nProbe IPS failure on Rocky Linux 9 #581

Open
cardigliano opened this issue Jul 24, 2023 · 2 comments

@cardigliano
Member

nProbe IPS fails on Rocky Linux 9 due to a double bind to two sockets tied to the same process pid. For some reason this is not allowed on RH kernels (this is working on Ubuntu/Debian). This should be addressed by avoiding the creation of the second socket if possible.

Failure message:

[LinuxSocketMonitor.cpp:103] ERROR: Unable to bind socket

Commands to reproduce it:

  • sudo ntopng -i tcp://127.0.0.1:1234
  • sudo nprobe -i ens192 --zmq tcp://127.0.0.1:1234 --agent-mode
@infinitynet2011

infinitynet2011 commented Sep 29, 2024

Hello!

Same here:

[root@nprobe system]# journalctl -u nprobe-ens1f0.service
Sep 30 02:14:59 nprobe systemd[1]: Started nProbe service for interface ens1f0.
Sep 30 02:14:59 nprobe nprobe[3749]: 30/Sep/2024 02:14:59 [plugin.c:177] No plugins found in ./plugins
Sep 30 02:14:59 nprobe nprobe[3749]: 30/Sep/2024 02:14:59 [plugin.c:185] Loading 22 plugins [.so] from /usr/lib/nprobe/plugins
Sep 30 02:14:59 nprobe nprobe[3749]: 30/Sep/2024 02:14:59 [nprobe.c:6967] WARNING: If you want to preserve the -M value, please specify -w before -M
Sep 30 02:14:59 nprobe nprobe[3749]: 30/Sep/2024 02:14:59 [nprobe.c:8240] WARNING: The output interfaceId is set to 0: did you forget to use -Q perhaps ?
Sep 30 02:14:59 nprobe nprobe[3749]: 30/Sep/2024 02:14:59 [nprobe.c:8243] WARNING: The input interfaceId is set to 0: did you forget to use -u perhaps ?
Sep 30 02:14:59 nprobe nprobe[3749]: 30/Sep/2024 02:14:59 [nprobe.c:8346] Welcome to nProbe v.10.6.240927 for x86_64-pc-linux-gnu with native PF_RING acceleration
Sep 30 02:14:59 nprobe nprobe[3749]: 30/Sep/2024 02:14:59 [nprobe.c:8368] Enterprise M Edition running on Rocky Linux release 9.3 (Blue Onyx)
Sep 30 02:14:59 nprobe nprobe[3749]: 30/Sep/2024 02:14:59 [nprobe.c:8376] Current limits [16 ZMQ exporters][16 collector devices]
Sep 30 02:14:59 nprobe nprobe[3749]: 30/Sep/2024 02:14:59 [nprobe.c:8391] SystemId: L7DB098D2B205A206--U7DB098D2676D0F08--OL
Sep 30 02:14:59 nprobe nprobe[3749]: 30/Sep/2024 02:14:59 [nprobe.c:8484] Sample rate [packet: 1][flow collection/export: 1/1]
Sep 30 02:14:59 nprobe nprobe[3749]: 30/Sep/2024 02:14:59 [smtpPlugin.c:106] [SMTP] Log files will be saved in /var/log/ntopng/smtp
Sep 30 02:14:59 nprobe nprobe[3749]: 30/Sep/2024 02:14:59 [nprobe.c:10563] Using template @NTOPNG@ %SRC_PROC_NAME %SRC_PROC_PID %SRC_PROC_CMDLINE %SRC_PROC_CONTAINER_ID %DST_PROC_NAME %DST_PROC_PID %DST_PROC_CMDLINE %DST_PROC_CONTAI>
Sep 30 02:14:59 nprobe nprobe[3749]: 30/Sep/2024 02:14:59 [nprobe.c:10565] Using NetFlow Packet Payload Len: 1472
Sep 30 02:14:59 nprobe nprobe[3749]: 30/Sep/2024 02:14:59 [nprobe.c:10450] @NTOPNG@ expanded to " %IN_SRC_MAC %OUT_DST_MAC %INPUT_SNMP %OUTPUT_SNMP %SRC_VLAN %IPV4_SRC_ADDR %IPV4_DST_ADDR %L4_SRC_PORT %L4_DST_PORT %IPV6_SRC_ADDR %IPV>
Sep 30 02:14:59 nprobe nprobe[3749]: 30/Sep/2024 02:14:59 [template.c:3625] WARNING: Unable to locate template 'NPROBE_IPV6_ADDRESS'. Discarded.
