Gentoo Forums
Network Monitoring issues - Solved
Hydrix
n00b

Joined: 15 Mar 2006
Posts: 11
Location: Grass Valley, CA

Posted: Tue May 09, 2006 7:54 pm    Post subject: Network Monitoring issues - Solved

Hello, I have added a gentoo box on our office network for monitoring purposes, and it has been a very powerful tool for me using iptraf and nethogs.

However, recently, it stopped working. It appears now that the system will only show traffic that is being sent to or from this machine, and is no longer displaying all information from the network.

This has happened on a similar box on my home network as well. Was something changed? I have verified that iptraf is still in promiscuous mode, however, it is just not working like it did before.

Thanks in advance,

Jeff


Last edited by Hydrix on Fri May 12, 2006 8:04 pm; edited 1 time in total

widan
Veteran

Joined: 07 Jun 2005
Posts: 1512
Location: Paris, France

Posted: Tue May 09, 2006 10:19 pm    Post subject: Re: Network Monitoring issues

Hydrix wrote:
However, recently, it stopped working. It appears now that the system will only show traffic that is being sent to or from this machine, and is no longer displaying all information from the network.

Was there some change in network equipment? Also what is the network configuration? (monitor machine acting as a router? or just connected like the other machines? to a hub? to a switch?) If the monitor machine was plugged into a hub, and the hub was replaced with a switch, it won't be able to see the traffic anymore.

Hydrix wrote:
I have verified that iptraf is still in promiscuous mode, however, it is just not working like it did before.

Promiscuous just disables the MAC address filtering on the NIC. If a switch was introduced in the network, it will act like an isolator between the monitor machine and the rest of the network (a switch only forwards packets to the port the destination machine is connected to, so the monitor machine will not see anything).

Hydrix
n00b

Joined: 15 Mar 2006
Posts: 11
Location: Grass Valley, CA

Posted: Wed May 10, 2006 8:08 pm    Post subject:

There was no change in the network equipment. This monitoring computer is attached to a hub that sits between our DSL router and our internal firewall/router (Microsoft ISA server). The monitoring computer originally could see all traffic between our ISA server and the DSL router.

This appeared to stop working after doing an emerge --update about 2 weeks ago. I am very new to Linux, so I am certain that it was something I have done.

Hydrix
n00b

Joined: 15 Mar 2006
Posts: 11
Location: Grass Valley, CA

Posted: Wed May 10, 2006 8:30 pm    Post subject:

It appears as if recently some configuration option was changed to not allow the NIC to receive packets for which it is not the destination?

I am getting these same results using any software that sniffs the packets off the network. They are only seeing packets going to/from this machine. Was some default configuration option changed to disable this functionality?

I am certainly lost here, things were working great until recently.

widan
Veteran

Joined: 07 Jun 2005
Posts: 1512
Location: Paris, France

Posted: Wed May 10, 2006 9:10 pm    Post subject:

Hydrix wrote:
This appeared to stop working after doing an emerge --update about 2 weeks ago.

Did you update the kernel at that time too? Also was libpcap updated during the emerge (look at /var/log/emerge.log to know that)?

Also you can try to set promiscuous mode manually ("ifconfig eth0 promisc"). You can look in dmesg to check if promiscuous mode is enabled correctly on the interface, there will be messages like "device ath0 entered promiscuous mode".

Hydrix
n00b

Joined: 15 Mar 2006
Posts: 11
Location: Grass Valley, CA

Posted: Wed May 10, 2006 10:06 pm    Post subject:

widan wrote:
Did you update the kernel at that time too? Also was libpcap updated during the emerge (look at /var/log/emerge.log to know that)?


I did update the kernel, however booting to the previous kernel (2.6.15-gentoo-r1) had no different results. There is no reference to libpcap in my emerge.log, except when I originally downloaded it as a requirement for nethogs.

The packages that were updated were:

dev-perl/Net-Daemon-0.38
perl-core/Storable-2.15
virtual/perl-Storable-2.15
dev-perl/PlRPC-0.2018
dev-perl/DBI-1.50
virtual/perl-Test-Harness
dev-perl/DBD-Pg-1.43
app-admin/webmin
sys-devel/gcc-config-1.3.13-r2
sys-libs/glibc-2.3.6-r3
app-misc/pax-utils-0.1.11-r1
sys-apps/portage-2.0.54
www-client/lynx-2.8.5-r2
sys-kernel/gentoo-sources-2.6.16-r3
app-editors/nano-1.3.9
net-misc/rsync-2.6.0-r6


widan wrote:

Also you can try to set promiscuous mode manually ("ifconfig eth0 promisc"). You can look in dmesg to check if promiscuous mode is enabled correctly on the interface, there will be messages like "device ath0 entered promiscuous mode".


I had tried this earlier and did not get any result.

Code:
rcs-cab-ws04a ~ # ifconfig eth0 promisc
rcs-cab-ws04a ~ # ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:04:76:35:98:23
            inet addr:10.2.100.4  Bcast:10.2.255.255 Mask:255.255.0.0
            UP BROADCAST NOTRAILERS RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
            RX packets:659 errors:0 dropped:0 overruns:0 frame:0
            TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:1000
            RX bytes:194413 (189.8 Kb)  TX bytes:650 (650.0b)
            Interrupt:18 Base address:0x4000

However, I do not see any message in dmesg regarding promiscuous mode. I was relying on the fact that PROMISC showed up in ifconfig eth0, I do not know if this means that it has been enabled successfully.

The packet counts are extremely low. I am at home now, the computer here is plugged into a 16 port hub, and I have 7 other computers connected. Before that emerge (I believe that is the cause, as it broke both at work and at home around the same time) I could see all traffic going to/from any of the computers. I have been transferring files back and forth, the RX packet count should be much higher.

I very much appreciate your help, do you have any more suggestions?

thepustule
Apprentice

Joined: 22 Feb 2004
Posts: 212
Location: Toronto, Canada

Posted: Thu May 11, 2006 3:47 pm    Post subject:

Have you tried a different hub?

I have a weird hub here that sometimes behaves switch-like. Especially when you have one machine on 10megabit and another on 100.

Hydrix
n00b

Joined: 15 Mar 2006
Posts: 11
Location: Grass Valley, CA

Posted: Thu May 11, 2006 4:24 pm    Post subject:

I have not tried a different hub, as it didn't seem likely that both of the monitoring boxes' hubs stopped working. These two systems are at two separate locations, on two separate networks. Both are acting the same.

I have actually just tried this on 3 other computers and it is not working on any computer that has been updated in the past month or so. It is working fine on an older box. I'm so confused.

I will try to replace the hub and see what difference this makes.

Thanks.

thepustule
Apprentice

Joined: 22 Feb 2004
Posts: 212
Location: Toronto, Canada

Posted: Thu May 11, 2006 4:36 pm    Post subject:

Yeah that makes sense - unlikely it is the hub if it is happening everywhere.

I'll tell you one thing - I'll be waiting for a while before upgrading the core stuff. The recent php and openvpn changes have been enough to deal with.

Hydrix
n00b

Joined: 15 Mar 2006
Posts: 11
Location: Grass Valley, CA

Posted: Fri May 12, 2006 8:06 pm    Post subject:

Well I am not entirely sure what fixed it, I have made many configuration changes today with nothing making a difference. Then I go back to move it to my original hub, and found that I had replaced the hub with a switch yesterday (why does Linksys make their 4 port switches so small, cute and hublike). After re-routing cabling to the old hub everything is working. It could have been one of the many configuration changes I made today or yesterday.
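
The hub-versus-switch distinction explained earlier in the thread, and the cause found in the last post, can be read off the capture itself. The following is an added example, not part of the thread: it classifies captured Ethernet frames by destination MAC and reports whether the interface is on a shared segment, is filtering at the NIC, or is promiscuous but isolated by a switch. `OWN` is the eth0 HWaddr from the ifconfig output in the thread; the `HOST_*` MACs and the sample frames are constructed.

```python
import socket
import sys

IFF_PROMISC = 0x100                      # interface flag bit from <linux/if.h>
OWN = bytes.fromhex("000476359823")      # eth0 HWaddr from the ifconfig output above
HOST_A = bytes.fromhex("02000000000a")   # constructed MACs of two other hosts
HOST_B = bytes.fromhex("02000000000b")

def classify(frame, own_mac):
    """Sort one Ethernet frame by who it is addressed to."""
    dst, src = frame[0:6], frame[6:12]
    if dst == b"\xff" * 6:
        return "broadcast"
    if dst[0] & 1:                       # group bit set: multicast
        return "multicast"
    if own_mac in (dst, src):
        return "own"
    return "foreign"                     # unicast between two other hosts

def diagnose(frames, own_mac, promisc):
    counts = dict.fromkeys(("broadcast", "multicast", "own", "foreign"), 0)
    for f in frames:
        if len(f) >= 14:                 # skip anything shorter than an Ethernet header
            counts[classify(f, own_mac)] += 1
    if counts["foreign"]:
        return counts, "shared segment (hub or mirror port)"
    if not promisc:
        return counts, "NIC is filtering: promiscuous mode is off"
    return counts, "promiscuous but isolated: port is probably switched"

def frame(dst, src):
    return dst + src + b"\x08\x00" + b"\x00" * 46    # constructed IPv4-typed frame

def sample(on_hub):                      # constructed capture: eth0 on a hub vs. a switch
    seen = [frame(OWN, HOST_A), frame(b"\xff" * 6, HOST_B),
            frame(bytes.fromhex("01005e0000fb"), HOST_A)]
    return seen + [frame(HOST_B, HOST_A)] * 5 if on_hub else seen

def live(ifname, n=200):
    """Capture n frames from ifname (Linux AF_PACKET socket, needs root)."""
    base = f"/sys/class/net/{ifname}/"
    own = bytes.fromhex(open(base + "address").read().strip().replace(":", ""))
    promisc = bool(int(open(base + "flags").read(), 16) & IFF_PROMISC)
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0003))
    s.bind((ifname, 0))
    return [s.recv(65535) for _ in range(n)], own, promisc

if __name__ == "__main__":
    args = live(sys.argv[1]) if len(sys.argv) > 1 else (sample(False), OWN, True)
    print(diagnose(*args))
```

A switch floods frames for destinations it has not learned yet, so a few foreign frames on a switched port are normal; judge the foreign count against the own and broadcast counts over a capture taken while other hosts are exchanging traffic.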