[Bro-Dev] [JIRA] (TM-16) Index not working when traffic encapsulated in 802.1q trunk

tyler.schoenke (JIRA) jira at bro-tracker.atlassian.net
Mon Feb 24 08:19:19 PST 2014 

    [ https://bro-tracker.atlassian.net/browse/TM-16?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15600#comment-15600 ] 

tyler.schoenke commented on TM-16:
----------------------------------

Hi Marek,

I applied the patch, and TM appears to have stopped processing all traffic.  I haven't seen any class_ files created since I restarted after the patch.  The classes.timemachine.log shows no traffic being processed.  The timemachine.log shows large numbers of dropped packets.  Are there any configuration changes that I need to make?

Here is a snippet of timemachine.log
1392643850.162819 main: TimeMachine version 0.1-4
1392643850.205792 main: Forking Daemon
1392643850.451616 main: capture started, capture thread
1392643850.452585 main: Index aggregation thread started
1392643850.452748 main: WARNING: Broccoli support not compiled in.

1392643850.452820 rmtconsole: socket ready, listening on port 42042
1392643850.534348 DROP: we dropped packets: 29181
1392644450.534820 DROP: we dropped packets: 8101887
1392645050.535250 DROP: we dropped packets: 3161247
1392645650.535675 DROP: we dropped packets: 8930749
1392646250.536146 DROP: we dropped packets: 16047665
1392646850.536640 DROP: we dropped packets: 12984575
1392647450.537066 DROP: we dropped packets: 20603271
1392648050.537473 DROP: we dropped packets: 18935480
	
Thanks,

Tyler



> Index not working when traffic encapsulated in 802.1q trunk
> -----------------------------------------------------------
>
>                 Key: TM-16
>                 URL: https://bro-tracker.atlassian.net/browse/TM-16
>             Project: Time Machine
>          Issue Type: Problem
>    Affects Versions: git/master
>         Environment: Ubuntu 10.04 , pf_ring
>            Reporter: tyler.schoenke
>              Labels: 802.1Q, indexes
>         Attachments: tm-16.patch
>
>
> Hi All,
> When I query the time machine index, I am not receiving any results.
> I just restarted time machine, and checked one of the recent class files to see there is traffic for a particular IP address.
> tcpdump -e -v -n -r class_all_1385406639.023206 "vlan and host 128.138.44.198"
> It shows some traffic, example:
>     128.138.44.198.54014 > 74.125.225.209.443: Flags [.], cksum 0x8d2c (correct), seq 1283940799:1283940800, ack 615539104, win 16311, length 1
> 19:11:00.571731632 10:8c:cf:57:46:00 > 00:1d:09:6a:d9:a9, ethertype 802.1Q (0x8100), length 70: vlan 987, p 0, ethertype IPv4, (tos 0x0, ttl 56, id 17482, offset 0, flags [none], proto TCP (6), length 52)
> When I telnet localhost 42042 and run the following command, I don't receive any results.
> query to_file "128.138.44.198.pcap" index ip "128.138.44.198"
> In the above tcpdump, you can see my traffic is 802.1Q trunked.  I have to use the "vlan" BPF to extract it with tcpdump, and am wondering if the trunking is causing problems with indexing?   
> I tested the same version of time machine on non-trunked traffic, and the index works fine.
> Let me know if you need any other configuration info.
> Tyler



--
This message was sent by Atlassian JIRA
(v6.2-OD-09-036#6252)

More information about the bro-dev mailing list