DOL at ft
Feb 25, 2011, 7:58 AM
I'm trying to perform HTTP logging on mirrored GTP traffic, but only a minimal number of entries are exported.
I'm using the HTTP plugin successfully on the same machine with non-GTP traffic.
I've done some analysis and I can't figure out why so few, or no, log entries are exported, when there clearly is more HTTP traffic there. I've done traces to confirm this.
A 4MB tcpdump trace shows almost 6000 packets on port 80, to and from various IP addresses.
The output from nprobe with -b shows only 23 'Emitting Flow' lines where the destination is port 80 or 8080, like this one:
25/Feb/2011 15:46:04 [engine.c:1332] Emitting Flow: [->][tcp] 10.120.3.224:58172 -> xx.129.226.20:80 [7 pkt/1062 bytes][ifIdx 0->0][1.3 sec] [TunnelId 1298026309]
But in this period NO entry was written in the http_igb1_timestamp.txt file.
This is how I started the process:
/usr/local/bin/nprobe -n none -i igb1 --tunnel --http-dump-dir /data/HTTP -b 2
nProbe version: nprobe_6.1.6_013011_proplugins
OS: FreeBSD 8.1 (i386)
What can be the issue here?
I've had this running for a few hours and occasionally some URLs are exported.