp:173] WARNING: [LICENSE] before returning to community mode
Jan 7 13:44:43 wolfpac ntopng: [NtopPro.cpp:174] WARNING: [LICENSE] You can buy a permanent license at http://shop.ntop.org
Jan 7 13:44:43 wolfpac ntopng: [NtopPro.cpp:175] WARNING: [LICENSE] or run ntopng in community mode starting
Jan 7 13:44:43 wolfpac ntopng: [NtopPro.cpp:176] WARNING: [LICENSE] ntopng --community
Jan 7 13:44:43 wolfpac ntopng: [PF_RINGInterface.cpp:156] ERROR: Unable to set filter hos. Filter ignored.
...
```

@ghost
Author

ghost commented Jan 8, 2016

I see another problem which may be related - when the above ntopng/pfring is running if I try to use tcpdump with a filter - it doesn't work. I get all the traffic.

@pspikings

I had this exact problem in Ubuntu (using the /etc/default/ntopng for config and listing the -B command in ADD_ARGS). It seems to be something to do with escaping quotes and/or spaces. After quite a bit of experimentation I gave up and put the -B command in /etc/init.d/ntopng instead in the start routine after $ARGS

@simonemainardi
Contributor

@pspikings please report the exact steps (include shell lines) that you did and that caused wrong BPF parsing

@pspikings

I haven't got the shell history but can tell you what I did. Installed version "v.1.2.1 (r1.2.1)" in 12.04 from the http://ppa.launchpad.net/cavedon/ntop/ubuntu PPA.

Here's what does work:

From /etc/default/ntopng:

```
# Additional command-line arguments for ntopng.
ADD_ARGS="-m 1.2.3.4/27,192.168.0.254/24"
```

From /etc/init.d/ntopng:

```
ntop_start() {
    /sbin/start-stop-daemon --start --quiet --name $NAME --pidfile $PIDFILE \
        --exec $DAEMON -- $ARGS -B "host not 2.3.4.5 and host not 3.4.5.6" \
        > /var/log/ntopng/startup.log 2>&1
```

Here is what I tried first which gives the exact error as above:

From /etc/default/ntopng:

```
# Additional command-line arguments for ntopng.
ADD_ARGS="-m 1.2.3.4/27,192.168.0.254/24 -B "host not 2.3.4.5 and host not 3.4.5.6""
```

From /etc/init.d/ntopng (installed version):

```
ntop_start() {
    /sbin/start-stop-daemon --start --quiet --name $NAME --pidfile $PIDFILE \
        --exec $DAEMON -- $ARGS \
        > /var/log/ntopng/startup.log 2>&1
```

I tried lots of variations on the theme but nothing worked until I edited the ntopng init script instead.

Thanks,

Peter.
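
Added example, not part of the thread and not ntopng code: a POSIX shell demonstration of the word splitting that separates the two init-script variants in the comment above, where a filter carried inside an unquoted `$ARGS` reaches `-B` as a single word while a filter quoted at the call site arrives whole. `bpf_seen_by` and `argc` are hypothetical helpers standing in for the daemon's option parsing; the addresses are the placeholders from the comment.

```shell
#!/bin/sh
# Added illustration (constructed); helper names are hypothetical, not ntopng code.

# Print the single argument that follows -B: what the daemon would get as its filter.
bpf_seen_by() {
    while [ "$#" -gt 0 ]; do
        if [ "$1" = "-B" ]; then
            printf '%s\n' "${2-}"
            return 0
        fi
        shift
    done
    return 1
}

# Print how many arguments were passed.
argc() { printf '%s\n' "$#"; }

FILTER='host not 2.3.4.5 and host not 3.4.5.6'   # placeholder addresses from the thread

# Case 1: the filter lives inside the variable with literal quote characters,
# and the variable is expanded unquoted, as in "--exec $DAEMON -- $ARGS".
# Quotes that come out of an expansion are data, not syntax, so the shell
# splits on every space.
ARGS_WITH_FILTER="-m 1.2.3.4/27,192.168.0.254/24 -B \"$FILTER\""
filter_from_variable() { bpf_seen_by $ARGS_WITH_FILTER; }
argc_from_variable()   { argc $ARGS_WITH_FILTER; }

# Case 2: the variable holds only space-free options and the filter is quoted
# at the call site, as in the edited init script.
ARGS_PLAIN="-m 1.2.3.4/27,192.168.0.254/24"
filter_from_call_site() { bpf_seen_by $ARGS_PLAIN -B "$FILTER"; }
argc_from_call_site()   { argc $ARGS_PLAIN -B "$FILTER"; }

printf 'variable : %s args, -B gets [%s]\n' "$(argc_from_variable)" "$(filter_from_variable)"
printf 'call site: %s args, -B gets [%s]\n' "$(argc_from_call_site)" "$(filter_from_call_site)"
```

Because ntopng logs "Filter ignored" and keeps running, a filter mangled this way leaves the capture unfiltered, so the startup log is worth checking after any change to how the option is passed.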

@simonemainardi
Contributor

@pspikings you are using an outdated version of ntopng. In addition, the PPA you are using is not the official one. Please remove it and install packages from http://packages.ntop.org/

Once you get the official packages, use the file /etc/ntopng/ntopng.conf to put the configuration options, one per line.

Then you can start-stop-daemon as usual.

@emanuele-f
Contributor

@sclark46 are you still having troubles? Can you report the software versions you are using?

I've successfully tested the filter on ubuntu 16.04, with latest ntopng and pfring from ntop repo

@lucaderi
Member

This issue seems to be solved.
