<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 28/04/17 13:00, byron ester wrote:<br>
<blockquote
cite="mid:CAKO27ZcbBTP7wvhHrViLGZNoGsr9E1f6yrWF+bdhAiDN4vyxgw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Are you running iftop in promiscuous mode (-p)?</div>
<div>Is it running as root?</div>
</div>
</blockquote>
<br>
<br>
Thanks Byron, checked a few things...<br>
<br>
<b>sudo iftop -p -i br0</b> only displays occasional DHCP packets,<br>
<br>
<b>sudo tcpdump -i br0</b> and <b>sudo tcpdump
--no-promiscuous-mode -i br0</b> both display all packets
including decoded PPPoE as mentioned earlier - showing that the br0
interface being in promiscuous mode already is working.<br>
<br>
I only really mentioned iftop as an example, although it does
illustrate the problem and is easily replicated.<br>
<br>
I am actually running ntopng as a service on a headless machine,
accessed on port 3000 (standard Debian jessie apt install). From
what I can glean from various places, ntopng (as a service) starts
as root, attaches to the interface in promiscuous mode, then drops
privileges and runs as 'nobody'. The actual running process is:<br>
<br>
nobody 13524 3.9 2.7 151588 26424 ? Ssl 13:32 1:08
/usr/sbin/ntopng --daemon --pid /var/tmp/ntopng.pid -w 3000 -i br0<br>
<br>
I tried starting ntopng directly as root with <b>sudo
/usr/sbin/ntopng -w 3000 -i br0</b>. I get a few status lines
logged on the console, everything looks good, including capture on
br0.<br>
<br>
But still no PPPoE packets seen, just occasional DHCP requests.<br>
<br>
Steve<br>
<br>
<br>
<blockquote
cite="mid:CAKO27ZcbBTP7wvhHrViLGZNoGsr9E1f6yrWF+bdhAiDN4vyxgw@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Apr 28, 2017 at 12:28 PM, steve
boak <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:sboak@westnet.com.au" target="_blank">sboak@westnet.com.au</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Hi All<br>
<br>
I have an NBN satellite connection which is still not yet up
to the reliability I would like, so I have been
investigating methods of monitoring the connection.<br>
<br>
I have a Raspberry Pi in bridge configuration (extra USB
ethernet adapter) in line between the router and satellite
modem. The router establishes a PPPoE session with Westnet,
so most of the traffic I should see is encapsulated in PPPoE
packets.<br>
<br>
The Pi works well, I can monitor throughput with interface
stats and all passing traffic is visible on the bridge port
br0 when using tcpdump - for example:<br>
<br>
11:21:56.072589 PPPoE [ses 0xe993] LCP, Echo-Request
(0x09), id 203, length 14<br>
11:21:56.073087 PPPoE [ses 0xe993] LCP, Echo-Reply (0x0a),
id 203, length 14<br>
<br>
However, when I use iftop, ntop, or the newer ntopng I can
only see regular IP packets and PPPoE traffic seems to be
ignored or hidden.<br>
<br>
br0 is in promiscuous mode, and all packets are available
because tcpdump can see them.<br>
<br>
pi@raspberrypi:~ $ ifconfig<br>
br0 Link encap:Ethernet HWaddr 70:11:24:8c:e7:9b<br>
inet addr:192.168.100.254 Bcast:192.168.100.255
Mask:255.255.255.0<br>
inet6 addr: fe80::7211:24ff:fe8c:e79b/64
Scope:Link<br>
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500
Metric:1<br>
RX packets:1315251 errors:0 dropped:44581
overruns:0 frame:0<br>
TX packets:966 errors:0 dropped:0 overruns:0
carrier:0<br>
collisions:0 txqueuelen:0<br>
RX bytes:1019322018 (972.1 MiB) TX bytes:355421
(347.0 KiB)<br>
<br>
eth0 Link encap:Ethernet HWaddr b8:27:eb:02:59:76<br>
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
RX packets:1115843 errors:0 dropped:0 overruns:0
frame:0<br>
TX packets:637565 errors:0 dropped:0 overruns:0
carrier:0<br>
collisions:0 txqueuelen:1000<br>
RX bytes:1137978736 (1.0 GiB) TX bytes:207997192
(198.3 MiB)<br>
<br>
eth1 Link encap:Ethernet HWaddr 70:11:24:8c:e7:9b<br>
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
RX packets:636600 errors:0 dropped:0 overruns:0
frame:0<br>
TX packets:1116809 errors:0 dropped:0 overruns:0
carrier:0<br>
collisions:0 txqueuelen:1000<br>
RX bytes:193628821 (184.6 MiB) TX
bytes:1158423387 (1.0 GiB)<br>
<br>
Is there something I have missed? ntopng looks like it
should decode PPPoE packets, but all I can see is a few DHCP
requests on the interface. The same with iftop.<br>
<br>
Thanks in advance for any ideas...<span class="HOEnZb"><font
color="#888888"><br>
<br>
Steve<br>
<br>
-- <br>
Steve Boak, VK6HSB, 0411 255 789, P.O. Box 240, Nannup,
WA 6275<br>
<br>
______________________________<wbr>_________________<br>
PLUG discussion list: <a moz-do-not-send="true"
href="mailto:plug@plug.org.au" target="_blank">plug@plug.org.au</a><br>
<a moz-do-not-send="true"
href="http://lists.plug.org.au/mailman/listinfo/plug"
rel="noreferrer" target="_blank">http://lists.plug.org.au/mailm<wbr>an/listinfo/plug</a><br>
Committee e-mail: <a moz-do-not-send="true"
href="mailto:committee@plug.org.au" target="_blank">committee@plug.org.au</a><br>
PLUG Membership: <a moz-do-not-send="true"
href="http://www.plug.org.au/membership"
rel="noreferrer" target="_blank">http://www.plug.org.au/members<wbr>hip</a><br>
</font></span></blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Steve Boak, VK6HSB, 0411 255 789, P.O. Box 240, Nannup, WA 6275</pre>
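<br>
Added example, not part of the original message and not code from iftop or ntopng: it shows how PPPoE session frames (EtherType 0x8864) wrap IPv4, so a flow counter that only reads EtherType 0x0800 would report just the DHCP-style broadcast, while one that unwraps PPPoE also sees the tunnelled traffic. All function names are hypothetical and the frames are constructed, reusing session id 0xe993 and the LCP Echo-Request (id 203, length 14) from the tcpdump output quoted above.<br>
<br>

```python
import socket
import struct

ETH_IPV4, ETH_PPPOE_SESSION = 0x0800, 0x8864   # EtherTypes
PPP_IPV4, PPP_LCP = 0x0021, 0xC021             # PPP protocol numbers

def inner_ipv4(frame, unwrap_pppoe):
    """Return the IPv4 packet carried by an Ethernet frame, or None."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    payload = frame[14:]
    if ethertype == ETH_IPV4:
        return payload
    if ethertype == ETH_PPPOE_SESSION and unwrap_pppoe and len(payload) >= 8:
        # PPPoE header: ver/type, code, session id, length; then PPP protocol
        _vt, code, _sid, length, proto = struct.unpack_from("!BBHHH", payload)
        if code == 0 and proto == PPP_IPV4:
            return payload[8:6 + length]  # length counts PPP protocol + data
    return None

def flows(frames, unwrap_pppoe):
    """Sum IPv4 total-length bytes per (source, destination) pair."""
    totals = {}
    for frame in frames:
        ip = inner_ipv4(frame, unwrap_pppoe)
        if ip is None or len(ip) < 20:
            continue
        key = (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]))
        totals[key] = totals.get(key, 0) + struct.unpack_from("!H", ip, 2)[0]
    return totals

# --- constructed sample frames (zeroed MACs, documentation addresses) ---
def _eth(ethertype, payload):
    return bytes(12) + struct.pack("!H", ethertype) + payload

def _ipv4(src, dst, data_len):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + data_len, 0, 0, 64, 17, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + bytes(data_len)

def _pppoe(session, proto, data):
    return struct.pack("!BBHHH", 0x11, 0, session, len(data) + 2, proto) + data

SAMPLE = [
    _eth(ETH_IPV4, _ipv4("0.0.0.0", "255.255.255.255", 300)),  # DHCP-style broadcast
    _eth(ETH_PPPOE_SESSION, _pppoe(0xE993, PPP_LCP, struct.pack("!BBH", 9, 203, 14) + bytes(10))),
    _eth(ETH_PPPOE_SESSION,
         _pppoe(0xE993, PPP_IPV4, _ipv4("203.0.113.10", "198.51.100.7", 1000))),
]
```

<br>
Calling flows(SAMPLE, False) and flows(SAMPLE, True) gives the two views side by side; the LCP echo frame carries no IPv4 and is skipped in both.<br>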
</body>
</html>