
Mailing List Archive: NTop: Misc

nProbe plugin problem after upgrading to nProbe 6.9.2



kpmceachern at gmail

Mar 19, 2012, 11:02 AM

Post #1 of 3 (578 views)
nProbe plugin problem after upgrading to nProbe 6.9.2

Hi,

I have an nProbe plugin that adds a custom 4-byte numeric field to flow
records (NetFlow v9). It works fine in nprobe_6.7.3_122311_pro but is not
working in nprobe_6.9.2_021712_pro. The symptom is that some flow records
are exported with the custom field set correctly, but many are exported
with a zero value and the plugin's PluginExportFctn is not being called. I
investigated and found that in 6.7.3 there are always 2 templates (IPv4,
IPv6) created, whether the plugin is present or not. In 6.9.2 there are 4
templates created when the plugin is present: 2 containing the custom field
and two without it. It looks like many of the flow records are being
exported using the templates that don't contain the custom field.

I think my plugin code is okay but I'd like to confirm given the plugin API
slightly changed in 6.9.2. I'm setting the 2 new fields in
V9V10TemplateElementId (isInUse, protoMode) the same as dumpPlugin.c but
also tried changing isInUse. For the 2 new fields in PluginEntryPoint
(v4TemplateIdx, v6TemplateIdx) I copied dumpPlugin.c (0, 0) but also tried
V4_TEMPLATE_INDEX, V6_TEMPLATE_INDEX and 2,3. So far I haven't found
anything that made a difference.

I'll stick with 6.7.3 for now but any insight would be much appreciated,
Karen


deri at ntop

Mar 21, 2012, 1:04 PM

Post #2 of 3 (515 views)
Re: nProbe plugin problem after upgrading to nProbe 6.9.2

Karen
The current nProbe is changed significantly with respect to the old version. We have already addressed many issues in the current version (6.9.3). Please tell me how to reproduce the issue and I will address it.

Thanks Luca

Sent from my iPad (sorry for typos)



kpmceachern at gmail

Mar 22, 2012, 4:02 PM

Post #3 of 3 (514 views)
Re: nProbe plugin problem after upgrading to nProbe 6.9.2

Luca,

It should be reproducible by creating a simple skeleton nProbe plugin that
defines a new numeric field like this:

    static V9V10TemplateElementId xxx_template[] = {
      { 0, BOTH_IPV4_IPV6, FLOW_TEMPLATE, LONG_SNAPLEN, NTOP_ENTERPRISE_ID,
        BASE_ID, STATIC_FIELD_LEN, 4, numeric_format, dump_as_uint,
        "NEW_FIELD", "", "New field" },
      ...
    };

and have the plugin_export() function generate a traceEvent when it's called
and hardcode the exported value to something non-zero. First start nProbe
with no plugins and "-b 2" and notice the logs show there are 2 templates
created. Then run nProbe with the skeleton plugin and a small PCAP file as
input and notice the logs show there are now 4 templates, the
plugin_export() doesn't get called for every flow record exported, and some
of the flow records exported to the collector port contain zero for
NEW_FIELD. I don't suggest using "-D t" to check the flow record contents
because I think the plugin_print() function was getting called each time a
flow record was emitted and so the text format was correct.

My PluginEntryPoint looks like the one below. If you're not able to
reproduce the problem please let me know and I'll try to create a
reproducer.
Karen
____

    static PluginEntryPoint xxx_plugin = {
      NPROBE_REVISION,
      "Short description",
      "0.1" /* plugin version */,
      "Long description",
      "Author",
      0 /* not always enabled */,
      1 /* enabled */,
      PLUGIN_DONT_NEED_LICENSE,
      xxx_plugin_init,
      xxx_plugin_term,
      xxx_plugin_conf,
      xxx_plugin_delete,
      1 /* call plugin_packet for each packet */,
      xxx_plugin_packet,
      xxx_plugin_get_template,
      xxx_plugin_export,
      xxx_plugin_print,
      xxx_plugin_stats,
      xxx_plugin_setup,
      xxx_plugin_help,
      xxx_plugin_idle_task,
      V4_TEMPLATE_INDEX,
      V6_TEMPLATE_INDEX
    };

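
Added example (not part of the original thread and not nProbe code): a collector-side check for the symptom described above. It parses captured NetFlow v9 export payloads, records which templates carry a given field type, and counts per template how many data records arrived and how many had that field set to zero. CUSTOM_FIELD_TYPE, the function names and the sample packet are constructed for illustration; substitute the element ID your plugin's field is actually exported with.

```python
import struct
from collections import defaultdict
CUSTOM_FIELD_TYPE = 60000  # constructed placeholder, not nProbe's real element ID

def parse_templates(body, templates, stats, field_type):
    pos = 0
    while pos + 4 <= len(body):
        tid, nfields = struct.unpack_from("!HH", body, pos)
        pos += 4
        if tid < 256 or pos + 4 * nfields > len(body):
            break  # padding or truncated template record
        templates[tid] = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
        stats[tid]["has_field"] = any(t == field_type for t, _ in templates[tid])
        pos += 4 * nfields

def count_records(body, fields, st, field_type):
    # A zero-length template gives an empty range below, so nothing is counted.
    rec_len = sum(length for _, length in fields) or len(body) + 1
    for start in range(0, len(body) - rec_len + 1, rec_len):
        st["records"] += 1
        pos = start
        for ftype, length in fields:
            if ftype == field_type and not any(body[pos:pos + length]):
                st["zero"] += 1
            pos += length

def audit_v9(packets, field_type=CUSTOM_FIELD_TYPE):
    """Per template ID: carries field_type?, records seen, records with it zeroed."""
    templates = {}  # template_id -> [(field_type, field_length), ...]
    stats = defaultdict(lambda: {"has_field": False, "records": 0, "zero": 0})
    for pkt in packets:
        if len(pkt) < 20 or struct.unpack_from("!H", pkt)[0] != 9:
            continue  # not a NetFlow v9 export packet
        off = 20  # fixed v9 header length
        while off + 4 <= len(pkt):
            fs_id, fs_len = struct.unpack_from("!HH", pkt, off)
            if fs_len < 4 or off + fs_len > len(pkt):
                break  # malformed flowset length
            body = pkt[off + 4:off + fs_len]
            if fs_id == 0:  # template flowset
                parse_templates(body, templates, stats, field_type)
            elif fs_id in templates:  # data flowset for a known template
                count_records(body, templates[fs_id], stats[fs_id], field_type)
            off += fs_len
    return dict(stats)

# Constructed sample packet: template 257 carries the field, template 258 does not.
SAMPLE = (struct.pack("!HHIIII", 9, 5, 0, 0, 1, 0)
    + struct.pack("!12H", 0, 24, 257, 2, 8, 4, CUSTOM_FIELD_TYPE, 4, 258, 1, 8, 4)
    + struct.pack("!HH", 257, 20) + bytes([10, 0, 0, 1, 0, 0, 0, 7, 10, 0, 0, 2, 0, 0, 0, 0])
    + struct.pack("!HH", 258, 8) + bytes([10, 0, 0, 3]))
```

Templates are keyed by template ID only, so feed it payloads from one exporter and source ID at a time. Records counted under a template with has_field False never carried the field at all, which is a different failure from a record that carries it as zero.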
