[plug] network monitoring using ntopng - can't see PPPoE packets
steve boak
sboak at westnet.com.au
Fri Apr 28 15:42:15 AWST 2017
Can you try tcpdump? It seems able to show all packets.
Steve
On 28/04/17 15:32, Andrew Furey wrote:
> Just a correlation - on my standard Wheezy homebrew gateway with two
> nics, I don't see any PPPoE packets through iftop on the raw interface
> either (iftop -i eth1, which ppp0 runs on top of). Ifconfig looks like
> this:
>
> eth1 Link encap:Ethernet HWaddr 74:da:38:9c:75:b1
> inet6 addr: fe80::76da:38ff:fe9c:75b1/64 Scope:Link
> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:631715166 errors:0 dropped:1769 overruns:0 frame:0
> TX packets:554353641 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:2854283371 (2.6 GiB) TX bytes:3337899266 (3.1 GiB)
> Interrupt:43 Base address:0x4000
>
> ppp0 Link encap:Point-to-Point Protocol
> inet addr:blah P-t-P:blah Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
> RX packets:3162633 errors:0 dropped:0 overruns:0 frame:0
> TX packets:3398939 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:3
> RX bytes:664127785 (633.3 MiB) TX bytes:600514443 (572.6 MiB)
>
>
> Maybe that's just how iftop works? I don't have the others installed
> to test with.
>
> Andrew
>
> On 28 April 2017 at 14:27, steve boak <sboak at westnet.com.au
> <mailto:sboak at westnet.com.au>> wrote:
>
> On 28/04/17 13:00, byron ester wrote:
>> Are you running iftop in promiscuous mode (-p)?
>> Is it running as root?
>
>
> Thanks Byron, checked a few things...
>
> *sudo iftop -p -i br0* only displays occasional DHCP packets,
>
> *sudo tcpdump -i br0* and *sudo tcpdump --no-promiscuous-mode -i
> br0* both display all packets including decoded PPPoE as mentioned
> earlier - showing that the br0 interface being in promiscuous mode
> already is working.
>
> I only really mentioned iftop as an example, although it does
> illustrate the problem and is easily replicated.
>
> I am actually running ntopng as a service on a headless machine,
> accessed on port 3000 (standard Debian jessie apt install). From
> what I can glean from various places, ntopng (as a service) starts
> as root, attaches to the interface in promiscuous mode, then drops
> privileges and runs as 'nobody'. The actual running process is:
>
> nobody 13524 3.9 2.7 151588 26424 ? Ssl 13:32 1:08
> /usr/sbin/ntopng --daemon --pid /var/tmp/ntopng.pid -w 3000 -i br0
>
> I tried starting ntopng directly as root with *sudo
> /usr/sbin/ntopng -w 3000 -i br0*. I get a few status lines logged
> on the console, everything looks good, including capture on br0.
>
> But still no PPPoE packets seen, just occasional DHCP requests.
>
> Steve
>
>
>
>>
>> On Fri, Apr 28, 2017 at 12:28 PM, steve boak
>> <sboak at westnet.com.au <mailto:sboak at westnet.com.au>> wrote:
>>
>> Hi All
>>
>> I have an NBN satellite connection which is still not yet up
>> to the reliability I would like, so I have been investigating
>> methods of monitoring the connection.
>>
>> I have a Raspberry Pi in bridge configuration (extra USB
>> ethernet adapter) in line between the router and satellite
>> modem. The router establishes a PPPoE session with Westnet,
>> so most of the traffic I should see is encapsulated in PPPoE
>> packets.
>>
>> The Pi works well, I can monitor throughput with interface
>> stats and all passing traffic is visible on the bridge port
>> br0 when using tcpdump - for example:
>>
>> 11:21:56.072589 PPPoE [ses 0xe993] LCP, Echo-Request (0x09),
>> id 203, length 14
>> 11:21:56.073087 PPPoE [ses 0xe993] LCP, Echo-Reply (0x0a),
>> id 203, length 14
>>
>> However, when I use iftop, ntop, or the newer ntopng I can
>> only see regular IP packets and PPPoE traffic seems to be
>> ignored or hidden.
>>
>> br0 is in promiscuous mode, and all packets are available
>> because tcpdump can see them.
>>
>> pi at raspberrypi:~ $ ifconfig
>> br0 Link encap:Ethernet HWaddr 70:11:24:8c:e7:9b
>> inet addr:192.168.100.254 Bcast:192.168.100.255
>> Mask:255.255.255.0
>> inet6 addr: fe80::7211:24ff:fe8c:e79b/64 Scope:Link
>> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500
>> Metric:1
>> RX packets:1315251 errors:0 dropped:44581
>> overruns:0 frame:0
>> TX packets:966 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:0
>> RX bytes:1019322018 (972.1 MiB) TX bytes:355421
>> (347.0 KiB)
>>
>> eth0 Link encap:Ethernet HWaddr b8:27:eb:02:59:76
>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>> RX packets:1115843 errors:0 dropped:0 overruns:0
>> frame:0
>> TX packets:637565 errors:0 dropped:0 overruns:0
>> carrier:0
>> collisions:0 txqueuelen:1000
>> RX bytes:1137978736 (1.0 GiB) TX bytes:207997192
>> (198.3 MiB)
>>
>> eth1 Link encap:Ethernet HWaddr 70:11:24:8c:e7:9b
>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>> RX packets:636600 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:1116809 errors:0 dropped:0 overruns:0
>> carrier:0
>> collisions:0 txqueuelen:1000
>> RX bytes:193628821 (184.6 MiB) TX bytes:1158423387
>> (1.0 GiB)
>>
>> Is there something I have missed? ntopng looks like it should
>> decode PPPoE packets, but all I can see is a few DHCP
>> requests on the interface. The same with iftop.
>>
>> Thanks in advance for any ideas...
>>
>> Steve
>>
>> --
>> Steve Boak, VK6HSB, 0411 255 789, P.O. Box 240, Nannup, WA 6275
>>
>> _______________________________________________
>> PLUG discussion list: plug at plug.org.au <mailto:plug at plug.org.au>
>> http://lists.plug.org.au/mailman/listinfo/plug
>> <http://lists.plug.org.au/mailman/listinfo/plug>
>> Committee e-mail: committee at plug.org.au
>> <mailto:committee at plug.org.au>
>> PLUG Membership: http://www.plug.org.au/membership
>> <http://www.plug.org.au/membership>
>>
>
> --
> Steve Boak, VK6HSB, 0411 255 789, P.O. Box 240, Nannup, WA 6275
>
> --
> Linux supports the notion of a command line or a shell for the same
> reason that only children read books with only pictures in them.
> Language, be it English or something else, is the only tool flexible
> enough to accomplish a sufficiently broad range of tasks.
> -- Bill Garrett
--
Steve Boak, VK6HSB, 0411 255 789, P.O. Box 240, Nannup, WA 6275
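
Added example, not part of the thread and not code from tcpdump, iftop or ntopng: a small decoder showing where the payload sits in a PPPoE session frame (EtherType 0x8864, RFC 2516) compared with a bare IPv4 frame (EtherType 0x0800) on the bridge. The frames are constructed samples using the session ID 0xe993 and LCP id 203 from the tcpdump lines quoted above; `ip_only_monitor_sees` is a hypothetical classifier used for illustration, not a statement about how any of the tools in the thread work.

```python
import struct

ETH_IPV4, ETH_PPPOE_DISC, ETH_PPPOE_SESS = 0x0800, 0x8863, 0x8864
PPP_PROTOS = {0x0021: "IPv4", 0x0057: "IPv6", 0xC021: "LCP"}
LCP_CODES = {0x09: "Echo-Request", 0x0A: "Echo-Reply"}

def classify(frame: bytes) -> dict:
    """Classify one Ethernet frame, looking inside PPPoE session frames."""
    if len(frame) < 14:
        return {"kind": "truncated"}
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == ETH_IPV4:
        return {"kind": "plain-ipv4"}
    if ethertype == ETH_PPPOE_DISC:
        return {"kind": "pppoe-discovery"}
    if ethertype != ETH_PPPOE_SESS:
        return {"kind": "other", "ethertype": ethertype}
    if len(frame) < 22:  # 14 Ethernet + 6 PPPoE + 2 PPP protocol
        return {"kind": "truncated"}
    # PPPoE header (RFC 2516): version/type, code, session ID, payload length
    vertype, code, session, length = struct.unpack_from("!BBHH", frame, 14)
    if vertype != 0x11 or code != 0x00:
        return {"kind": "malformed-pppoe"}
    payload = frame[20:20 + length]  # length field excludes Ethernet padding
    if length < 2 or len(payload) < length:
        return {"kind": "truncated"}
    (proto,) = struct.unpack_from("!H", payload, 0)
    info = {"kind": "pppoe-session", "session": session,
            "inner": PPP_PROTOS.get(proto, hex(proto))}
    if proto == 0xC021 and len(payload) >= 4:
        lcp_code, lcp_id = struct.unpack_from("!BB", payload, 2)
        info.update(lcp=LCP_CODES.get(lcp_code, hex(lcp_code)), id=lcp_id)
    return info

def ip_only_monitor_sees(frame: bytes) -> bool:
    """Hypothetical monitor that counts a frame only if its EtherType is IPv4."""
    return classify(frame)["kind"] == "plain-ipv4"

def eth(dst: str, src: str, ethertype: int, body: bytes) -> bytes:
    return bytes.fromhex(dst + src) + struct.pack("!H", ethertype) + body

# Constructed sample frames (MAC addresses and magic number are made up).
ROUTER, MODEM = "020000000001", "020000000002"
lcp = struct.pack("!BBHI", 0x09, 203, 8, 0x12345678)  # code, id, length, magic
ppp = struct.pack("!H", 0xC021) + lcp
pppoe = struct.pack("!BBHH", 0x11, 0x00, 0xE993, len(ppp)) + ppp
ECHO_FRAME = eth(MODEM, ROUTER, ETH_PPPOE_SESS, pppoe.ljust(46, b"\0"))
BARE_IP_FRAME = eth("ffffffffffff", ROUTER, ETH_IPV4, bytes(46))

if __name__ == "__main__":
    for name, f in (("echo", ECHO_FRAME), ("bare-ip", BARE_IP_FRAME)):
        print(name, classify(f), "ip-only sees:", ip_only_monitor_sees(f))
```
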