ntop / ntopng

Web-based Traffic and Security Network Traffic Monitoring
http://www.ntop.org
GNU General Public License v3.0

Unable to run ntop in container due to too many interfaces? #8407

Open unixbird opened 1 month ago

unixbird commented 1 month ago

Environment:

What happened: When attempting to run the ntopng container I get a crash. It was discussed in the Telegram group that it could possibly be related to having 50+ interfaces thanks to Kubernetes. This has worked before when I had much fewer containers running. I also attempted to just run the container with the vmbr0 interface (bridged interface that all traffic goes through anyway) and get a permission error even though I run it with full root capabilities.

How did you reproduce it? Running with either --community or the string ["--community", "-i vmbr0 -s"] yields different issues but overall ntop does not work

Debug Information: image When running with the -i vmbr0

When just running --community: ntop.txt

(replaced all instances of my ipv4 and ipv6 with "notmyip")

MatteoBiscosi commented 1 month ago

Hi @unixbird the number of interfaces is bounded to the license, at most with a community license you can capture up to 8 interfaces. If you run ntopng with just --community ntopng automatically tries to capture from all interfaces (bringing the error you have). I suggest capturing the traffic only on the interfaces you want to capture by adding the -i option. With the -i option it seems instead the problem could arise just in 2 cases:

  • the interface you added does not exist in the container (so try to check out if you have that interface on the container)
  • you do not have the sudo privileges to capture from that interface

So please add the interfaces you want to capture (up to 8) and check if you have the sudo privileges when running ntopng

unixbird commented 1 month ago

> Hi @unixbird the number of interfaces is bounded to the license, at most with a community license you can capture up to 8 interfaces. If you run ntopng with just --community ntopng automatically tries to capture from all interfaces (bringing the error you have). I suggest capturing the traffic only on the interfaces you want to capture by adding the -i option. With the -i option it seems instead the problem could arise just in 2 cases:
>
>   • the interface you added does not exist in the container (so try to check out if you have that interface on the container)
>   • you do not have the sudo privileges to capture from that interface
>
> So please add the interfaces you want to capture (up to 8) and check if you have the sudo privileges when running ntopng

I gave the container full root access to test, and whenever I let it find all interfaces it does find the vmbr0 interface, but if I specify -i it no longer works, which is what confuses me the most.

cardigliano commented 1 month ago

@unixbird what you are reporting is strange actually, are you able to ssh to the container and send the output of ifconfig to double check?

unixbird commented 1 month ago

2024-05-28_14-14

@cardigliano running ifconfig returns all of the interfaces (which I didn't include) and it finds the vmbr0 interface.

unixbird commented 1 month ago

Made a mistake in the version of ntop. I use the stable tag not the latest.

cardigliano commented 1 month ago

Could you check dmesg to see if there is any message? Btw, please note you probably do not have PF_RING installed on the host system, as it is falling back to PCAP capture. Then ntopng is also failing in PCAP mode; it may be related to capabilities, as the interface looks correct.
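An added example, not part of the thread and not ntopng project code: a shell pre-flight, run inside the container, for the two failure cases listed earlier (interface not visible, missing capture privileges) and for the capabilities question raised in the comment above. The function names are hypothetical, and it assumes a Linux container exposing /sys/class/net and /proc/self/status, with CAP_NET_RAW taken as the capability a PCAP packet socket needs.

```shell
#!/bin/sh
# Added example: checks to run inside the container before `ntopng -i <iface>`.
COMMUNITY_MAX_IFACES=8   # community-license limit as stated in the thread
CAP_NET_ADMIN=12         # bit numbers from linux/capability.h
CAP_NET_RAW=13

# has_cap HEXMASK BIT -> success if BIT is set in a CapEff-style hex mask
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# effective_caps [STATUS_FILE] -> prints this process's CapEff hex mask
effective_caps() {
    awk '/^CapEff:/ { print $2 }' "${1:-/proc/self/status}"
}

# iface_exists NAME [SYSNET_DIR] -> success if NAME is visible in this namespace
iface_exists() {
    [ -e "${2:-/sys/class/net}/$1" ]
}

# count_ifaces [SYSNET_DIR] -> number of entries (interfaces) in this namespace
count_ifaces() {
    ls -1 "${1:-/sys/class/net}" | wc -l | tr -d ' '
}

# preflight IFACE [SYSNET_DIR] [STATUS_FILE] -> prints findings, returns #problems
preflight() {
    problems=0
    total=$(count_ifaces "$2")
    if [ "$total" -gt "$COMMUNITY_MAX_IFACES" ]; then
        echo "note: $total interfaces visible; name up to $COMMUNITY_MAX_IFACES with -i"
    fi
    if ! iface_exists "$1" "$2"; then
        echo "FAIL: $1 is not visible in this network namespace"
        problems=$((problems + 1))
    fi
    caps=$(effective_caps "$3")
    if ! has_cap "$caps" "$CAP_NET_RAW"; then
        echo "FAIL: CAP_NET_RAW not in effective set (CapEff=$caps)"
        problems=$((problems + 1))
    fi
    has_cap "$caps" "$CAP_NET_ADMIN" || echo "note: CAP_NET_ADMIN not in effective set"
    return "$problems"
}

# Usage inside the container: sh preflight.sh vmbr0
if [ $# -gt 0 ]; then preflight "$@"; fi
```

A process can run as UID 0 and still lack these bits if the runtime drops them, so the CapEff mask is worth reading even when the container is started as root.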

unixbird commented 1 month ago

2024-05-29_13-55 This is all I see in dmesg. I also did install pf_ring on the host at one point and that didn't seem to do much.

To test I also ran the pfring container alongside this and got this: 2024-05-29_13-56 (this is the parent interface of the bridge vmbr0 as I wanted to make sure, but I get the same error whether it's vmbr0 or eno1)