pavel-odintsov / fastnetmon

FastNetMon - very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support
https://fastnetmon.com
GNU General Public License v2.0

Can not detect any packet in PF_RING ? #344

Closed tonytan4ever closed 9 years ago

tonytan4ever commented 9 years ago

I am trying to set up FastNetMon and a couple of Ubuntu Docker containers to play with it, but fastnetmon (with the PF_RING plugin) just doesn't capture any packets: [screenshot: nopacket]

My network is: [screenshot: ifconfig]

And I added 10.208.224.0/19 to my /etc/networks_list and also tried 172.17.42.0/16. That did not work either.

Any insights? Thanks!

pavel-odintsov commented 9 years ago

Howdy!

Could you share your /etc/fastnetmon.conf and /var/log/fastnetmon.log? You could send this data directly to me: pavel.odintsov@gmail.com

tonytan4ever commented 9 years ago

This is the content of /etc/fastnetmon.conf:

###
### Main configuration params
###

# Enable/Disable any actions in case of attack
enable_ban = on

# We could disable processing for certain direction of traffic
process_incoming_traffic = on
process_outgoing_traffic = on

# How many packets we will collect from attack's traffic
ban_details_records_count = 500

# How long an IP should stay in blocked state
# If you set 0 here it completely disables unban capability
ban_time = 1900

# With this variable you could enable per subnet speed meters
# For each subnet from subnet list we will track speed in bps and pps for both directions
enable_subnet_counters = off

# In this file you should list all your networks in CIDR format
networks_list_path = /etc/networks_list

# In this file you could list networks in CIDR format which will not be monitored for attacks
white_list_path = /etc/networks_whitelist

# How often we redraw client's screen
check_period = 1

# Connection tracking is very useful for attack detection because it provides a huge amount of information
# But it's very CPU intensive and not recommended in big networks
enable_connection_tracking = off

# Different approaches to attack detection
ban_for_pps = on
ban_for_bandwidth = on
ban_for_flows = off

# Limits for DoS/DDoS attacks
threshold_pps = 20000
threshold_mbps = 1000
threshold_flows = 3500

###
### Traffic capture methods
###

# PF_RING traffic capture, fast enough, but the wire speed version needs a paid license
mirror = off

# Netmap traffic capture (very fast but needs patched drivers)
mirror_netmap = off

# Pcap mode, very slow, not suitable for production
pcap = off
# Netflow capture method with v5, v9 and IPFIX support
netflow = on
# sFLOW capture suitable for switches
sflow = on

# PF_RING configuration
# If you have a license for PF_RING ZC you could enable this mode and it could achieve wire speed for 10GE
enable_pf_ring_zc_mode = on

# Configuration for netmap, mirror, pcap modes
# For pcap and PF_RING we could specify "any"
# For netmap and PF_RING we could specify multiple interfaces, comma separated
interfaces = docker0,eth0,eth1,vethc491

# We use average values for traffic speed to certain IP and we calculate average over this time slice
average_calculation_time = 5

# We use average values for traffic speed for subnet and we calculate average over this time slice
average_calculation_time_for_subnets = 20

# Netflow configuration
netflow_port = 2055
netflow_host = 0.0.0.0

# For bind to all interfaces for specific protocol: 0.0.0.0 or ::
# For bind to localhost for specific protocol:      ::1 or 127.0.0.1

# Netflow agents use different and very complex approaches for notifying about sample ratio
# Here you could specify sampling ratio for all agents
netflow_sampling_ratio = 1

# sFLOW configuration
sflow_port = 6343
sflow_host = 0.0.0.0

###
### Actions when attack detected
###

# This script is executed for ban, unban and attack details collection
notify_script_path = /usr/local/bin/notify_about_attack.sh

# We could put attack details to Redis
redis_enabled = no

# Redis configuration
redis_port = 6379
redis_host = 127.0.0.1

# ExaBGP could announce blocked IPs with BGP protocol
exabgp = off
exabgp_command_pipe = /var/run/exabgp.cmd
exabgp_community = 65001:666
exabgp_next_hop = 10.0.3.114

# Announce origin subnet of IP address instead of IP itself
exabgp_announce_whole_subnet = no

# Graphite monitoring
graphite = off
graphite_host = 127.0.0.1
graphite_port = 2003

# With this option enabled we could add local IP addresses and aliases to monitoring list
# Works only for Linux
monitor_local_ip_addresses = on

###
### Client configuration
###

# Field used for sorting in client, could be: packets, bytes or flows
sort_parameter = packets
# How many IPs we will list for incoming and outgoing channel eaters
max_ips_in_list = 7

And this is the /var/fastnetmon.log file: https://www.dropbox.com/s/a3l3jpi3fc66j6o/fastnetmon.log?dl=0

Thanks a lot!

pavel-odintsov commented 9 years ago

Hello!

You have disabled capture from mirror:

# PF_RING traffic capture, enough fast but wire speed version need paid license
mirror = off

And you will have significant issues with PF_RING because it requires a kernel module and we can't build it correctly with Docker.

You could try a KVM VM or ESXi, or run FastNetMon on bare metal.

tonytan4ever commented 9 years ago

Hi, thanks a lot for your reply. Now I have capture from mirror set to on, but I can't start fastnetmon. I got this from the log:

2015-07-30 15:19:52,988 [INFO] We selected interface:docker0,eth0,eth1,vethc491
2015-07-30 15:19:52,988 [INFO] Run banlist cleanup thread
2015-07-30 15:19:52,989 [INFO] We have: 1 logical cpus in this server
2015-07-30 15:19:52,989 [INFO] We will start 0 worker threads
2015-07-30 15:19:53,100 [INFO] We got max packet len from device: 1536
2015-07-30 15:19:53,101 [INFO] We will use total number of ZC buffers: 32776
2015-07-30 15:19:53,204 [INFO] pfring_zc_create_cluster error: No buffer space available Please check that pf_ring.ko is loaded and hugetlb fs is mounted
2015-07-30 15:19:53,205 [ERROR] PF_RING initilization failed, exit from programm

I have loaded the pf_ring.ko module with:

$ sudo insmod <my_PF_RING_SRC_FOLDER>/kernel/pf_ring.ko transparent_mode=1 min_num_slots=1 enable_tx_capture=1 enable_ip_defrag=1 quick_mode=0

And hugetlb fs is mounted as well:

$ cat /proc/filesystems
nodev	sysfs
nodev	rootfs
nodev	ramfs
nodev	bdev
nodev	proc
nodev	cgroup
nodev	cpuset
nodev	tmpfs
nodev	devtmpfs
nodev	debugfs
nodev	securityfs
nodev	sockfs
nodev	pipefs
nodev	anon_inodefs
nodev	devpts
	ext3
	ext2
	ext4
nodev	hugetlbfs
	vfat

Any ideas? Could this be because of my machine:

description: Computer
    width: 64 bits
    capabilities: ldt16 vsyscall32
  *-core
       description: Motherboard
       physical id: 0
     *-memory
          description: System memory
          physical id: 0
          size: 989MiB
     *-cpu
          product: Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz
          vendor: Intel Corp.
          physical id: 1
          bus info: cpu@0
          width: 64 bits

Thanks.
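A host preflight for the pfring_zc_create_cluster failure in the log above, added here as an example; it is not FastNetMon's or PF_RING's code, the /proc samples it parses are constructed, and read_live() is a hypothetical helper that runs the same checks on the real files. The point it makes: /proc/filesystems only lists filesystem types the kernel supports, whether hugetlbfs is actually mounted is in /proc/mounts, and ZC also needs huge pages reserved.

```python
"""Preflight for the PF_RING ZC error in the log above. hugetlbfs appearing in
/proc/filesystems only says it is supported; ZC needs it mounted and huge pages reserved."""
import re

# Constructed samples standing in for the real /proc files (not taken from the issue's host)
PROC_MODULES = "pf_ring 1011712 0 - Live 0xffffffffa0000000 (O)\nveth 13410 0 - Live 0xffffffffa0100000\n"
PROC_FILESYSTEMS = "nodev\tsysfs\nnodev\tproc\n\text4\nnodev\thugetlbfs\n\tvfat\n"
PROC_MOUNTS = "sysfs /sys sysfs rw,nosuid 0 0\nproc /proc proc rw 0 0\n/dev/sda1 / ext4 rw 0 0\n"
PROC_MEMINFO = "MemTotal:        1012812 kB\nHugePages_Total:       0\nHugePages_Free:        0\nHugepagesize:       2048 kB\n"

def module_loaded(proc_modules, name="pf_ring"):
    """/proc/modules: the first field of each line is the module name."""
    return any(line.split()[0] == name for line in proc_modules.splitlines() if line.strip())

def fs_supported(proc_filesystems, fstype="hugetlbfs"):
    """/proc/filesystems: 'nodev<TAB>name' or '<TAB>name'; presence means supported, not mounted."""
    return any(line.split()[-1] == fstype for line in proc_filesystems.splitlines() if line.strip())

def fs_mounts(proc_mounts, fstype="hugetlbfs"):
    """/proc/mounts: 'device mountpoint fstype options dump pass'; return mount points of fstype."""
    fields = (line.split() for line in proc_mounts.splitlines())
    return [f[1] for f in fields if len(f) >= 3 and f[2] == fstype]

def hugepages_total(proc_meminfo):
    """Number of huge pages reserved by the kernel (HugePages_Total in /proc/meminfo)."""
    m = re.search(r"^HugePages_Total:\s+(\d+)", proc_meminfo, re.M)
    return int(m.group(1)) if m else 0

def zc_preflight(modules, filesystems, mounts, meminfo):
    """Return what the error message asks you to check, plus the huge page reservation; empty if ready."""
    problems = []
    if not module_loaded(modules):
        problems.append("pf_ring.ko is not loaded")
    if not fs_supported(filesystems):
        problems.append("kernel has no hugetlbfs support")
    elif not fs_mounts(mounts):
        problems.append("hugetlbfs is supported but not mounted (check /proc/mounts, not /proc/filesystems)")
    if hugepages_total(meminfo) == 0:
        problems.append("no huge pages reserved (HugePages_Total is 0)")
    return problems

def read_live():
    """Hypothetical helper: run the same checks against this host's real /proc files."""
    with open("/proc/modules") as a, open("/proc/filesystems") as b, \
         open("/proc/mounts") as c, open("/proc/meminfo") as d:
        return zc_preflight(a.read(), b.read(), c.read(), d.read())
```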

pavel-odintsov commented 9 years ago

Do you want PF_RING vanilla or PF_RING ZC (paid and needs a license)?

tonytan4ever commented 9 years ago

PF_RING vanilla is fine for me. Any configuration I need to set?

pavel-odintsov commented 9 years ago

Just switch off this trigger:

enable_pf_ring_zc_mode = off
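A small lint for the two config problems found in this thread (capture from mirror left off, then PF_RING ZC mode on without a licence), added as an example and not FastNetMon's own code; ISSUE_CONF is a constructed excerpt of the config posted above, and with_override is a helper of mine for replaying the two fixes.

```python
"""Lint a FastNetMon-style key = value config for the two problems this thread ran into:
capture from the mirror port left off, and PF_RING ZC mode on without a licence."""

# Constructed excerpt of the capture section of the config posted above, not the full file
ISSUE_CONF = """\
mirror = off            # PF_RING capture from a mirror/SPAN port
mirror_netmap = off
pcap = off
netflow = on
sflow = on
enable_pf_ring_zc_mode = on
interfaces = docker0,eth0,eth1,vethc491
"""

MIRROR_KEYS = ("mirror", "mirror_netmap", "pcap")   # modes that read packets from interfaces
ALL_CAPTURE_KEYS = MIRROR_KEYS + ("netflow", "sflow")

def parse_conf(text):
    """Return {key: value}; '#' starts a comment and keys are written 'name = value'."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conf[key] = value
    return conf

def is_on(conf, key):
    return conf.get(key, "off").lower() in ("on", "yes", "true", "1")

def lint_capture(conf):
    """List misconfigurations in the order the thread found them."""
    findings = []
    if not any(is_on(conf, k) for k in ALL_CAPTURE_KEYS):
        findings.append("no capture method enabled at all")
    if conf.get("interfaces") and not any(is_on(conf, k) for k in MIRROR_KEYS):
        findings.append("interfaces is set but mirror, mirror_netmap and pcap are all off")
    if is_on(conf, "mirror") and is_on(conf, "enable_pf_ring_zc_mode"):
        findings.append("enable_pf_ring_zc_mode = on needs a PF_RING ZC licence; "
                        "vanilla PF_RING wants it off")
    return findings

def with_override(text, key, value):
    """Re-render the config with one key changed, to replay the fixes from the thread."""
    out = [f"{key} = {value}" if line.split("=", 1)[0].strip() == key else line
           for line in text.splitlines()]
    return "\n".join(out)
```

Replay the thread's fixes with with_override(ISSUE_CONF, "mirror", "on") and then ("enable_pf_ring_zc_mode", "off"), running lint_capture(parse_conf(...)) after each step.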

tonytan4ever commented 9 years ago

Hi, thanks. I now have it working with PF_RING. But the IP address eating incoming traffic is still not showing up in the client. How can I fix this: [screenshot: screen shot 2015-07-30 at 3 15 40 pm 3]

Am I missing any configuration?

pavel-odintsov commented 9 years ago

Could you flood with hping? Ping generates too small an amount of traffic.

tonytan4ever commented 9 years ago

Tried with hping; packets are captured, but the IP is still not showing up :/ [screenshot: screen shot 2015-07-30 at 3 48 25 pm 3]

pavel-odintsov commented 9 years ago

Could you try to enable promisc mode for mirror interface?

Sincerely yours, Pavel Odintsov

tonytan4ever commented 9 years ago

Tried setting it on and it does not work:

$ sudo ip link set docker0 promisc on

pavel-odintsov commented 9 years ago

Hm... could you try to run a full packet dump with this flag:

DUMP_ALL_PACKETS=yes ./fastnetmon

And send new log file to me?

pavel-odintsov commented 9 years ago

I caught this bug but there are some problems here. If we run with Docker we completely disable PF_RING compilation, and you don't have this code.

pavel-odintsov commented 9 years ago

Hello!

Please open the downloaded fastnetmon_install.pl and remove the following lines:

if (-e "/.dockerinit") {
    # On Docker we can't build kernel modules
    $we_could_install_kernel_modules = 0;
}

And run it. It could work correctly.

tonytan4ever commented 9 years ago

Hi, thanks for your help. After I reinstalled and tested it, now it works: [screenshot: screen shot 2015-07-31 at 12 07 21 pm 3]

I am closing this issue.