From tyler.schoenke at colorado.edu Mon Nov 25 09:57:08 2013
From: tyler.schoenke at colorado.edu (Tyler T. Schoenke)
Date: Mon, 25 Nov 2013 10:57:08 -0700
Subject: [TM] 802.1q trunks and time machine
Message-ID: <0AA5D924DE90AF48BBD563CCD296B8FB010AA9A847FC@EXC2.ad.colorado.edu>

Hi,

My time machine indexes aren't working, and I suspect it is due to the 802.1q trunk that the traffic is encapsulated in. How are people dealing with trunk encapsulation? Are you stripping it off before it is fed to time machine?

Thanks,

Tyler

--
Tyler Schoenke
Network Security Program Manager
IT Security Office
University of Colorado at Boulder

From asharma at lbl.gov Mon Nov 25 10:16:09 2013
From: asharma at lbl.gov (Aashish Sharma)
Date: Mon, 25 Nov 2013 10:16:09 -0800
Subject: [TM] 802.1q trunks and time machine
In-Reply-To: <0AA5D924DE90AF48BBD563CCD296B8FB010AA9A847FC@EXC2.ad.colorado.edu>
References: <0AA5D924DE90AF48BBD563CCD296B8FB010AA9A847FC@EXC2.ad.colorado.edu>
Message-ID: <20131125181607.GB31731@yaksha.lbl.gov>

Hello Tyler,

While I have indexes disabled at the moment, this is how I have configured an instance of the tm.conf (maybe you already have a similar setup):

class "dns" {
    filter "vlan and port 53";
    ...
    ..
    ..
    ..
}

Does this help?

Aashish

On Mon, Nov 25, 2013 at 10:57:08AM -0700, Tyler T. Schoenke wrote:
>
> Hi,
>
> My time machine indexes aren't working, and I suspect it is due to the
> 802.1q trunk that the traffic is encapsulated in. How are people dealing
> with trunk encapsulation? Are you stripping it off before it is fed to
> time machine?
> Thanks,
>
> Tyler
>
> --
> Tyler Schoenke
> Network Security Program Manager
> IT Security Office
> University of Colorado at Boulder
> _______________________________________________
> Time-Machine mailing list
> Time-Machine at mailman.ICSI.Berkeley.EDU
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/time-machine

--
Aashish Sharma (asharma at lbl.gov)
Cyber Security, Information Technology Division
Lawrence Berkeley National Laboratory
http://go.lbl.gov/pgp-aashish
Office: (510)-495-2680 Cell: (510)-457-1525

From tyler.schoenke at colorado.edu Mon Nov 25 19:47:24 2013
From: tyler.schoenke at colorado.edu (Tyler T. Schoenke)
Date: Mon, 25 Nov 2013 20:47:24 -0700
Subject: [TM] 802.1q trunks and time machine
In-Reply-To: <20131125181607.GB31731@yaksha.lbl.gov>
References: <0AA5D924DE90AF48BBD563CCD296B8FB010AA9A847FC@EXC2.ad.colorado.edu> <20131125181607.GB31731@yaksha.lbl.gov>
Message-ID: <0AA5D924DE90AF48BBD563CCD296B8FB010AA9A848F8@EXC2.ad.colorado.edu>

Hi Aashish,

I just tried the BPF filter you suggested, but it looks like indexes are still not working.

If I run the following, I will see traffic in one of the class_* (pcap formatted) files:

tcpdump -v -n -r class_all_1385406639.023206 "vlan and host 128.138.44.198"

When I try to telnet to 42042 and dump against the index for the same IP address, it results in an empty file. Example:

query to_file "128.138.44.198.pcap" index ip "128.138.44.198"

I can usually tell timemachine is done writing to the output file because it switches from 0 bytes to 24 bytes, with 24 bytes indicating it didn't find anything.

On a side note, when I add -e to tcpdump, I can see the class_* files contain the vlan tagging data.
I had a student test against time machine running in a VM, and indexing worked fine, but I think he was picking up non-trunked packets.

I suspect the vlan tagging is causing some problem with indexing. I guess I can just do what you are doing and skip using the indexes. Having Time Machine running without indexes is still better than not having it running.

Tyler

-----Original Message-----
From: Aashish Sharma [mailto:asharma at lbl.gov]
Sent: Monday, November 25, 2013 11:16 AM
To: Tyler T. Schoenke
Cc: time-machine at ICSI.Berkeley.EDU
Subject: Re: [TM] 802.1q trunks and time machine

* PGP Signed by an unknown key

Hello Tyler,

While I have indexes disabled at the moment, this is how I have configured an instance of the tm.conf (maybe you already have a similar setup):

class "dns" {
    filter "vlan and port 53";
    ...
    ..
    ..
    ..
}

Does this help?

Aashish

On Mon, Nov 25, 2013 at 10:57:08AM -0700, Tyler T. Schoenke wrote:
>
> Hi,
>
> My time machine indexes aren't working, and I suspect it is due to the
> 802.1q trunk that the traffic is encapsulated in. How are people dealing
> with trunk encapsulation? Are you stripping it off before it is fed to
> time machine?
> Thanks,
>
> Tyler
>
> --
> Tyler Schoenke
> Network Security Program Manager
> IT Security Office
> University of Colorado at Boulder
> _______________________________________________
> Time-Machine mailing list
> Time-Machine at mailman.ICSI.Berkeley.EDU
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/time-machine

--
Aashish Sharma (asharma at lbl.gov)
Cyber Security, Information Technology Division
Lawrence Berkeley National Laboratory
http://go.lbl.gov/pgp-aashish
Office: (510)-495-2680 Cell: (510)-457-1525

* Unknown Key
* 0xE07251D6

From asharma at lbl.gov Tue Nov 26 07:41:35 2013
From: asharma at lbl.gov (Aashish Sharma)
Date: Tue, 26 Nov 2013 07:41:35 -0800
Subject: [TM] 802.1q trunks and time machine
In-Reply-To: <0AA5D924DE90AF48BBD563CCD296B8FB010AA9A848F8@EXC2.ad.colorado.edu>
References: <0AA5D924DE90AF48BBD563CCD296B8FB010AA9A847FC@EXC2.ad.colorado.edu> <20131125181607.GB31731@yaksha.lbl.gov> <0AA5D924DE90AF48BBD563CCD296B8FB010AA9A848F8@EXC2.ad.colorado.edu>
Message-ID: <20131126154133.GF6888@yaksha.lbl.gov>

Hi Tyler,

Can you please file a ticket about this: https://bro-tracker.atlassian.net/browse/TM

Thanks,

Aashish

On Mon, Nov 25, 2013 at 08:47:24PM -0700, Tyler T. Schoenke wrote:
> Hi Aashish,
>
> I just tried the BPF filter you suggested, but it looks like indexes are still not working.
>
> If I run the following, I will see traffic in one of the class_* (pcap formatted) files:
> tcpdump -v -n -r class_all_1385406639.023206 "vlan and host 128.138.44.198"
>
> When I try to telnet to 42042 and dump against the index for the same IP address, it results in an empty file. Example:
>
> query to_file "128.138.44.198.pcap" index ip "128.138.44.198"
>
> I can usually tell timemachine is done writing to the output file because it switches from 0 bytes to 24 bytes, with 24 bytes indicating it didn't find anything.
>
> On a side note, when I add -e to tcpdump, I can see the class_* files contain the vlan tagging data.
>
> I had a student test against time machine running in a VM, and indexing worked fine, but I think he was picking up non-trunked packets.
>
> I suspect the vlan tagging is causing some problem with indexing. I guess I can just do what you are doing and skip using the indexes. Having Time Machine running without indexes is still better than not having it running.
>
> Tyler
>
> -----Original Message-----
> From: Aashish Sharma [mailto:asharma at lbl.gov]
> Sent: Monday, November 25, 2013 11:16 AM
> To: Tyler T. Schoenke
> Cc: time-machine at ICSI.Berkeley.EDU
> Subject: Re: [TM] 802.1q trunks and time machine
>
> * PGP Signed by an unknown key
>
> Hello Tyler,
>
> While I have indexes disabled at the moment, this is how I have configured an instance of the tm.conf (maybe you already have a similar setup):
>
> class "dns" {
>     filter "vlan and port 53";
>     ...
>     ..
>     ..
>     ..
> }
>
> Does this help?
>
> Aashish
>
> On Mon, Nov 25, 2013 at 10:57:08AM -0700, Tyler T. Schoenke wrote:
> >
> > Hi,
> >
> > My time machine indexes aren't working, and I suspect it is due to the
> > 802.1q trunk that the traffic is encapsulated in. How are people dealing
> > with trunk encapsulation? Are you stripping it off before it is fed to
> > time machine?
> > Thanks,
> >
> > Tyler
> >
> > --
> > Tyler Schoenke
> > Network Security Program Manager
> > IT Security Office
> > University of Colorado at Boulder
> > _______________________________________________
> > Time-Machine mailing list
> > Time-Machine at mailman.ICSI.Berkeley.EDU
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/time-machine
>
> --
> Aashish Sharma (asharma at lbl.gov)
> Cyber Security, Information Technology Division
> Lawrence Berkeley National Laboratory
> http://go.lbl.gov/pgp-aashish
> Office: (510)-495-2680 Cell: (510)-457-1525
>
> * Unknown Key
> * 0xE07251D6

--
Aashish Sharma (asharma at lbl.gov)
Cyber Security, Information Technology Division
Lawrence Berkeley National Laboratory
http://go.lbl.gov/pgp-aashish
Office: (510)-495-2680 Cell: (510)-457-1525
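Added example, not code from the Time Machine project or from anyone on this thread: a small Python frame parser and toy per-IP index that reproduce the symptom Tyler describes. In an 802.1q frame the 4-byte tag sits between the Ethernet source address and the IP header, so a decoder that expects the IPv4 ethertype (0x0800) at offset 12 sees 0x8100 instead and never extracts the addresses. The raw frame is still written to the capture (tcpdump -e shows the tag, and a capture filter of "vlan and host X" matches), but an IP-keyed query against the index returns nothing. The example goes a step beyond the thread by also unwrapping stacked 802.1ad/QinQ tags (0x88A8 and 0x9100 outer tags). All frames, MAC addresses, IP addresses (RFC 5737 192.0.2.0/24) and the dictionary index are constructed here; Time Machine's own index format and decoder are not modelled, so whether this is the actual cause of the failure on the list is an assumption, not a finding.

```python
"""Added example (not Time Machine code): parse Ethernet frames with and
without 802.1q tags and build a toy per-IP index from them, to show how a
VLAN-unaware decoder leaves tagged frames out of the index while the raw
frames are still present in the capture."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
# 802.1q, plus the 802.1ad and legacy QinQ outer-tag ethertypes (stacked tags)
VLAN_ETHERTYPES = {0x8100, 0x88A8, 0x9100}


def build_frame(src_ip, dst_ip, vlan_ids=(), dport=53):
    """Constructed test frame: Ethernet [+ one tag per vlan_id] + IPv4 + UDP.
    Stacked tags use 0x88A8 for the outer tags and 0x8100 for the innermost.
    MAC addresses are placeholders; IP/UDP checksums are left at zero."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tags = b""
    for i, vid in enumerate(vlan_ids):
        tpid = 0x8100 if i == len(vlan_ids) - 1 else 0x88A8
        tags += struct.pack("!HH", tpid, vid & 0x0FFF)   # TPID, then TCI (PCP/DEI zero)
    udp = struct.pack("!HHHH", 40000, dport, 8, 0)        # sport, dport, length, checksum
    ipv4 = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,          # ver/IHL, TOS, len, id, flags, TTL, UDP, csum
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    return eth + tags + struct.pack("!H", ETHERTYPE_IPV4) + ipv4 + udp


def parse_frame(frame, vlan_aware=True):
    """Return the L3/L4 fields an index would key on, or None if the frame is
    not decodable as IPv4.  vlan_aware=False models a decoder that expects the
    IPv4 ethertype at offset 12 and treats anything else as 'not IP'."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    vlans = []
    while ethertype in VLAN_ETHERTYPES:
        if not vlan_aware or len(frame) < offset + 4:
            return None
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        vlans.append(tci & 0x0FFF)                      # low 12 bits are the VLAN ID
        offset += 4                                      # skip TCI + next ethertype
    if ethertype != ETHERTYPE_IPV4 or len(frame) < offset + 20:
        return None
    ihl = (frame[offset] & 0x0F) * 4
    if ihl < 20 or len(frame) < offset + ihl:
        return None
    proto = frame[offset + 9]
    src = str(ipaddress.IPv4Address(frame[offset + 12:offset + 16]))
    dst = str(ipaddress.IPv4Address(frame[offset + 16:offset + 20]))
    dport = None
    l4 = offset + ihl
    if proto in (6, 17) and len(frame) >= l4 + 4:        # TCP or UDP: dport at +2
        (dport,) = struct.unpack_from("!H", frame, l4 + 2)
    return {"vlans": vlans, "src": src, "dst": dst, "proto": proto, "dport": dport}


def build_ip_index(frames, vlan_aware=True):
    """Toy IP index: address -> list of frame numbers.  Frames the decoder
    rejects stay in `frames` (the capture) but never reach the index."""
    index = {}
    for n, frame in enumerate(frames):
        hdr = parse_frame(frame, vlan_aware)
        if hdr is None:
            continue
        for ip in (hdr["src"], hdr["dst"]):
            index.setdefault(ip, []).append(n)
    return index


def query_ip(index, ip):
    """Frame numbers for `ip`; an empty list is the 'nothing found' result."""
    return index.get(ip, [])


if __name__ == "__main__":
    # Constructed capture: one untagged frame, one on VLAN 100, one QinQ (200 outer / 100 inner).
    capture = [
        build_frame("192.0.2.10", "192.0.2.53"),
        build_frame("192.0.2.20", "192.0.2.53", vlan_ids=(100,)),
        build_frame("192.0.2.30", "192.0.2.53", vlan_ids=(200, 100)),
    ]
    for aware in (False, True):
        idx = build_ip_index(capture, vlan_aware=aware)
        print(f"vlan_aware={aware}: 192.0.2.20 -> {query_ip(idx, '192.0.2.20')}, "
              f"192.0.2.30 -> {query_ip(idx, '192.0.2.30')}")
```

Run stand-alone it prints the index lookups twice: with the VLAN-unaware decoder the two tagged hosts resolve to nothing even though their frames are in the capture, with the aware decoder they resolve to frame numbers. On a real sensor the equivalent check is the one in the thread (tcpdump -e against the class file to confirm the tag is present), and the two fixes are the ones Tyler asks about: either the indexer skips the tag itself, or the tag is stripped before the packet reaches it.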