ntop / n2disk

Open source components and extensions for n2disk

Problematic behavior with npcapmove and npcapmanage #28

Closed Arislen closed 4 years ago

Arislen commented 4 years ago

OS: Red Hat 8.2
Kernel: 4.18.0-193.1.2.el8_2.x86_64
N2DISK from http://packages.ntop.org/centos/
Version: n2disk-3.5.200528-5204.x86_64

Identifying a N2DISK PCAP (successful)

npcapextract -t /var/log/he/timeline -b "2020-06-02 13:25:43" -e "2020-06-02 13:25:59" -l

/var/log/he/1591118416.721609/1591118759.507696.pcap

I then want to move this pcap to another directory (this is where it starts to be problematic):

npcapmove /var/log/he/1591118416.721609/1591118759.507696.pcap /var/log/he/pp/ /var/log/he/pp/timeline/

Files moved to:
/var/log/he/pp//1591118759.507696.pcap
/var/log/he/pp//1591118759.507696.pcap.idx.timeline
/var/log/he/pp//1591118759.507696.pcap.idx
/var/log/he/pp//1591118759.507696.pcap.timeline
/var/log/he/pp/timeline//2020/06/02/13/20/1591118759.507696.pcap
/var/log/he/pp/timeline//2020/06/02/13/20/1591118759.507696.pcap.idx

Links are all relative paths, n2disk saves links to timelines with absolute paths:

-rw-r-----. 1 n2disk n2disk 4294967928 Jun 2 13:26 1591118759.507696.pcap
-rw-r-----. 1 n2disk n2disk 54292009 Jun 2 13:26 1591118759.507696.pcap.idx
drwxr-xr-x. 3 n2disk n2disk 26 Jun 3 12:24 timeline
lrwxrwxrwx. 1 n2disk n2disk 48 Jun 3 12:24 1591118759.507696.pcap.timeline -> timeline/2020/06/02/13/20/1591118759.507696.pcap
lrwxrwxrwx. 1 n2disk n2disk 52 Jun 3 12:24 1591118759.507696.pcap.idx.timeline -> timeline/2020/06/02/13/20/1591118759.507696.pcap.idx

./timeline/2020/06/02/13/20:
lrwxrwxrwx. 1 n2disk n2disk 40 Jun 3 12:24 1591118759.507696.pcap -> ../../../../../../1591118759.507696.pcap
lrwxrwxrwx. 1 n2disk n2disk 44 Jun 3 12:24 1591118759.507696.pcap.idx -> ../../../../../../1591118759.507696.pcap.idx

Run test to make sure npcapextract can see the pcap (successful):

npcapextract -t /var/log/he/pp/timeline -b "2020-06-02 13:25:43" -e "2020-06-02 13:25:59" -l

../../../../../../1591118759.507696.pcap

Next, run npcapmanage to delete the pcap, indexes and timeline files (fails):

npcapmanage -t /var/log/he/pp/timeline -b "2020-06-02 13:25:43" -e "2020-06-02 13:25:59" -d -v 4

03/Jun/2020 12:37:07 [npcapmanage.c:395] Welcome to npcapmanage - (C) 2016 ntop.org
03/Jun/2020 12:37:07 [npcapmanage.c:397] Begin time: 2020-06-02 13:25:43, End time 2020-06-02 13:25:59
03/Jun/2020 12:37:07 [npcapmanage.c:188] Scanning /var/log/he/pp/timeline/2020/06/02/13/20
03/Jun/2020 12:37:07 [npcapmanage.c:222] Checking epoch for /var/log/he/pp/timeline/2020/06/02/13/20/1591118759.507696.pcap: 1591118743 < 1591118759 <= 1591118759
03/Jun/2020 12:37:07 [npcapmanage.c:412] 0 PCAP files deleted
03/Jun/2020 12:37:07 [npcapmanage.c:413] Total processing time: 0.000 sec.

It fails to detect the PCAP, even though npcapextract sees the pcap with the exact same filter.

Rerun with a slightly larger window:

npcapmanage -t /var/log/he/pp/timeline -b "2020-06-02 13:25:43" -e "2020-06-02 13:26:00" -d -v 4

03/Jun/2020 12:43:31 [npcapmanage.c:395] Welcome to npcapmanage - (C) 2016 ntop.org
03/Jun/2020 12:43:31 [npcapmanage.c:397] Begin time: 2020-06-02 13:25:43, End time 2020-06-02 13:26:00
03/Jun/2020 12:43:31 [npcapmanage.c:188] Scanning /var/log/he/pp/timeline/2020/06/02/13/20
03/Jun/2020 12:43:31 [npcapmanage.c:222] Checking epoch for /var/log/he/pp/timeline/2020/06/02/13/20/1591118759.507696.pcap: 1591118743 < 1591118759 <= 1591118760
03/Jun/2020 12:43:31 [npcapmanage.c:236] rm ../../../../../../1591118759.507696.pcap
03/Jun/2020 12:43:31 [npcapmanage.c:241] rm ../../../../../../1591118759.507696.pcap.timeline
03/Jun/2020 12:43:31 [npcapmanage.c:245] rm /var/log/he/pp/timeline/2020/06/02/13/20/1591118759.507696.pcap
03/Jun/2020 12:43:31 [npcapmanage.c:258] rm ../../../../../../1591118759.507696.pcap.idx
03/Jun/2020 12:43:31 [npcapmanage.c:263] rm ../../../../../../1591118759.507696.pcap.idx.timeline
03/Jun/2020 12:43:31 [npcapmanage.c:267] rm /var/log/he/pp/timeline/2020/06/02/13/20/1591118759.507696.pcap.idx
03/Jun/2020 12:43:31 [npcapmanage.c:412] 1 PCAP files deleted
03/Jun/2020 12:43:31 [npcapmanage.c:413] Total processing time: 0.001 sec.

However, it does not delete all the files, just the timeline ones:

-rw-r-----. 1 n2disk n2disk 4294967928 Jun 2 13:26 1591118759.507696.pcap
-rw-r-----. 1 n2disk n2disk 54292009 Jun 2 13:26 1591118759.507696.pcap.idx
lrwxrwxrwx. 1 n2disk n2disk 48 Jun 3 12:24 1591118759.507696.pcap.timeline -> timeline/2020/06/02/13/20/1591118759.507696.pcap
lrwxrwxrwx. 1 n2disk n2disk 52 Jun 3 12:24 1591118759.507696.pcap.idx.timeline -> timeline/2020/06/02/13/20/1591118759.507696.pcap.idx

(The links are now dangling since the timeline directory doesn't exist. Not sure why it deletes the timeline directory, as I would want to move other pcaps into it without recreating it.)

The .pcap, .idx and the links should have been deleted.
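The log above shows the cause: npcapmanage reads the relative link target (`../../../../../../1591118759.507696.pcap`) and passes it to rm unchanged, so it is resolved against the tool's working directory rather than the directory holding the link, and only the links inside the timeline tree actually go away. The following is an added illustration, not code from the issue or from n2disk, of resolving a relative symlink target against the link's own directory before removing the pcap, its index and the links in both directions; the directory layout it builds under a temporary root is constructed to mirror the one listed in the report.

```python
import os
import tempfile

NAME = "1591118759.507696.pcap"          # pcap name taken from the report
TL_SUB = os.path.join("timeline", "2020", "06", "02", "13", "20")


def resolve_link(link_path):
    """Absolute path a symlink points to. A relative target is relative
    to the directory containing the link, not to the current cwd."""
    target = os.readlink(link_path)
    if not os.path.isabs(target):
        target = os.path.join(os.path.dirname(link_path), target)
    return os.path.normpath(target)


def remove_pcap_set(timeline_link):
    """Remove pcap, .idx, the two timeline links and the two back links,
    given the .pcap link inside the timeline tree. Returns removed paths."""
    pcap = resolve_link(timeline_link)
    idx = pcap + ".idx"
    victims = [pcap, idx, timeline_link, timeline_link + ".idx",
               pcap + ".timeline", idx + ".timeline"]
    removed = []
    for p in victims:
        if os.path.lexists(p):      # lexists: a dangling link still counts
            os.remove(p)            # unlinks the link itself, never the target
            removed.append(p)
    return removed


def make_layout(root):
    """Constructed copy of the on-disk layout from the issue under root."""
    tl_dir = os.path.join(root, TL_SUB)
    os.makedirs(tl_dir)
    pcap = os.path.join(root, NAME)
    for p in (pcap, pcap + ".idx"):
        with open(p, "wb") as f:
            f.write(b"\x00")        # placeholder contents
    rel = os.path.join(*([".."] * 6), NAME)          # six levels up, as in the report
    os.symlink(rel, os.path.join(tl_dir, NAME))
    os.symlink(rel + ".idx", os.path.join(tl_dir, NAME + ".idx"))
    os.symlink(os.path.join(TL_SUB, NAME), pcap + ".timeline")
    os.symlink(os.path.join(TL_SUB, NAME + ".idx"), pcap + ".idx.timeline")
    return os.path.join(tl_dir, NAME)


def demo():
    """Build the layout, delete the set, report (#removed, what is left)."""
    root = tempfile.mkdtemp()
    removed = remove_pcap_set(make_layout(root))
    return len(removed), sorted(os.listdir(root))


if __name__ == "__main__":
    print(demo())
```

Running it from any working directory removes all six entries and leaves only the (now empty) `timeline` tree behind, which is the result the report expected from npcapmanage.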

cardigliano commented 4 years ago

@Arislen I pushed a fix for npcapmanage in case of relative paths. The directory is still being deleted if empty (if it's not a problem to create it again when required, I would not change the behavior for backward compatibility). A new package will be available later today.