Closed Retenodus closed 8 years ago
I have made a fix that I hope addresses the issue reported. A new nprobe build is in progress and it will be available within an hour.
Hello,
Indeed, I tried with nprobe-7.3.151221-4749.x86_64 and it seems to work well :)
Thank you, Regards, Grégoire
Hello,
I want to test nprobe stable on CentOS6 (v.7.2.151211) and I have an issue with nprobe and L2TP tunnelled traffic. Here is the command I launch:
I'd expect to get records like
I get some of them, but most of my records are not correctly decapsulated and I usually get records like that:
As you can see, L4_SRC_PORT and L4_DST_PORT are correctly decapsulated. However, I get neither the tunneled IP address nor the tunnel information (I obfuscated IP information, replacing it with IP_IN_TUNNEL and L2TP_IP). ~75% of flows are concerned.
I am pretty sure the problem comes from the decapsulation and it's not a false positive as if it was, src port and dest port would be 1701.
When I try to use it in debug mode I get a segfault (which I don't get without the --tunnel option):
The output without --debug:
When I compare with what I get in a pcap, I can see that in my pcap file I almost don't get any packet
Is there a performance issue (it doesn't seem so, CPU stays low)? Is there a fix somewhere, or did I miss something?
In attachment, a pcap file which corresponds to the traffic.
Thank you very much, Regards, Grégoire