Sep 30 02:14:59 nprobe nprobe[3749]: 30/Sep/2024 02:14:59 [template.c:3625] WARNING: Unable to locate template 'NPROBE_IPV6_ADDRESS'. Discarded.
Sep 30 02:14:59 nprobe nprobe[3749]: 30/Sep/2024 02:14:59 [plugin.c:1204] 3 plugin(s) enabled
Sep 30 02:14:59 nprobe nprobe[3749]: 30/Sep/2024 02:14:59 [nprobe.c:11115] Each flow is 1163 bytes long
Sep 30 02:14:59 nprobe nprobe[3749]: 30/Sep/2024 02:14:59 [nprobe.c:11116] The # flows per packet has been set to 1
Sep 30 02:14:59 nprobe nprobe[3749]: 30/Sep/2024 02:14:59 [nprobe.c:11119] IP TOS is accounted
Sep 30 02:14:59 nprobe nprobe[3749]: 30/Sep/2024 02:14:59 [nprobe.c:12098] Flow export type (-T): bidirectional flows
Sep 30 02:14:59 nprobe nprobe[3749]: 30/Sep/2024 02:14:59 [nprobe.c:12292] Flows ASs will not be computed (no GeoDB files loaded with --as-list)
Sep 30 02:14:59 nprobe nprobe[3749]: 30/Sep/2024 02:14:59 [nprobe.c:12324] Flows will be exported in NetFlow 9 format
Sep 30 02:14:59 nprobe nprobe[3749]: 30/Sep/2024 02:14:59 [nprobe.c:12370] Learning the public IP address.. Disable it with --disable-startup-checks
Sep 30 02:14:59 nprobe nprobe[3749]: 30/Sep/2024 02:14:59 [util.c:6659] Initializing ZMQ as server
Sep 30 02:14:59 nprobe nprobe[3749]: 30/Sep/2024 02:14:59 [util.c:6696] Successfully created ZMQ endpoint tcp://*:5556
Sep 30 02:14:59 nprobe nprobe[3749]: 30/Sep/2024 02:14:59 [pf_ring.c:434] Initializing PF_RING socket on device zc:ens1f0.. (promisc)
Sep 30 02:15:00 nprobe nprobe[3749]: 30/Sep/2024 02:15:00 [pf_ring.c:476] Dumping traffic statistics on /proc/net/pf_ring/stats/3749-ens1f0.6
Sep 30 02:15:01 nprobe nprobe[3749]: 30/Sep/2024 02:15:01 [pf_ring.c:556] PF_RING enabled on zc:ens1f0
Sep 30 02:15:01 nprobe nprobe[3749]: 30/Sep/2024 02:15:01 [nprobe.c:12570] Capturing packets from PF_RING interface zc:ens1f0
Sep 30 02:15:01 nprobe nprobe[3749]: 30/Sep/2024 02:15:01 [nprobe.c:12589] WARNING: You need to use --redis with %FLOW_USER_NAME: using 127.0.0.1
Sep 30 02:15:01 nprobe nprobe[3749]: 30/Sep/2024 02:15:01 [util.c:5463] nProbe changed user to 'nprobe'
Sep 30 02:15:01 nprobe nprobe[3749]: 30/Sep/2024 02:15:01 [plugin.c:999] Enabling plugin DNS/LLMNR Protocol
Sep 30 02:15:01 nprobe nprobe[3749]: 30/Sep/2024 02:15:01 [plugin.c:999] Enabling plugin HTTP Protocol
Sep 30 02:15:01 nprobe nprobe[3749]: 30/Sep/2024 02:15:01 [plugin.c:999] Enabling plugin SMTP Protocol
Sep 30 02:15:01 nprobe nprobe[3749]: 30/Sep/2024 02:15:01 [export.c:487] Using TLV as serialization format
Sep 30 02:15:01 nprobe nprobe[3749]: 30/Sep/2024 02:15:01 [nprobe.c:12876] nProbe started successfully
Sep 30 02:15:01 nprobe nprobe[3749]: 30/Sep/2024 02:15:01 [pf_ring.c:269] Packet copy enabled
Sep 30 02:15:01 nprobe nprobe[3749]: 30/Sep/2024 02:15:01 [LinuxSocketMonitor.cpp:103] ERROR: Unable to bind socket
Sep 30 02:15:01 nprobe nprobe[3749]: [LinuxSocketMonitor.cpp:103] ERROR: Unable to bind socket
Sep 30 02:15:01 nprobe systemd[1]: nprobe-ens1f0.service: Deactivated successfully.

