ntop / n2disk

Open source components and extensions for n2disk

tcpdump invalid headers on n2disk exported pcaps #52

Closed srfn8kd closed 1 year ago

srfn8kd commented 1 year ago

Greetings NTOP Team,

When I try to read a pcap output by n2disk or npcapextract with most recent versions of tcpdump, including PF_RING aware tcpdump compiled from ntop git source, this is found in the output. On some npcapextract created pcaps that is the only output, while on n2disk created pcaps there is a lot of that mixed in with some regular output.

npcapextract

```
[Invalid header: len(1518) < caplen(1520)]
[Invalid header: len(1146) < caplen(1148)]
[Invalid header: len(70) < caplen(72)]
[Invalid header: len(114) < caplen(116)]
```

n2disk

```
[Invalid header: len(1518) < caplen(1520)]
[Invalid header: len(1518) < caplen(1520)]
[Invalid header: len(1518) < caplen(1520)]
[Invalid header: len(1438) < caplen(1440)]
[Invalid header: len(1438) < caplen(1440)]
13:23:02.725028 IP redacted.https > redacted.22387: Flags [.], seq 418843876:418845250, ack 1730726667, win 133, options [nop,nop,TS val 1255459542 ecr 2954666398], length 1374
13:23:02.725029 IP redacted.39956 > redacted.62617: Flags [.], seq 1257635742:1257636980, ack 1416948073, win 512, options [nop,nop,TS val 1657684384 ecr 1723919482], length 1238
[Invalid header: len(1438) < caplen(1440)]
```

tcpdump info

```
tcpdump version 4.99.1
libpcap version 1.10.1 (with TPACKET_V3)
OpenSSL 1.1.1k FIPS 25 Mar 2021
```

```
tcpdump version 4.99.1
libpcap version 1.10.1 (with TPACKET_V3)
OpenSSL 1.1.1l 24 Aug 2021 SUSE release 150400.7.25.1
SMI-library: 0.4.8
```

OS info

This experience is the same on CentOS Stream 8 as well as on openSUSE Leap 15.4

cardigliano commented 1 year ago

@srfn8kd please provide your n2disk configuration file, and if possible a small pcap with this traffic. Thank you.

srfn8kd commented 1 year ago

```
--syslog
--daemon
-i=fbcard:0:b00
-P=/var/run/n2disk.pid
-o=/data3/pcap
-o=/data2/pcap
-o=/data4/pcap
-o=/data5/pcap
-A=/data2/timeline
--disk-limit=97%
-b=16384
-p=2048
-C=16384
-q=1
-c=34
-w=36,38,44,46
--index
-3
-Z
-z=48,50,52,54
```

sample.pcap.gz

cardigliano commented 1 year ago

  1. Do you see a message like this in the n2disk output? "Chunk mode is supported by the underlying hardware :-)"
  2. Did this happen after some update? Did you also update the Fiberblaze SDK or firmware?

srfn8kd commented 1 year ago

Yes, the chunk mode message is output.

```
Mar 14 08:49:27 thraulus n2disk[1936315]: 14/Mar/2023 08:49:27 [n2disk.c:7207] Dumping data in 16.0 MB chunks
Mar 14 08:49:27 thraulus n2disk[1936315]: 14/Mar/2023 08:49:27 [n2disk.c:7207] Dumping data in 16.0 MB chunks
Mar 14 08:49:39 thraulus n2disk[1936315]: 14/Mar/2023 08:49:39 [n2disk.c:4626] Chunk mode is supported by the underlying hardware :-)
Mar 14 08:49:39 thraulus n2disk[1936315]: 14/Mar/2023 08:49:39 [n2disk.c:4626] Chunk mode is supported by the underlying hardware :-)
```

The FB card is running a very recent if not the latest firmware and software - haven't looked for updates since I installed these versions in February - maybe a newer version exists

Savona 2.11.6.0 fbcapture 3.6.6.1

cardigliano commented 1 year ago

@srfn8kd I am in contact with Silicom and it seems the adapter is adding some padding to align the packet data to 4 bytes. Since the data provided in PCAP chunks (in "chunk mode") cannot be modified by the software (we use chunks built by the adapter to optimize the performance) we cannot do much. Otherwise the "packet mode" should be used, with lower performance. What is your traffic rate?

srfn8kd commented 1 year ago

Thank you for looking into this, we’re doing 5 - 25 Gbps - this is not a problem then, I’ll just use npcapextract on the system which works fine, as does Wireshark on both systems and my workstation, this is just an oddity with tcpdump it seems. Keep up the great work, NTOP tools are excellent.

On Mar 16, 2023, at 02:33, Alfredo Cardigliano @.***> wrote:

> @srfn8kd I am in contact with Silicom and it seems the adapter is adding some padding to align the packet data to 4 bytes. Since the data provided in PCAP chunks (in "chunk mode") cannot be modified by the software (we use chunks built by the adapter to optimize the performance) we cannot do much. Otherwise the "packet mode" should be used, with lower performance. What is your traffic rate?


cardigliano commented 1 year ago

Thank you!
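
The `len < caplen` records discussed in this thread can be normalized offline into a copy that stricter readers accept. The following is an added example, not part of the thread and not ntop's code: it assumes a classic pcap file and that the adapter's 4-byte alignment padding sits as trailing bytes after the real packet data; `trim_padding` and `constructed_sample` are hypothetical names.

```python
import struct
import sys

# First 4 bytes of a classic pcap file -> struct byte-order prefix.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond timestamps
}

def trim_padding(data):
    """Clamp caplen to len on every record; return (new_bytes, fixed, total)."""
    endian = MAGICS.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    out = bytearray(data[:24])            # global header is copied unchanged
    off = 24
    fixed = total = 0
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        sec, frac, caplen, wirelen = struct.unpack_from(endian + "IIII", data, off)
        body = data[off + 16:off + 16 + caplen]
        if len(body) != caplen:
            raise ValueError("truncated record body at offset %d" % off)
        off += 16 + caplen
        total += 1
        if caplen > wirelen:
            # Assumption: the extra bytes are trailing alignment padding.
            body = body[:wirelen]
            fixed += 1
        out += struct.pack(endian + "IIII", sec, frac, len(body), wirelen) + body
    return bytes(out), fixed, total

def constructed_sample():
    """Constructed input: one padded record (len 70, caplen 72), one normal."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    padded = struct.pack("<IIII", 1, 0, 72, 70) + b"\xaa" * 70 + b"\x00\x00"
    normal = struct.pack("<IIII", 2, 0, 60, 60) + b"\xbb" * 60
    return hdr + padded + normal

if __name__ == "__main__":
    if len(sys.argv) == 3:                # usage: script.py in.pcap out.pcap
        with open(sys.argv[1], "rb") as f:
            fixed_bytes, fixed, total = trim_padding(f.read())
        with open(sys.argv[2], "wb") as f:   # original file is left untouched
            f.write(fixed_bytes)
    else:
        fixed_bytes, fixed, total = trim_padding(constructed_sample())
    print("%d of %d records had caplen > len and were trimmed" % (fixed, total))
```

The output is always written to a separate file, so the capture produced by n2disk stays unmodified for evidence handling.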