netsniff-ng drops packets

Irek Wlizlo

May 27, 2013, 7:17:08 AM5/27/13
to netsn...@googlegroups.com
Hi All,
I have a strange situation and I'm looking for help.

I have two systems, one with RHEL 6.3
2.6.32-279.9.1.el6.x86_64 #1 SMP Fri Aug 31 09:04:24 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux
with netsniff-ng from the CentOS/EPEL repositories:
netsniff-ng 0.5.5.0, netsniff-ng-0.5.5.0-2.el6.src.rpm

The second one is:
Grml Live Linux, version grml32-full_2013.02.iso
Linux 3.7-1-grml-486 #1 Debian 3.7.9-1+grml.1 i686 GNU/Linux
netsniff-ng 0.5.7

On the Grml Linux server everything is working fine, no drops.

But on RHEL I got drops.

/usr/sbin/netsniff-ng -d eth0 -p oooo.pcap -s
netsniff-ng 0.5.5.0 -- pid (20971)

nice (0), scheduler (0 prio 0)
8 of 8 CPUs online, affinity bitstring (10000000)

No filter applied. Switching to `all traffic`.

100.00 MB allocated for receive ring
[ 6400 blocks, 51200 frames ]
[ 8 frames per block ]
[ framesize: 2048 bytes, blocksize: 16384 bytes ]

--- Listening ---

Receive ring dumping ... |^Ccaught SIGINT!

Got SIGINT here!
67134 frames incoming
51201 frames passed filter
15933 frames failed filter (due to out of space)

The capture file gets size 52910017 (May 27 11:23 oooo.pcap).
On each try this size differs but still stays at about 60M.

I connected with gdb to the netsniff-ng process to see where it hangs, and I see:

#1 0x00000000004063a0 in fetch_packets (sd=0x7fff845f44a0, sock=4, rb=0x1259050) at rx_ring.c:300
300 while ((ret = poll(&pfd, 1, sd->blocking_mode)) <= 0) {
(gdb) s
Single stepping until exit from function poll,
which has no line number information.


The traffic I sniff in this test is an FTP session (~90 Mbits).

Maybe you can help me find the root of this issue?

Is any system tuning needed to avoid such an issue?


Thanks and Regards.
Irek
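
A small diagnostic for the summary above, added here as an example (it is not part of this thread or of the netsniff-ng project): it parses the counters netsniff-ng prints at exit and separates a consumer stall, where frames passed equals about one ring's worth of frames (which fits the gdb trace parked in poll), from a ring that is simply overrun. The heuristic, the function names and the threshold of one block are my own assumptions.

```python
import re

# Constructed input: the exit summary that netsniff-ng 0.5.5.0 printed in the
# first post of this thread, reproduced as test data.
SAMPLE_OUTPUT = """\
100.00 MB allocated for receive ring
[ 6400 blocks, 51200 frames ]
[ 8 frames per block ]
[ framesize: 2048 bytes, blocksize: 16384 bytes ]
67134 frames incoming
51201 frames passed filter
15933 frames failed filter (due to out of space)
"""

PATTERNS = {
    "ring_blocks": r"\[\s*(\d+) blocks,",
    "ring_frames": r"blocks,\s*(\d+) frames\s*\]",
    "frames_per_block": r"\[\s*(\d+) frames per block\s*\]",
    "incoming": r"(\d+) frames incoming",
    "passed": r"(\d+) frames passed filter",
    "failed": r"(\d+) frames failed filter",
}

def parse_stats(text):
    """Extract ring geometry and frame counters from netsniff-ng's exit summary."""
    stats = {}
    for key, pat in PATTERNS.items():
        m = re.search(pat, text)
        if m:
            stats[key] = int(m.group(1))
    return stats

def diagnose(stats):
    """Classify the drop pattern; returns (drop_ratio, verdict)."""
    incoming, passed, failed = stats["incoming"], stats["passed"], stats["failed"]
    ratio = failed / incoming if incoming else 0.0
    if failed == 0:
        return ratio, "no drops"
    # Heuristic (assumption): if user space stops draining the ring, the kernel
    # fills every slot exactly once and reports 'out of space' for everything
    # after, so frames passed lands within one block of the ring size.
    if abs(passed - stats["ring_frames"]) <= stats["frames_per_block"]:
        return ratio, "stall: capture stopped after one full ring"
    # Otherwise the ring keeps being drained, just not fast enough.
    return ratio, "overrun: ring too small or consumer too slow"

if __name__ == "__main__":
    s = parse_stats(SAMPLE_OUTPUT)
    r, v = diagnose(s)
    print(f"dropped {r:.1%} of {s['incoming']} frames -> {v}")
```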

Daniel Borkmann

May 27, 2013, 7:40:40 AM5/27/13
to netsn...@googlegroups.com, Irek Wlizlo
Hi Irek,

On 05/27/2013 01:17 PM, Irek Wlizlo wrote:

> I have strange situation and I'm looking for help.
>
> I have two systems one with RHEL 6.3
> 2.6.32-279.9.1.el6.x86_64 #1 SMP Fri Aug 31 09:04:24 EDT 2012 x86_64 x86_64
> x86_64 GNU/Linux
> with netsniff from centos/epel repositories
> netsniff-ng 0.5.5.0, netsniff-ng-0.5.5.0-2.el6.src.rpm
>
> second one is the:
> Grml Live Linux , version grml32-full_2013.02.iso
> Linux 3.7-1-grml-486 #1 Debian 3.7.9-1+grml.1 i686 GNU/Linux
> netsniff-ng 0.5.7
>
> On the grml linux server everything is working fine, no drops.
>
> but on the RHEL I got drops.

Can you try getting the latest version via

git clone git://github.com/borkmann/netsniff-ng.git

and see if it can be reproduced? Also, the upstream netsniff-ng has
*a lot* more features than what you currently use.

A lot has happened since then and a new release will appear in less
than a month.

Let me know.

Thanks,

Daniel

Irek Wlizlo

May 27, 2013, 9:01:57 AM5/27/13
to netsn...@googlegroups.com
Hi Daniel,
I finally built the latest (0.5.7) version from source on my system and repeated
the test.

You are right, it's much better :)

I mean, now I captured 8GB of data and no drops occurred. I assume that my
issue was fixed in the latest version, somehow.


By the way, I have a question: is it possible to build only one tool from source?

I'm asking because I'd like to build only the sniffer, not the other stuff, but now I
have to download all the missing libraries needed by the other tools. Is there a
way to build the tools separately?

Thanks,
Irek

Daniel Borkmann

May 27, 2013, 9:14:09 AM5/27/13
to netsn...@googlegroups.com, Irek Wlizlo
On 05/27/2013 03:01 PM, Irek Wlizlo wrote:
> Daniel Borkmann <borkmann@...> writes:
>> On 05/27/2013 01:17 PM, Irek Wlizlo wrote:
[...]
> I finally build latest (0.5.7) version from source on my system and repeat
> the test.

Hm, you mean 0.5.8-rc0 from Git, which I suggested, right?

> You are right it's much more better :)
>
> I mean now I captured 8GB of data and no drops occurs. I assume that my
> issue was fixed it latest version , somehow.
>
> By the way I have question is it possible to build only one tool from source ?

Yes:

git clone git://github.com/borkmann/netsniff-ng.git
cd netsniff-ng/
make netsniff-ng
make netsniff-ng_install

In the Git tree there's also a comprehensive netsniff-ng man page.

> I'm asking because I'd like to build sniffer only not other stuff but now I
> heave to download all missing libraries needed by other tools. Is there a
> way to build tools separately ?

Yep, see above.

Irek Wlizlo

May 28, 2013, 4:22:07 AM5/28/13
to netsn...@googlegroups.com
Hi Daniel,

Daniel Borkmann <dborkman@...> writes:

>
> On 05/27/2013 03:01 PM, Irek Wlizlo wrote:
> > Daniel Borkmann <borkmann <at> ...> writes:
> >> On 05/27/2013 01:17 PM, Irek Wlizlo wrote:
>[..]

>
> Yes:
>
> git clone git://github.com/borkmann/netsniff-ng.git
> cd netsniff-ng/
> make netsniff-ng
> make netsniff-ng_install
>

Now I'm trying to build from the git source. It seems I'm very close but not finished ;)

I got the message:

make netsniff-ng
Building netsniff-ng:
CC geoip.c
geoip.c:40: error: 'GEOIP_CITY_EDITION_REV1_V6' undeclared here (not in a function)
geoip.c:40: error: array index in initializer not of integer type
geoip.c:40: error: (near initialization for 'files')
geoip.c:64: error: 'GEOIP_ASNUM_EDITION_V6' undeclared here (not in a function)
geoip.c:64: error: array index in initializer not of integer type
geoip.c:64: error: (near initialization for 'files')
geoip.c:76: warning: missing initializer
geoip.c:76: warning: (near initialization for 'empty.country_code3')
cc1: warning: unrecognized command line option "-Wno-unused-result"
make: *** [netsniff-ng/geoip.o] Error 1


rpm -aq gc*
gcc-c++-4.4.6-4.el6.x86_64
gcc-gfortran-4.4.6-4.el6.x86_64
gcc-4.4.6-4.el6.x86_64


And honestly speaking, I have no idea how to fix it.

Do you have any suggestion?

Thanks
Irek

Daniel Borkmann

May 28, 2013, 4:35:16 AM5/28/13
to netsn...@googlegroups.com, Irek Wlizlo
On 05/28/2013 10:22 AM, Irek Wlizlo wrote:
> Hi Daniel,
>
> Daniel Borkmann <dborkman@...> writes:
>
>>
>> On 05/27/2013 03:01 PM, Irek Wlizlo wrote:
>>> Daniel Borkmann <borkmann <at> ...> writes:
>>>> On 05/27/2013 01:17 PM, Irek Wlizlo wrote:
>> [..]
>
>>
>> Yes:
>>
>> git clone git://github.com/borkmann/netsniff-ng.git
>> cd netsniff-ng/
>> make netsniff-ng
>> make netsniff-ng_install
>
> Now I'm trying to build from git source. It seems I very close but not finish ;)

You need (probably your distro doesn't ship it):

wget http://geolite.maxmind.com/download/geoip/api/c/GeoIP-1.4.8.tar.gz
tar -zxvf GeoIP-1.4.8.tar.gz
cd GeoIP-1.4.8
./configure
make
make install
ldconfig

And then try it once again to build netsniff-ng.

Irek Wlizlo

May 28, 2013, 8:27:40 AM5/28/13
to netsn...@googlegroups.com
Hi,
Daniel Borkmann <borkmann@...> writes:

>
> On 05/28/2013 10:22 AM, Irek Wlizlo wrote:
> > Hi Daniel,
> >
> > Daniel Borkmann <dborkman <at> ...> writes:
> >
> >>
> >> On 05/27/2013 03:01 PM, Irek Wlizlo wrote:
> >>> Daniel Borkmann <borkmann <at> ...> writes:
> >>>> On 05/27/2013 01:17 PM, Irek Wlizlo wr
[...]
>
> You need (probably your distro doesn't ship it):
>
> wget http://geolite.maxmind.com/download/geoip/api/c/GeoIP-1.4.8.tar.gz
> tar -zxvf GeoIP-1.4.8.tar.gz
> cd GeoIP-1.4.8
> ./configure
> make
> make install
> ldconfig
>
> And then try it once again to build netsniff-ng.
>
[..]
It helps :) I downloaded the new version and the compilation passed. Now I'm going to
test it in the lab.

By the way, is it possible to disable the GeoIP feature in netsniff-ng?

Thanks
Irek

Daniel Borkmann

May 28, 2013, 8:39:23 AM5/28/13
to netsn...@googlegroups.com, Irek Wlizlo
On 05/28/2013 02:27 PM, Irek Wlizlo wrote:

> By the way is it possible to disable geoip feature from netsniff ?

Unfortunately, currently not. But this may well be changed in the future; it's
in our todo queue.

Thanks,

Daniel