Snort mailing list archives
Re: OPENFPC Proxy merge
From: Kevin Ross <kevross33 () googlemail com>
Date: Mon, 6 Jan 2014 15:05:28 +0000
Oh just for some clarity in case someone is looking at this to fix their instance; the .so only was a typo on my part when copying the file missing the .0 off the end. So basically the .2 stuff is what it is now but both libwsutil and libwiretap is looking for .so.0 so doing a find for the file and then copying it into the filename it is looking for fixed it for me. Obviously when wireshark was updated which provides these for mergecap it changed. find / -name "*libwsutil*" /usr/lib64/libwsutil.so.2 */usr/lib64/libwsutil.so* <<< typo and wasn't there by default /usr/lib64/libwsutil.so.2.0.0 Thanks again for all your help, Kevin On 6 January 2014 12:14, Kevin Ross <kevross33 () googlemail com> wrote:
Yipeee I got it working (at least on one local collector but I imagine I will get it working on my other one and the web interface will work). I got the following 2 errors (the second came up after I fixed the first) Merge command is "/usr/bin/mergecap -w /tmp/1389009687-2.pcap /tmp/mN8Mph4zQ0/1389009687-2.pcap-1389009508.pcap" /usr/bin/mergecap: error while loading shared libraries: libwiretap.so.0: cannot open shared object file: No such file or directory Merge command is "/usr/bin/mergecap -w /tmp/1389010129-2.pcap /tmp/l9uKBGa8q1/1389010129-2.pcap-1389009904.pcap" /usr/bin/mergecap: error while loading shared libraries: libwsutil.so.0: cannot open shared object file: No such file or directory Now doing a find on them returned this pretty much for both of them (with the respective library). find / -name "*libwsutil*" /usr/lib64/libwsutil.so.2 /usr/lib64/libwsutil.so /usr/lib64/libwsutil.so.2.0.0 Doing cp /usr/lib64/libwsutil.so /usr/lib64/libwsutil.so.0 for each of them respectively (so the libwiretap too) so it could find the file seems to have fixed this. I guess a wireshark update in Centos 6.4 changed the naming and thus broke it as wireshark provides these. Thanks for taking the time to help me out. Kindest Regards, Kevin Ross On 30 December 2013 11:39, Leon Ward <lward () sourcefire com> wrote:Hi Kevin, It's likely that there are some errors in syslog you can use to work out what's causing the problem. If there is nothing obvious in syslog you could start the queue daemon in debug mode, however make sure you run it in the context of the same user that starts the daemon itself; In my case that's a user called 'openfpc'. The most simple method would be to "sudo" to the user, and then run the following interactively on the console. lward@Dev:~$ sudo -i # for root access root@Dev:~# sudo -u openfpc /bin/bash # Interactive shell as the openfpc user bash: /root/.bashrc: Permission denied openfpc@Dev:~$ whoami openfpc openfpc@Dev:~$ openfpc-queued -c /etc/openfpc/openfpc-default.conf --debug Mon Dec 30 11:27:04 2013 GMT: NONAME DEBUG Enabled Mon Dec 30 11:27:04 2013 GMT: Default_Node DEBUG: SHA1 passwords enabled - Reading /etc/openfpc/openfpc.passwd Mon Dec 30 11:27:04 2013 GMT: Default_Node DEBUG: Adding user "admin" PassHash "XXXX" Mon Dec 30 11:27:04 2013 GMT: Default_Node DEBUG: Adding user "openfpc" PassHash "XXXX" Mon Dec 30 11:27:04 2013 GMT: Default_Node START: *********** OpenFPC 0.6 ********** Mon Dec 30 11:27:04 2013 GMT: Default_Node START: ** http://www.openfpc.org ** Mon Dec 30 11:27:04 2013 GMT: Default_Node START: Starting OFPC Node "Default_Node" as an OpenFPC Node Mon Dec 30 11:27:04 2013 GMT: Default_Node DEBUG: Node Description: "An OpenFPC node. www.openfpc.org" Mon Dec 30 11:27:04 2013 GMT: Default_Node DEBUG: Enabled : y Mon Dec 30 11:27:04 2013 GMT: Default_Node DEBUG: local savedir : /tmp Mon Dec 30 11:27:04 2013 GMT: Default_Node DEBUG: Buffer Path : /var/tmp/openfpc/pcap Mon Dec 30 11:27:04 2013 GMT: Default_Node DEBUG: mergecap : /usr/bin/mergecap Mon Dec 30 11:27:04 2013 GMT: Default_Node DEBUG: tcpdump : /usr/sbin/tcpdump Mon Dec 30 11:27:04 2013 GMT: Default_Node DEBUG: Keep files : 0 Mon Dec 30 11:27:04 2013 GMT: Default_Node START: Starting listener on TCP:4242 <snip> Then make your request. You'll see something like the below take place. The exact output will vary because I'm running a different version to you: Mon Dec 30 11:30:51 2013 GMT: Default_Node COMMS: 127.0.0.1: RID: 2 Fetch Request OK -> WAIT! Mon Dec 30 11:30:51 2013 GMT: Default_Node NODE : Request: 2 User: admin Action: fetch BPF: host 192.168.43.1 Mon Dec 30 11:30:51 2013 GMT: Default_Node DEBUG: WARNING vdebug not enabled to inspect pcap filename selection Mon Dec 30 11:30:51 2013 GMT: Default_Node DEBUG: PCAP roster (2 files in total) for extract is: /var/tmp/openfpc/pcap/openfpc-Default_Node.pcap.1387894639 /var/tmp/openfpc/pcap/openfpc-Default_Node.pcap.1387886703 Mon Dec 30 11:30:51 2013 GMT: Default_Node DEBUG: Doing Extraction with BPF host 192.168.43.1 into tempdir /tmp/IUriAdyGjy Mon Dec 30 11:30:51 2013 GMT: Default_Node EXTR : Merge command is "/usr/bin/mergecap -w /tmp/1388403051-2.pcap /tmp/IUriAdyGjy/1388403051-2.pcap-1387894639.pcap /tmp/IUriAdyGjy/1388403051-2.pcap-1387886703.pcap" Mon Dec 30 11:30:51 2013 GMT: Default_Node NODE : Request: 2 User: admin Result: 1388403051-2.pcap, 24, ab487d36057d446b6a8b72091da72f23 Mon Dec 30 11:30:51 2013 GMT: Default_Node COMMS: 2 127.0.0.1 