[plug] network monitoring using ntopng - can't see PPPoE packets
Andrew Furey
andrew.furey at gmail.com
Fri Apr 28 15:32:10 AWST 2017
Just a correlation - on my standard Wheezy homebrew gateway with two nics,
I don't see any PPPoE packets through iftop on the raw interface either
(iftop -i eth1, which ppp0 runs on top of). Ifconfig looks like this:

eth1      Link encap:Ethernet  HWaddr 74:da:38:9c:75:b1
          inet6 addr: fe80::76da:38ff:fe9c:75b1/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:631715166 errors:0 dropped:1769 overruns:0 frame:0
          TX packets:554353641 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2854283371 (2.6 GiB)  TX bytes:3337899266 (3.1 GiB)
          Interrupt:43 Base address:0x4000

ppp0      Link encap:Point-to-Point Protocol
          inet addr:blah  P-t-P:blah  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:3162633 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3398939 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:664127785 (633.3 MiB)  TX bytes:600514443 (572.6 MiB)

Maybe that's just how iftop works? I don't have the others installed to
test with.
Andrew
On 28 April 2017 at 14:27, steve boak <sboak at westnet.com.au> wrote:
> On 28/04/17 13:00, byron ester wrote:
>
> Are you running iftop in promiscuous mode (-p)?
> Is it running as root?
>
>
>
> Thanks Byron, checked a few things...
>
> *sudo iftop -p -i br0* only displays occasional DHCP packets,
>
> *sudo tcpdump -i br0* and *sudo tcpdump --no-promiscuous-mode -i br0*
> both display all packets including decoded PPPoE as mentioned earlier -
> showing that the br0 interface being in promiscuous mode already is working.
>
> I only really mentioned iftop as an example, although it does illustrate
> the problem and is easily replicated.
>
> I am actually running ntopng as a service on a headless machine, accessed
> on port 3000 (standard debian jessie apt install). From what I can glean
> from various places, ntopng (as a service) starts as root, attaches to the
> interface in promiscuous mode, then drops privileges and runs as 'nobody'.
> The actual running process is:
>
> nobody 13524 3.9 2.7 151588 26424 ? Ssl 13:32 1:08
> /usr/sbin/ntopng --daemon --pid /var/tmp/ntopng.pid -w 3000 -i br0
>
> I tried starting ntopng directly as root with *sudo /usr/sbin/ntopng -w
> 3000 -i br0*. I get a few status lines logged on the console, everything
> looks good, including capture on br0.
>
> But still no PPPoE packets seen, just occasional DHCP requests.
>
> Steve
>
>
>
>
> On Fri, Apr 28, 2017 at 12:28 PM, steve boak <sboak at westnet.com.au> wrote:
>
>> Hi All
>>
>> I have an NBN satellite connection which is still not yet up to the
>> reliability I would like, so I have been investigating methods of
>> monitoring the connection.
>>
>> I have a Raspberry Pi in bridge configuration (extra USB ethernet adapter)
>> in line between the router and satellite modem. The router establishes a
>> PPPoE session with Westnet, so most of the traffic I should see is
>> encapsulated in PPPoE packets.
>>
>> The Pi works well, I can monitor throughput with interface stats and all
>> passing traffic is visible on the bridge port br0 when using tcpdump - for
>> example:
>>
>> 11:21:56.072589 PPPoE [ses 0xe993] LCP, Echo-Request (0x09), id 203, length 14
>> 11:21:56.073087 PPPoE [ses 0xe993] LCP, Echo-Reply (0x0a), id 203, length 14
>>
>> However, when I use iftop, ntop, or the newer ntopng I can only see
>> regular IP packets and PPPoE traffic seems to be ignored or hidden.
>>
>> br0 is in promiscuous mode, and all packets are available because tcpdump
>> can see them.
>>
>> pi@raspberrypi:~ $ ifconfig
>> br0       Link encap:Ethernet  HWaddr 70:11:24:8c:e7:9b
>>           inet addr:192.168.100.254  Bcast:192.168.100.255  Mask:255.255.255.0
>>           inet6 addr: fe80::7211:24ff:fe8c:e79b/64 Scope:Link
>>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>>           RX packets:1315251 errors:0 dropped:44581 overruns:0 frame:0
>>           TX packets:966 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:0
>>           RX bytes:1019322018 (972.1 MiB)  TX bytes:355421 (347.0 KiB)
>>
>> eth0      Link encap:Ethernet  HWaddr b8:27:eb:02:59:76
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:1115843 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:637565 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:1137978736 (1.0 GiB)  TX bytes:207997192 (198.3 MiB)
>>
>> eth1      Link encap:Ethernet  HWaddr 70:11:24:8c:e7:9b
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:636600 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:1116809 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:193628821 (184.6 MiB)  TX bytes:1158423387 (1.0 GiB)
>>
>> Is there something I have missed? ntopng looks like it should decode
>> PPPoE packets, but all I can see is a few DHCP requests on the interface.
>> The same with iftop.
>>
>> Thanks in advance for any ideas...
>>
>> Steve
>>
>> --
>> Steve Boak, VK6HSB, 0411 255 789, P.O. Box 240, Nannup, WA 6275
>>
>> _______________________________________________
>> PLUG discussion list: plug at plug.org.au
>> http://lists.plug.org.au/mailman/listinfo/plug
>> Committee e-mail: committee at plug.org.au
>> PLUG Membership: http://www.plug.org.au/membership
>>
--
Linux supports the notion of a command line or a shell for the same
reason that only children read books with only pictures in them.
Language, be it English or something else, is the only tool flexible
enough to accomplish a sufficiently broad range of tasks.
-- Bill Garrett
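
For reference, an added example (not written by anyone in this thread): a small Python classifier that shows where the PPP payload and inner IPv4 addresses sit inside a PPPoE session frame (EtherType 0x8864), which is the unwrapping a monitor must do before it can attribute bridged traffic to hosts. The frames are constructed, not captured; the session id and LCP id mirror the tcpdump line quoted above, and the IPv4 addresses are documentation-range assumptions.

```python
import ipaddress
import struct

ETH_IPV4, ETH_PPPOE_DISC, ETH_PPPOE_SESS = 0x0800, 0x8863, 0x8864
PPP_PROTO = {0x0021: "IPv4", 0x0057: "IPv6", 0xC021: "LCP", 0x8021: "IPCP"}
LCP_CODE = {9: "Echo-Request", 10: "Echo-Reply"}

def classify(frame: bytes) -> dict:
    """Describe one Ethernet frame, unwrapping a PPPoE session header if present."""
    if len(frame) < 14:
        return {"kind": "truncated"}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_IPV4:
        return {"kind": "plain-ipv4"}
    if ethertype == ETH_PPPOE_DISC:
        return {"kind": "pppoe-discovery"}
    if ethertype != ETH_PPPOE_SESS:
        return {"kind": "other"}
    if len(frame) < 22:
        return {"kind": "truncated"}
    ver_type, code, session, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11 or code != 0 or length < 2 or len(frame) < 20 + length:
        return {"kind": "malformed-pppoe"}
    # The PPPoE length field bounds the PPP data; bytes after it are Ethernet padding.
    ppp = frame[20:20 + length]
    proto = struct.unpack("!H", ppp[:2])[0]
    out = {"kind": "pppoe-session", "session": session,
           "inner": PPP_PROTO.get(proto, hex(proto))}
    body = ppp[2:]
    if proto == 0x0021 and len(body) >= 20:
        # Inner IPv4 header: source at offset 12, destination at offset 16.
        out["src"] = str(ipaddress.IPv4Address(body[12:16]))
        out["dst"] = str(ipaddress.IPv4Address(body[16:20]))
    elif proto == 0xC021 and len(body) >= 4:
        out["detail"] = f"{LCP_CODE.get(body[0], body[0])} id {body[1]}"
    return out

def pppoe_frame(session: int, ppp: bytes) -> bytes:
    """Build a constructed frame: zeroed MACs, PPPoE session header, padded to 60 bytes."""
    hdr = struct.pack("!HBBHH", ETH_PPPOE_SESS, 0x11, 0, session, len(ppp))
    return (bytes(12) + hdr + ppp).ljust(60, b"\x00")

# Constructed samples (not captured traffic).
LCP_ECHO = pppoe_frame(0xE993, struct.pack("!HBBHI", 0xC021, 9, 203, 8, 0x12345678))
INNER_IP = pppoe_frame(0xE993, struct.pack("!H", 0x0021) + bytes([0x45]) + bytes(11)
                       + ipaddress.IPv4Address("192.0.2.10").packed
                       + ipaddress.IPv4Address("198.51.100.7").packed)

if __name__ == "__main__":
    for sample in (LCP_ECHO, INNER_IP):
        print(classify(sample))
```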