> On 13 Oct 2017, at 11:55, Stuart Henderson <s...@spacehopper.org> wrote:
> 
> On 2017/10/12 13:23, kasak wrote:
>> 
>>> On 12 Oct 2017, at 11:29, Stuart Henderson <s...@spacehopper.org> wrote:
>>> 
>>> On 2017/10/12 09:13, kasak wrote:
>>>> I have tried different option but it seems that ntopng will not work
>>>> more than 3-5 minutes. It simply crashes without any output.
>>> 
>>> How does the backtrace look?
>>> 
>>> It worked last time I used it, but that was a while ago.
>>> 
>>>> And it seems that I am facing this bug:
>>>> https://github.com/ntop/ntopng/issues/710
>>>> I also have tons of suspicious activity. Adding -H option disables alerts 
>>>> but ntopng continues to crash. 
>>>> It is crashing both in 6.1 and 6.2. I have simple configuration with em0 
>>>> connected to internet and em1 connected to lan. Stop of course started on 
>>>> em1. 
>>>> Can anybody confirm? 
>>> 
>>> Seems they moved to github so portroach didn't find the update for me.
>>> I'll take a look at updating the port sometime, if anyone wants to beat me
>>> to it, be very careful with the bpf_timeval mess in patches.
>>> 
>> 
>> Hello Stuart! I am afraid I can’t look at backtrace, I am running ntopng 
>> from packages and don’t really know how to do it. 
>> I have tried to start it right now and it crashed after 20-30 seconds. Here 
>> is log file:
>> 
>> 12/Oct/2017 13:17:36 [Ntop.cpp:1121] Setting local networks to 
>> 192.168.2.0/23,192.168.200.0/24
>> 12/Oct/2017 13:17:36 [Redis.cpp:92] Successfully connected to redis 
>> 127.0.0.1:6379@0
>> 12/Oct/2017 13:17:36 [Ntop.cpp:1095] Parent process is exiting (this is 
>> normal)
>> 12/Oct/2017 13:17:36 [PcapInterface.cpp:85] Reading packets from interface 
>> em1...
>> 12/Oct/2017 13:17:36 [Ntop.cpp:1267] Registered interface em1 [id: 0]
>> 12/Oct/2017 13:17:36 [Ntop.cpp:1279] Registered interface view em1 [id: 0]
>> 12/Oct/2017 13:17:36 [main.cpp:255] PID stored in file 
>> /var/run/ntopng/ntopng.pid
>> 12/Oct/2017 13:17:36 [Utils.cpp:353] User changed to _ntopng
>> 12/Oct/2017 13:17:36 [HTTPserver.cpp:464] HTTPS Disabled: missing SSL 
>> certificate /etc/ssl/ntopng-cert.pem
>> 12/Oct/2017 13:17:36 [HTTPserver.cpp:466] Please read 
>> https://github.com/ntop/ntopng/blob/dev/doc/README.SSL if you want to enable 
>> SSL.
>> 12/Oct/2017 13:17:36 [HTTPserver.cpp:509] Web server dirs 
>> [/usr/local/share/ntopng/httpdocs][/usr/local/share/ntopng/scripts]
>> 12/Oct/2017 13:17:36 [HTTPserver.cpp:512] HTTP server listening on port 3000
>> 12/Oct/2017 13:17:36 [main.cpp:295] Working directory: /home/ntop
>> 12/Oct/2017 13:17:36 [main.cpp:297] Scripts/HTML pages directory: 
>> /usr/local/share/ntopng
>> 12/Oct/2017 13:17:36 [Ntop.cpp:271] Welcome to ntopng amd64 v.2.4.171002 - 
>> (C) 1998-2016 ntop.org
>> 12/Oct/2017 13:17:36 [PeriodicActivities.cpp:53] Started periodic activities 
>> loop...
>> 12/Oct/2017 13:17:36 [Ntop.cpp:531] Adding 192.168.2.0/23 as IPv4 local 
>> network for em1
>> 12/Oct/2017 13:17:36 [NetworkInterface.cpp:1536] Started packet polling on 
>> interface em1 [id: 0]…
>> 
>> And here is rc.conf.local string: 
>> ntopng_flags=-i em1 -m 192.168.2.0/23,192.168.200.0/24 -d /home/ntop
> 
> Run it in the foreground:
> 
> # gdb `which ntopng`
> GNU gdb 6.3
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "amd64-unknown-openbsd6.2"...
> (gdb) set args -i em1 -m 192.168.2.0/23,192.168.200.0/24 -d /home/ntop
> (gdb) r
> Starting program: /usr/local/bin/ntopng -i em1 -m 
> 192.168.2.0/23,192.168.200.0/24 -d /home/ntop
> [...]
> 
> When it crashes, type "bt full" and paste the output here. This *might*
> give enough clues to track it down - but it's not worth doing a bigger
> investigation when there's a newer version upstream already.
> 
> 20-30 seconds makes it sound like it is crashing due to some traffic
> that it's seeing.
> 

Oh thanks! 
Under control of the debugger it was alive for 25 minutes; after that it showed this:

Program received signal SIGSEGV, Segmentation fault.
[Switching to thread 230063]
strchr () at /usr/src/lib/libc/arch/amd64/string/strchr.S:58
58      /usr/src/lib/libc/arch/amd64/string/strchr.S: No such file or directory.
        in /usr/src/lib/libc/arch/amd64/string/strchr.S
Current language:  auto; currently asm
(gdb) 

And here is bt full:

#0  strchr () at /usr/src/lib/libc/arch/amd64/string/strchr.S:58
No locals.
#1  0x00001ff16d963714 in Flow::dissectHTTP (this=0x1ff4222c5000, 
    src2dst_direction=true, 
    payload=0x1ff429770f84 
"data=%7B%22H%22%3A%22systemstatehub%22%2C%22M%22%3A%22GetConnectionsState%22%2C%22A%22%3A%5B%5D%2C%22I%22%3A1746%7D\n%?\234\221԰U\204"
 <Address 0x1ff429771000 out of bounds>, payload_len=115) at string.h:74
        space = 0x1ff429770c3f " 
tvema.filter.calculationPeriodicity.railwayCode=24; 
tvema.filter.calculationPeriodicity.numberPch=4; 
tvema.filter.calculationPeriodicity.year=2017; 
tvema.calculationPeriodicity.calculation=0; tvema.f"...
        h = (HTTPstats *) 0x0
#2  0x00001ff16d94c677 in NetworkInterface::processPacket (
    this=0x1ff417aa71d0, when=0x1ff4516299e8, time=1507893722498, 
    eth=0x1ff429770f4e, vlan_id=0, iph=0x1ff429770f5c, ip6=0x0, ipsize=155, 
    rawsize=169, h=0x1ff4516299e8, packet=0x1ff429770f4e "", 
    shaped=0x1ff3bcbc438d, ndpiProtocol=0x1ff3bcbc438e)
    at src/NetworkInterface.cpp:919
        ndpi_flow = (ndpi_flow_struct *) 0x1ff42ab87800
        dump_is_unknown = false
        src2dst_direction = true
        l4_proto = 6 '\006'
        flow = (class Flow *) 0x1ff4222c5000
        eth_src = (u_int8_t *) 0x1ff429770f54 "???\226!)\b"
        eth_dst = (u_int8_t *) 0x1ff429770f4e ""
        src_ip = {addr = {ipVersion = 4 '\004', localHost = 0 '\0', 
    privateIP = 1 '\001', multicastIP = 0 '\0', broadcastIP = 0 '\0', 
    notUsed = 0 '\0', ipType = {ipv6 = {u6_addr = {
          u6_addr8 = 0x1ff3bcbc3f4c "??\003\005", u6_addr16 = 0x1ff3bcbc3f4c, 
          u6_addr32 = 0x1ff3bcbc3f4c}}, ipv4 = 84125888}}, ip_key = 3232236293}
        dst_ip = {addr = {ipVersion = 4 '\004', localHost = 0 '\0', 
    privateIP = 0 '\0', multicastIP = 0 '\0', broadcastIP = 0 '\0', 
    notUsed = 0 '\0', ipType = {ipv6 = {u6_addr = {
          u6_addr8 = 0x1ff3bcbc3f34 "??p\n", u6_addr16 = 0x1ff3bcbc3f34, 
          u6_addr32 = 0x1ff3bcbc3f34}}, ipv4 = 175172052}}, 
  ip_key = 3572068362}
        src_port = 23777
        dst_port = 38943
        payload_len = 115
        tcph = (ndpi_tcphdr *) 0x1ff429770f70
        udph = (ndpi_udphdr *) 0x0
        l4_packet_len = 135
        l4 = (
    u_int8_t *) 0x1ff429770f70 "?\\\037\230c\226\022?\033?\204&P\030>ÿq"
        tcp_flags = 24 '\030'
        payload = (
    u_int8_t *) 0x1ff429770f84 
"data=%7B%22H%22%3A%22systemstatehub%22%2C%22M%22%3A%22GetConnectionsState%22%2C%22A%22%3A%5B%5D%2C%22I%22%3A1746%7D\n%?\234\221԰U\204"
 <Address 0x1ff429771000 out of bounds>
        ip = (u_int8_t *) 0x1ff429770f5c "E"
        is_fragment = false
        new_flow = false
        pass_verdict = true
        a_shaper_id = 0
        b_shaper_id = 0
#3  0x00001ff16d94e81d in NetworkInterface::dissectPacket (
    this=0x1ff417aa71d0, h=0x1ff4516299e8, packet=0x1ff429770f4e "", 
    shaped=0x1ff3bcbc438d, ndpiProtocol=0x1ff3bcbc438e)
    at src/NetworkInterface.cpp:1403
        frag_off = 16384
        iph = (ndpi_iphdr *) 0x1ff429770f5c
        ip6 = (ndpi_ipv6hdr *) 0x0
        ba = (class std::bad_alloc &) @0x1ff451629020: {<std::exception> = {
    _vptr$exception = 0x1ff3a42d40e0}, <No data fields>}
        srcHost = (class Host *) 0x1ff3a468d000
        dstHost = (class Host *) 0x1ff3d5834000
        lasttime = 1507893722498
        oom_warning_sent = false
        oom_warning_sent = false
        ethernet = (ndpi_ethhdr *) 0x1ff429770f4e
        dummy_ethernet = {h_dest = 0x1ff3bcbc4290 "?B???\037", 
  h_source = 0x1ff3bcbc4296 "", h_proto = 8180}
        time = 1507893722498
        eth_type = 2048
        ip_offset = 14
        vlan_id = 0
        eth_offset = 0
        null_type = 3976623104
        pcap_datalink_type = 1
        pass_verdict = true
#4  0x00001ff16d902e3b in _ZL14packetPollLoopPv (ptr=0x1ff417aa71d0)
    at src/PcapInterface.cpp:187
        p = 7
        shaped = false
        pkt = (const u_char *) 0x1ff429770f4e ""
        hdr = (pcap_pkthdr *) 0x1ff4516299e8
        rc = 1
        iface = (PcapInterface *) 0x1ff417aa71d0
        pd = (pcap_t *) 0x1ff451629800
        pcap_list = (FILE *) 0x0
#5  0x00001ff3cbfeacae in _rthread_start (v=Variable "v" is not available.
)
    at /usr/src/lib/librthread/rthread.c:96
        retval = (void *) 0x0
#6  0x00001ff43673de0b in __tfork_thread ()
    at /usr/src/lib/libc/arch/amd64/sys/tfork_thread.S:75
No locals.
#7  0x0000000000000000 in ?? ()
No symbol table info available.
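
Added example, not part of the thread and not ntopng's code: frame #1 shows strchr() faulting under Flow::dissectHTTP on a payload with payload_len=115 that gdb prints as running into an out-of-bounds address. Assuming the cause is an unbounded string search over a packet buffer that is not NUL-terminated, a length-bounded request-line parse looks like this (`struct span`, `parse_request_line` and the sample inputs are hypothetical names and constructed data):

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Slice into the packet buffer; never NUL-terminated. */
struct span { const uint8_t *ptr; size_t len; };

/* Bounded parse of "METHOD SP URL SP ..." from a captured TCP payload.
 * Returns 1 and fills method/url on success, 0 if the segment is not a
 * request line (for example a continuation of a POST body). Every search
 * is limited by the captured length, so no byte past payload+len is read. */
int parse_request_line(const uint8_t *payload, size_t len,
                       struct span *method, struct span *url)
{
    const uint8_t *sp1, *sp2, *end;

    if (payload == NULL || len == 0)
        return 0;
    end = payload + len;

    /* memchr() stops after len bytes; strchr() keeps going until a NUL. */
    sp1 = memchr(payload, ' ', len);
    if (sp1 == NULL || sp1 == payload)
        return 0;

    sp2 = memchr(sp1 + 1, ' ', (size_t)(end - (sp1 + 1)));
    if (sp2 == NULL || sp2 == sp1 + 1)
        return 0;

    method->ptr = payload;  method->len = (size_t)(sp1 - payload);
    url->ptr = sp1 + 1;     url->len = (size_t)(sp2 - (sp1 + 1));
    return 1;
}

/* Constructed sample inputs (not captured traffic). BODY_SEGMENT mimics a
 * mid-stream POST body like the one in frame #1: no space, no NUL. */
static const uint8_t REQUEST[] = "GET /status HTTP/1.1\r\n";
static const uint8_t BODY_SEGMENT[] = { 'd','a','t','a','=','%','7','B','%','2','2','H' };

int main(void)
{
    struct span m, u;
    int ok = parse_request_line(REQUEST, sizeof(REQUEST) - 1, &m, &u);
    int body = parse_request_line(BODY_SEGMENT, sizeof(BODY_SEGMENT), &m, &u);
    return (ok == 1 && body == 0) ? 0 : 1;
}
```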
