ntop / nProbe

Open source components and extensions for nProbe
http://ntop.org
GNU General Public License v2.0

--tunnel option partially applied #18

Closed Retenodus closed 8 years ago

Retenodus commented 8 years ago

Hello,

I want to test nprobe stable on CentOS6 (v.7.2.151211) and I have an issue with nprobe and L2TP tunnelled traffic. Here is the command I launch:

[root@netflow-linux ~]# nprobe -i eth1 -d 60 -P /tmp/flows -D t -I sfr -T "%IN_BYTES %IN_PKTS %L4_SRC_PORT %PROTOCOL %IPV4_SRC_ADDR %L4_DST_PORT %IPV4_DST_ADDR %IPV6_SRC_ADDR %IPV6_DST_MASK %UPSTREAM_TUNNEL_ID %DOWNSTREAM_TUNNEL_ID" -V 9 --smart-udp-frags -N 0 --tunnel

[capture_nprobe.zip](https://github.com/ntop/nProbe/files/65629/capture_nprobe.zip)

I'd expect to get records like

122|1|53|17|IP_IN_TUNNEL|13217|IP_IN_TUNNEL|::|0|000054B5|0000B5AB|
117|2|443|6|IP_IN_TUNNEL|53820|IP_IN_TUNNEL|::|0|00006304|0000BB56|

I get some of them, but most of my records are not correctly decapsulated and I usually get records like that:

52|1|30753|17|L2TP_IP|49752|L2TP_IP|::|0|00000000|00000000|
52|1|4560|17|L2TP_IP|34232|L2TP_IP|::|0|00000000|00000000|

As you can see, L4_SRC_PORT and L4_DST_PORT are correctly decapsulated. However, I get neither the tunneled IP addresses nor the tunnel information (I obfuscated the IP information, replacing it with IP_IN_TUNNEL and L2TP_IP). ~75% of flows are concerned.

I am pretty sure the problem comes from the decapsulation and it's not a false positive, because if it were, src port and dest port would be 1701.

When I try to use it in debug mode I get a segfault (which I don't get without the --tunnel option):

[root@netflow-linux ~]# nprobe -i eth1 -d 60 -P /tmp/flows -D t -I sfr -T "%IN_BYTES %IN_PKTS %L4_SRC_PORT %PROTOCOL %IPV4_SRC_ADDR %L4_DST_PORT %IPV4_DST_ADDR %IPV6_SRC_ADDR %IPV6_DST_MASK %UPSTREAM_TUNNEL_ID %DOWNSTREAM_TUNNEL_ID %UNTUNNELED_IPV4_SRC_ADDR" -V 9 --smart-udp-frags -N 0 --debug --tunnel
17/Dec/2015 16:19:38 [nprobe.c:3114] ERROR: Invalid nProbe license (/etc/nprobe.license) [Missing license file]
17/Dec/2015 16:19:38 [nprobe.c:3121] ERROR: *****************************************************
17/Dec/2015 16:19:38 [nprobe.c:3122] ERROR: **                                                 **
17/Dec/2015 16:19:38 [nprobe.c:3123] ERROR: **  Switching to DEMO MODE (missing valid license) **
17/Dec/2015 16:19:38 [nprobe.c:3124] ERROR: **                                                 **
17/Dec/2015 16:19:38 [nprobe.c:3125] ERROR: **  Create your nProbe license at                  **
17/Dec/2015 16:19:38 [nprobe.c:3126] ERROR: **       http://www.nmon.net/mklicense/            **
17/Dec/2015 16:19:38 [nprobe.c:3127] ERROR: **                                                 **
17/Dec/2015 16:19:38 [nprobe.c:3128] ERROR: *****************************************************
17/Dec/2015 16:19:38 [nprobe.c:6508] ERROR: ***************************************************************
17/Dec/2015 16:19:38 [nprobe.c:6509] ERROR: * NOTE: This is a DEMO version limited to 25000 flows export.  *
17/Dec/2015 16:19:38 [nprobe.c:6510] ERROR: ***************************************************************
17/Dec/2015 16:19:38 [plugin.c:166] No plugins found in ./plugins
17/Dec/2015 16:19:38 [plugin.c:174] Loading 22 plugins [.so] from /usr/local/lib/nprobe/plugins
datagramSourceIP 0.0.0.0
datagramSize 48
unixSecondsUTC 1450365578
datagramVersion 5
agentSubId 0
agent 192.168.1.1
packetSequenceNo 1084445
sysUpTime 2429093100
samplesInPacket 4
startSample ----------------------
sampleType_tag 0:2
sampleType COUNTERSSAMPLE
sampleSequenceNo 187645
sourceId 0:1
counterBlock_tag 2176:0
skipping unknown counters_sample_element: 2176:0 len=0
counterBlock_tag 568615:598
skipping unknown counters_sample_element: 568615:598 len=0
endSample   ----------------------
unexpected end of datagram after sample 1 of 4
datagramSourceIP 0.0.0.0
datagramSize 48
unixSecondsUTC 1450365578
datagramVersion 5
agentSubId 0
agent 192.168.1.1
packetSequenceNo 1084446
sysUpTime 2429093100
samplesInPacket 10
startSample ----------------------
sampleType_tag 0:1
sampleType FLOWSAMPLE
sampleSequenceNo 11443
sourceId 0:2
meanSkipCount 50
samplePool 8912896
dropEvents 0
inputPort multiple 181563990
outputPort 0
flowBlock_tag 0:0
skipping unknown flow_sample_element: 0:0 len=-2147483648
Segmentation fault

The output without --debug:

[root@netflow-linux nprobe]# nprobe -i eth1 -d 60 -P /tmp/flows -D t -T "%IN_BYTES %IN_PKTS %L4_SRC_PORT %PROTOCOL %IPV4_SRC_ADDR %L4_DST_PORT %IPV4_DST_ADDR %IPV6_SRC_ADDR %IPV6_DST_MASK %UPSTREAM_TUNNEL_ID %DOWNSTREAM_TUNNEL_ID" -V 9 --smart-udp-frags -N 0 --tunnel
17/Dec/2015 18:36:29 [nprobe.c:3114] ERROR: Invalid nProbe license (/etc/nprobe.license) [Missing license file]
17/Dec/2015 18:36:29 [nprobe.c:3121] ERROR: *****************************************************
17/Dec/2015 18:36:29 [nprobe.c:3122] ERROR: **                                                 **
17/Dec/2015 18:36:29 [nprobe.c:3123] ERROR: **  Switching to DEMO MODE (missing valid license) **
17/Dec/2015 18:36:29 [nprobe.c:3124] ERROR: **                                                 **
17/Dec/2015 18:36:29 [nprobe.c:3125] ERROR: **  Create your nProbe license at                  **
17/Dec/2015 18:36:29 [nprobe.c:3126] ERROR: **       http://www.nmon.net/mklicense/            **
17/Dec/2015 18:36:29 [nprobe.c:3127] ERROR: **                                                 **
17/Dec/2015 18:36:29 [nprobe.c:3128] ERROR: *****************************************************
17/Dec/2015 18:36:29 [nprobe.c:6508] ERROR: ***************************************************************
17/Dec/2015 18:36:29 [nprobe.c:6509] ERROR: * NOTE: This is a DEMO version limited to 25000 flows export.  *
17/Dec/2015 18:36:29 [nprobe.c:6510] ERROR: ***************************************************************
17/Dec/2015 18:36:29 [plugin.c:166] No plugins found in ./plugins
17/Dec/2015 18:36:29 [plugin.c:174] Loading 22 plugins [.so] from /usr/local/lib/nprobe/plugins
17/Dec/2015 18:36:29 [nprobe.c:4488] WARNING: The output interfaceId is set to 0: did you forget to use -Q perhaps ?
17/Dec/2015 18:36:29 [nprobe.c:4491] WARNING: The input interfaceId is set to 0: did you forget to use -u perhaps ?
17/Dec/2015 18:36:29 [nprobe.c:4552] Welcome to nProbe Pro v.7.2.151211 ($Revision: 4471 $) for x86_64-unknown-linux-gnu with native PF_RING acceleration
17/Dec/2015 18:36:29 [nprobe.c:4562] Running on CentOS release 6.6 (Final)
17/Dec/2015 18:36:29 [nprobe.c:4573] [LICENSE] nProbe SystemId: 76A0E91411B1B8A2
17/Dec/2015 18:36:29 [nprobe.c:4653] Dumping flow files every 60 sec into directory /tmp/flows
17/Dec/2015 18:36:29 [nprobe.c:4658] WARNING: -n parameter is missing. 127.0.0.1:2055 will be used.
17/Dec/2015 18:36:29 [dbPlugin.c:49] Initializing DB plugin
17/Dec/2015 18:36:29 [exportPlugin.c:239] Initializing Export plugin
17/Dec/2015 18:36:29 [nprobe.c:6526] Welcome to nprobe v.7.2.151211 for x86_64-unknown-linux-gnu
17/Dec/2015 18:36:29 [nprobe.c:5789] Using NetFlow Packet Payload Len: 1472
17/Dec/2015 18:36:29 [plugin.c:1000] 0 plugin(s) enabled
17/Dec/2015 18:36:29 [nprobe.c:6183] Each flow is 54 bytes long
17/Dec/2015 18:36:29 [nprobe.c:6184] The # packets per flow has been set to 26
17/Dec/2015 18:36:29 [nprobe.c:6203] Non IPv4/v6 traffic is discarded according to the template
17/Dec/2015 18:36:29 [util.c:287] GeoIP: loaded AS config file /usr/share/ntopng/httpdocs/geoip/GeoIPASNum.dat
17/Dec/2015 18:36:29 [util.c:296] GeoIP: loaded AS IPv6 config file /usr/share/ntopng/httpdocs/geoip/GeoIPASNumv6.dat
17/Dec/2015 18:36:29 [nprobe.c:5121] Using packet capture length 128
17/Dec/2015 18:36:29 [pro/pf_ring.c:358] Using PF_RING in-kernel accelerated packet parsing
17/Dec/2015 18:36:29 [pro/pf_ring.c:362] Dumping traffic statistics on /proc/net/pf_ring/stats/28920-eth1.61
17/Dec/2015 18:36:29 [nprobe.c:6834] Smart fragment rebuild enabled (no fragments are rebuilt)
17/Dec/2015 18:36:29 [nprobe.c:6837] Enabled tunnel decoding (e.g. IPSEC/GTP)
17/Dec/2015 18:36:29 [util.c:2919] nProbe changed user to 'nobody'
17/Dec/2015 18:36:29 [nprobe.c:7035] nProbe started successfully
17/Dec/2015 18:36:29 [pro/pf_ring.c:172] [PF_RING] Reading packets in 0 copy mode
17/Dec/2015 18:37:03 [engine.c:2163] WARNING: Too many (524288) active flows [threadId=0][limit=524288] (see -M)
^C17/Dec/2015 18:37:28 [cache.c:1200] Redis Cache [0 total/0.0 get/sec][0 total/0.0 set/sec]
17/Dec/2015 18:37:28 [nprobe.c:386] Received shutdown request... [signal: 2]
17/Dec/2015 18:37:28 [pro/pf_ring.c:300] Terminated PF_RING packet processing
17/Dec/2015 18:37:28 [nprobe.c:4722] Waiting for PF_RING termination
17/Dec/2015 18:37:28 [nprobe.c:4731] PF_RING terminated
17/Dec/2015 18:37:28 [engine.c:2673] About to flush hash (threadId 0)
17/Dec/2015 18:37:29 [engine.c:2675] Completed hash walk (thread 0)
17/Dec/2015 18:37:29 [export.c:380] ERROR: ***************************************************************************
17/Dec/2015 18:37:29 [export.c:381] ERROR: * NOTE: You have reached the max demo 25000 flows export: no more exports *
17/Dec/2015 18:37:29 [export.c:383] ERROR: * NOTE: no additional flows will be exported by this nProbe instance      *
17/Dec/2015 18:37:29 [export.c:384] ERROR: ***************************************************************************
17/Dec/2015 18:37:32 [cache.c:1200] Redis Cache [0 total/0.0 get/sec][0 total/0.0 set/sec]
17/Dec/2015 18:37:32 [nprobe.c:2457] Processed packets: 4415181 (max bucket search: 16)
17/Dec/2015 18:37:32 [nprobe.c:2440] Fragment queue length: 0
17/Dec/2015 18:37:32 [nprobe.c:2463] WARNING: Your bucket search is too slow (16): expect drops
17/Dec/2015 18:37:32 [nprobe.c:2466] Flow export stats: [1055151133 bytes/1728265 pkts][25001 flows/1150 pkts sent]
17/Dec/2015 18:37:32 [nprobe.c:2476] Flow drop stats:   [8300751 bytes/25458 pkts][12288 flows]
17/Dec/2015 18:37:32 [nprobe.c:2481] Total flow stats:  [1063451884 bytes/1753723 pkts][37289 flows/1150 pkts sent]

When I compare with what I get in a pcap, I can see that in my pcap file I get almost no packets.

Is there a performance issue (it doesn't seem so, CPU stays low)? Is there a fix somewhere, or did I miss something?

Attached is a pcap file that corresponds to the traffic.

Thank you very much, Regards, Grégoire
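One check a reader of this thread might run against the dump files written by -P /tmp/flows, to measure how many records came out without tunnel information (the ~75% quoted above) and to separate "inner ports decoded but tunnel IDs zero" from "tunnel never decoded at all" (port 1701). This is an added example, not code from the issue or from nProbe; it assumes each dump file holds one pipe-separated record per line, in the column order of the -T template from the issue, and the sample records are constructed from the shapes quoted there.

```python
from typing import Dict, List

# Column order of the dump files is the order of the -T template from the issue.
TEMPLATE = ("%IN_BYTES %IN_PKTS %L4_SRC_PORT %PROTOCOL %IPV4_SRC_ADDR "
            "%L4_DST_PORT %IPV4_DST_ADDR %IPV6_SRC_ADDR %IPV6_DST_MASK "
            "%UPSTREAM_TUNNEL_ID %DOWNSTREAM_TUNNEL_ID")

L2TP_PORT = 1701  # UDP port of L2TP; a tunnel left undecoded still shows it

# Constructed sample dump: the record shapes quoted in the issue (addresses
# obfuscated as the reporter did) plus one constructed undecoded L2TP flow.
SAMPLE_DUMP = """\
122|1|53|17|IP_IN_TUNNEL|13217|IP_IN_TUNNEL|::|0|000054B5|0000B5AB|
52|1|30753|17|L2TP_IP|49752|L2TP_IP|::|0|00000000|00000000|
52|1|4560|17|L2TP_IP|34232|L2TP_IP|::|0|00000000|00000000|
117|2|443|6|IP_IN_TUNNEL|53820|IP_IN_TUNNEL|::|0|00006304|0000BB56|
80|1|1701|17|L2TP_IP|1701|L2TP_IP|::|0|00000000|00000000|
"""

def parse_records(text: str, template: str = TEMPLATE) -> List[Dict[str, str]]:
    """Parse pipe-separated dump lines into dicts keyed by template field."""
    cols = [f.lstrip("%") for f in template.split()]
    records = []
    for line in text.splitlines():
        fields = line.rstrip("|").split("|")  # records end with a trailing pipe
        if len(fields) != len(cols):
            continue  # skip a truncated line rather than misalign its columns
        records.append(dict(zip(cols, fields)))
    return records

def classify(rec: Dict[str, str]) -> str:
    """Decide whether --tunnel decapsulation was applied to one record."""
    tunnel_ids = (rec["UPSTREAM_TUNNEL_ID"], rec["DOWNSTREAM_TUNNEL_ID"])
    if any(int(t, 16) != 0 for t in tunnel_ids):
        return "decapsulated"  # inner flow plus tunnel IDs, as expected
    if L2TP_PORT in (int(rec["L4_SRC_PORT"]), int(rec["L4_DST_PORT"])):
        return "raw_l2tp"  # the tunnel itself, never decoded
    return "partial"  # inner ports decoded, tunnel fields left at zero

def summarize(text: str, template: str = TEMPLATE) -> Dict[str, int]:
    """Count records per decapsulation outcome, e.g. to verify the ~75% figure."""
    counts: Dict[str, int] = {}
    for rec in parse_records(text, template):
        kind = classify(rec)
        counts[kind] = counts.get(kind, 0) + 1
    return counts
```

Run summarize() over the concatenated contents of the files in /tmp/flows; a large "partial" share is the symptom this issue describes.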

lucaderi commented 8 years ago

I have made a fix that I hope addresses the issue reported. A new nprobe build is in progress and it will be available within an hour.

Retenodus commented 8 years ago

Hello,

Indeed, I tried with nprobe-7.3.151221-4749.x86_64 and it seems to work well :)

Thank you, Regards, Grégoire