Sending File:/tmp/1388403051-2.pcap MD5: ab487d36057d446b6a8b72091da72f23 Mon Dec 30 11:30:51 2013 GMT: Default_Node COMMS: Uploaded 1 x 1KB chunks Mon Dec 30 11:30:51 2013 GMT: Default_Node COMMS: 127.0.0.1 Request: 2 : Transfer complete Mon Dec 30 11:30:51 2013 GMT: Default_Node COMMS: 127.0.0.1 Request: 2 : Cleaning up. Cheers -Leon On 19 December 2013 10:49, Kevin Ross <kevross33 () googlemail com> wrote:Something else to note is that I have checked the traffic is there and then requested using the openfpc-client tool. When I do ps aux | grep tcpdump when I have made the request (using a second shell) I can see tcpdump processes going through the PCAPs with the correct filters as I would expect. it just doesn't seem to get the traffic back out. On 19 December 2013 08:31, Kevin Ross <kevross33 () googlemail com> wrote:Hi, Yup confirmed data is definately in those PCAPs I am requesting using tcpdump. When I request for the same data using the openfpc-client tool it does not work. How do I enable more debug/where do I look for more information for what it is having issues with (as -d isn't showing me the failure reason). Thanks, Kevin On 18 December 2013 15:49, Jeremy Hoel <jthoel () gmail com> wrote:If you go to where you pcaps are kept and look at them, can you tcpdump the packets that you are looking for? Let's make sure the data is there. Once that works we can turn on debug for a few more things. Adding the debug to the client doesn't always turn it on for the other parts. On Dec 18, 2013 6:11 AM, "Kevin Ross" <kevross33 () googlemail com> wrote:Hi, Still no luck with it and no idea what is actuall wrong. I have tried debug run directly on the hosts (the capture nodes) ----Config---- Server : localhost Port : 4242 User : REMOVED Action : fetch Logtype : auto Logline : 0 Filename : /tmp/out.pcap SumType : 0 Last : 30 stime : 1387371705 Wed Dec 18 13:01:45 2013 etime : 1387371735 Wed Dec 18 13:02:15 2013 * openfpc-client 0.6 * Part of the OpenFPC project Logline created from session IDs: ofpc-v1 type:search sip:REMOVED stime:1387371705 etime:1387371735 timestamp: Password for user fpc : DEBUG: Connected to localhost DEBUG: Sent Request Problem processing request: 0 I thought maybe it was an SELINUX issue so I have both relabelled the filesystem and then after that not working I have disabled SELINUX but still doesn't work. It is running according to status & also it is making captures on the disk fine. Thanks, Kevin On 17 December 2013 20:32, Leon Ward <lward () sourcefire com> wrote:Trying to send again. I don't think the 1st try made it to the list... On 17 December 2013 12:09, Joel Esler (jesler) <jesler () cisco com>wrote:Forwarded to the developer.Yeah, that would be me - although I'm fighting to find any time to look at it right now so it's becoming a little out of date. I've got a long todo list to work though. Are there any logs you could share to help work out what could be broken? I suggest you start up the openfpc daemon interactively with --debug and make the request again. -LOn Dec 17, 2013, at 11:25 AM, Kevin Ross <kevross33 () googlemail com> wrote:Hi, Running openfpc. Was working fine for months and months and nowthis when I try and get a PCAP (nothing changed aside from maybe updates: unable to proxy-mergeHas anyone run into this (I am asking on this userlist as it wasa sourcefire employee made tool :)Thanks, Kevin------------------------------------------------------------------------------Rapidly troubleshoot problems before they affect your business.Most ITorganizations don't have a clear picture of how applicationperformanceaffects their revenue. With AppDynamics, you get 100% visibilityinto yourJava,.NET, & PHP application. Start your 15-day FREE TRIAL ofAppDynamics Pro!http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk_______________________________________________Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive:http://sourceforge.net/mailarchive/forum.php?forum_name=snort-usersPlease visit http://blog.snort.org to stay current on all thelatest Snort news! ------------------------------------------------------------------------------ Rapidly troubleshoot problems before they affect your business. Most IT organizations don't have a clear picture of how application performance affects their revenue. With AppDynamics, you get 100% visibility into your Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro! http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!------------------------------------------------------------------------------ Rapidly troubleshoot problems before they affect your business. Most IT organizations don't have a clear picture of how application performance affects their revenue. With AppDynamics, you get 100% visibility into your Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro! http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Rapidly troubleshoot problems before they affect your business. Most IT organizations don't have a clear picture of how application performance affects their revenue. With AppDynamics, you get 100% visibility into your Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro! http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: OPENFPC Proxy merge Kevin Ross (Jan 06)
- Re: OPENFPC Proxy merge Kevin Ross (Jan 06)