ntop / ntopng

Web-based Traffic and Security Network Traffic Monitoring
http://www.ntop.org
GNU General Public License v3.0

MAC address based traffic direction not working following the yum update to ntop v.5.1.210929 #5941

Closed 612wong closed 2 years ago

612wong commented 2 years ago

The MAC address based traffic direction was working fine for me until yesterday afternoon, when I ran the package update for the netflow deployment with nprobe.

There were no changes made to the Interface where MAC address based traffic direction was in use.

simonemainardi commented 2 years ago

Explain "not working". Report screenshots and configuration.

612wong commented 2 years ago

Not working means both TX & RX traffic is now combined into the RX series. The MAC address of the remote-end wasn't changed before and after the package upgrade. I tried to use the MAC address of the local WAN interface in the field and then restarted ntopng but the TX & RX traffic wasn't segregated.

interface traffic and setting

timestamp (utc) since bytes_sent has been 'back' to zero

> select * from "iface:traffic_rxtx" where ifid='4' and bytes_sent=0 and time > now()-7d order by time asc limit 10
name: iface:traffic_rxtx
time                 bytes_rcvd bytes_sent ifid
----                 ---------- ---------- ----
2021-09-29T04:02:40Z 1480760    0          4
2021-09-29T04:02:41Z 1480760    0          4
2021-09-29T04:02:42Z 1588009    0          4
2021-09-29T04:02:43Z 1777552    0          4
2021-09-29T04:02:44Z 1880827    0          4
2021-09-29T04:02:45Z 1992212    0          4
2021-09-29T04:02:46Z 2052902    0          4
2021-09-29T04:02:47Z 2141747    0          4
2021-09-29T04:02:48Z 2286092    0          4
2021-09-29T04:02:49Z 2358205    0          4
>

timestamp (utc) before bytes-sent has been 'back' to zero

> select * from "iface:traffic_rxtx" where ifid='4' and bytes_sent!=0 and time > now()-7d order by time desc limit 10
name: iface:traffic_rxtx
time                 bytes_rcvd    bytes_sent   ifid
----                 ----------    ----------   ----
2021-09-29T04:02:20Z 3067471591177 117152865659 4
2021-09-29T04:02:19Z 3067471538732 117152864229 4
2021-09-29T04:02:18Z 3067471398655 117152856110 4
2021-09-29T04:02:17Z 3067471272777 117152843528 4
2021-09-29T04:02:16Z 3067470522514 117152812102 4
2021-09-29T04:02:15Z 3067469684121 117152785618 4
2021-09-29T04:02:14Z 3067469287163 117152766808 4
2021-09-29T04:02:13Z 3067468956158 117152740658 4
2021-09-29T04:02:12Z 3067467689962 117152676014 4
2021-09-29T04:02:11Z 3067467095646 117152646723 4
>

The 20s gap was due to the downtime of ntopng during the package upgrade.
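
Added example, not part of the thread or of ntopng's code: a check over the `iface:traffic_rxtx` rows quoted above that flags the sampling gap, the counter reset, and a sent series that stays at zero while the received series keeps growing. The function names and the thresholds `max_gap_s` and `min_zero_points` are assumptions.

```python
from datetime import datetime, timezone

# Rows taken from the two query outputs in the thread (time, bytes_rcvd,
# bytes_sent), oldest first, spanning the ntopng restart.
SAMPLE = """\
2021-09-29T04:02:18Z 3067471398655 117152856110
2021-09-29T04:02:19Z 3067471538732 117152864229
2021-09-29T04:02:20Z 3067471591177 117152865659
2021-09-29T04:02:40Z 1480760 0
2021-09-29T04:02:41Z 1480760 0
2021-09-29T04:02:42Z 1588009 0
2021-09-29T04:02:43Z 1777552 0
"""

def parse(text):
    """Parse 'time bytes_rcvd bytes_sent [ifid]' rows into sorted tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, rcvd, sent = line.split()[:3]
            t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            rows.append((t, int(rcvd), int(sent)))
    return sorted(rows)

def analyse(rows, max_gap_s=5, min_zero_points=3):
    """Report sampling gaps, counter resets, and TX folded into RX after a reset."""
    findings, reset_idx = [], None
    for i in range(1, len(rows)):
        (t0, r0, s0), (t1, r1, s1) = rows[i - 1], rows[i]
        gap = (t1 - t0).total_seconds()
        if gap > max_gap_s:
            findings.append(("gap", t0.isoformat(), gap))
        if r1 < r0 or s1 < s0:  # cumulative counters only drop on a restart
            findings.append(("counter_reset", t1.isoformat(), None))
            reset_idx = i
    if reset_idx is not None:
        after = rows[reset_idx:]
        rx_grew = after[-1][1] > after[0][1]
        tx_zero = all(sent == 0 for _, _, sent in after)
        if len(after) >= min_zero_points and rx_grew and tx_zero:
            findings.append(("tx_collapsed_into_rx", after[0][0].isoformat(), len(after)))
    return findings

if __name__ == "__main__":
    for finding in analyse(parse(SAMPLE)):
        print(finding)
```
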

simonemainardi commented 2 years ago

Please, attach the ntopng configuration used. You mentioned nProbe but then it seems to me you are capturing from a mirror port.

612wong commented 2 years ago

I just want to include all information that may contribute to the root cause.

The ntopng configuration is pretty straightforward, as shown in the following ntopng.conf.

-d=/local/ntopng
-F nindex
-G=/var/run/ntopng.pid
-i=et1
-i=et2
-i tcp://127.0.0.1:9995
-m=10.65.0.0/16,10.165.0.0/16
-n=1
-p /var/lib/ntopng/protos.txt
-w=80

simonemainardi commented 2 years ago

Can you please check if this is solved in the latest build?

612wong commented 2 years ago

Hi Simone,

I’m running the dev release and it’s still showing traffic in one direction only.

Do you need more information?

Thanks, Tung


612wong commented 2 years ago

I would like to confirm the issue's gone/fixed in 5.3.220609 to which I have updated it.