[plug] network monitoring using ntopng - can't see PPPoE packets

steve boak sboak at westnet.com.au
Fri Apr 28 14:27:30 AWST 2017 

On 28/04/17 13:00, byron ester wrote:
> Are you running iftop in promiscuous mode (-p)?
> Is it running as root?


Thanks Byron, checked a few things...

*sudo iftop -p -i br0* only displays occasional DHCP packets,

*sudo tcpdump -i br0* and *sudo tcpdump --no-promiscuous-mode -i br0* 
both display all packets including decoded PPPoE as mentioned earlier - 
showing that the br0 interface being in promiscuous mode already is working.

I only really mentioned iftop as an example, although it does illustrate 
the problem and is easily replicated.

I am actually running ntopng as a service on a headless machine, 
accessed on port 3000 (standard debian jessie apt install). From what I 
can glean from various places, ntopng (as a service) starts as root, 
attaches to the interface in promiscuous mode, then drops privileges and 
runs as 'nobody'. The actual running process is:

nobody   13524  3.9  2.7 151588 26424 ?        Ssl  13:32   1:08 
/usr/sbin/ntopng --daemon --pid /var/tmp/ntopng.pid -w 3000 -i br0

I tried starting ntopng directly as root with *sudo /usr/sbin/ntopng -w 
3000 -i br0*. I get a few status lines logged on the console, everything 
looks good, including capture on br0.

But still no PPPoE packets seen, just occasional DHCP requests.

Steve


>
> On Fri, Apr 28, 2017 at 12:28 PM, steve boak <sboak at westnet.com.au 
> <mailto:sboak at westnet.com.au>> wrote:
>
>     Hi All
>
>     I have an NBN satellite connection which is still not yet up to
>     the reliability I would like, so I have been investigating methods
>     of monitoring the connection.
>
>     I have a Rasperry Pi in bridge configuration (extra USB ethernet
>     adapter) in line between the router and satellite modem. The
>     router establishes a PPPoE session with Westnet, so most of the
>     traffic I should see is encapsulated in PPPoE packets.
>
>     The Pi works well, I can monitor throughput with interface stats
>     and all passing traffic is visible on the bridge port br0 when
>     using tcpdump - for example:
>
>     11:21:56.072589 PPPoE  [ses 0xe993] LCP, Echo-Request (0x09), id
>     203, length 14
>     11:21:56.073087 PPPoE  [ses 0xe993] LCP, Echo-Reply (0x0a), id
>     203, length 14
>
>     However, when I use iftop, ntop, or the newer ntopng I can only
>     see regular IP packets and PPPoE traffic seems to be ignored or
>     hidden.
>
>     br0 is in promiscuous mode, and all packets are available because
>     tcpdump can see them.
>
>     pi at raspberrypi:~ $ ifconfig
>     br0       Link encap:Ethernet  HWaddr 70:11:24:8c:e7:9b
>               inet addr:192.168.100.254  Bcast:192.168.100.255
>     Mask:255.255.255.0
>               inet6 addr: fe80::7211:24ff:fe8c:e79b/64 Scope:Link
>               UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500 Metric:1
>               RX packets:1315251 errors:0 dropped:44581 overruns:0 frame:0
>               TX packets:966 errors:0 dropped:0 overruns:0 carrier:0
>               collisions:0 txqueuelen:0
>               RX bytes:1019322018 (972.1 MiB)  TX bytes:355421 (347.0 KiB)
>
>     eth0      Link encap:Ethernet  HWaddr b8:27:eb:02:59:76
>               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>               RX packets:1115843 errors:0 dropped:0 overruns:0 frame:0
>               TX packets:637565 errors:0 dropped:0 overruns:0 carrier:0
>               collisions:0 txqueuelen:1000
>               RX bytes:1137978736 (1.0 GiB)  TX bytes:207997192 (198.3
>     MiB)
>
>     eth1      Link encap:Ethernet  HWaddr 70:11:24:8c:e7:9b
>               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>               RX packets:636600 errors:0 dropped:0 overruns:0 frame:0
>               TX packets:1116809 errors:0 dropped:0 overruns:0 carrier:0
>               collisions:0 txqueuelen:1000
>               RX bytes:193628821 (184.6 MiB)  TX bytes:1158423387 (1.0
>     GiB)
>
>     Is there something I have missed? ntopng looks like it should
>     decode PPPoE packets, but all I can see is a few DHCP requests on
>     the interface. The same with iftop.
>
>     Thanks in advance for any ideas...
>
>     Steve
>
>     -- 
>     Steve Boak, VK6HSB, 0411 255 789, P.O. Box 240, Nannup, WA 6275
>
>     _______________________________________________
>     PLUG discussion list: plug at plug.org.au <mailto:plug at plug.org.au>
>     http://lists.plug.org.au/mailman/listinfo/plug
>     <http://lists.plug.org.au/mailman/listinfo/plug>
>     Committee e-mail: committee at plug.org.au <mailto:committee at plug.org.au>
>     PLUG Membership: http://www.plug.org.au/membership
>     <http://www.plug.org.au/membership>
>
>
>
>
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://lists.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.org.au
> PLUG Membership: http://www.plug.org.au/membership

-- 
Steve Boak, VK6HSB, 0411 255 789, P.O. Box 240, Nannup, WA 6275

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.plug.org.au/pipermail/plug/attachments/20170428/9b99d02e/attachment.html>

More information about the plug mailing list