[ntopng Enterprise M v.6.3.240928 (Rocky Linux release 9.3)

Thank you,
Gabriel

@infinitynet2011

Hello,

I think I can provide more info; I hope it will be useful:

[root@nprobe system]# systemctl status nprobe-vlan*.service
● nprobe-vlan11.service - nProbe service for interface vlan11
Loaded: loaded (/etc/systemd/system/nprobe-vlan11.service; enabled; preset: disabled)
Active: active (running) since Mon 2024-09-30 03:09:02 EEST; 3s ago
Main PID: 5207 (nprobe@2055)
Tasks: 7 (limit: 203517)
Memory: 21.2M
CPU: 209ms
CGroup: /system.slice/nprobe-vlan11.service
└─5207 /usr/bin/nprobe --interface vlan11 --ntopng "tcp://:555555" --agent-mode -n none -3 2055 -w 524288 -T @NTOPNG@ "--collection-filter=!188..*.82" --smtp-dump-dir /var/log/ntopng/smtp/

Sep 30 03:09:02 nprobe nprobe[5207]: 30/Sep/2024 03:09:02 [nprobe.c:12370] Learning the public IP address.. Disable it with --disable-startup-checks
Sep 30 03:09:02 nprobe nprobe[5207]: 30/Sep/2024 03:09:02 [util.c:6659] Initializing ZMQ as server
Sep 30 03:09:02 nprobe nprobe[5207]: 30/Sep/2024 03:09:02 [util.c:6696] Successfully created ZMQ endpoint tcp://*:555555
Sep 30 03:09:02 nprobe nprobe[5207]: 30/Sep/2024 03:09:02 [nprobe.c:12562] Not capturing packet from interface (collector mode)
Sep 30 03:09:02 nprobe nprobe[5207]: 30/Sep/2024 03:09:02 [util.c:5408] Enlarged socket buffer [echo 8388608 > /proc/sys/net/core/rmem_max]
Sep 30 03:09:02 nprobe nprobe[5207]: 30/Sep/2024 03:09:02 [util.c:5463] nProbe changed user to 'nprobe'
Sep 30 03:09:02 nprobe nprobe[5207]: 30/Sep/2024 03:09:02 [collect.c:248] Flow collector listening on port 2055 (IPv4/v6)
Sep 30 03:09:02 nprobe nprobe[5207]: 30/Sep/2024 03:09:02 [export.c:487] Using TLV as serialization format
Sep 30 03:09:02 nprobe nprobe[5207]: 30/Sep/2024 03:09:02 [nprobe.c:12876] nProbe started successfully
Sep 30 03:09:03 nprobe nprobe[5207]: 30/Sep/2024 03:09:03 [collect.c:3496] Collecting flows from 192.168.101.1 [total: 1/16]

● nprobe-vlan312.service - nProbe service for interface vlan312
Loaded: loaded (/etc/systemd/system/nprobe-vlan312.service; enabled; preset: disabled)
Active: active (running) since Mon 2024-09-30 03:09:02 EEST; 3s ago
Main PID: 5208 (nprobe@2054)
Tasks: 7 (limit: 203517)
Memory: 20.6M
CPU: 206ms
CGroup: /system.slice/nprobe-vlan312.service
└─5208 /usr/bin/nprobe --interface vlan312 --ntopng "tcp://:5554" --agent-mode -n none -3 2054 -w 524288 -T @NTOPNG@ "--collection-filter=!188..*.82" --smtp-dump-dir /var/log/ntopng/smtp/

Sep 30 03:09:02 nprobe nprobe[5208]: 30/Sep/2024 03:09:02 [nprobe.c:12324] Flows will be exported in NetFlow 9 format
Sep 30 03:09:02 nprobe nprobe[5208]: 30/Sep/2024 03:09:02 [nprobe.c:12370] Learning the public IP address.. Disable it with --disable-startup-checks
Sep 30 03:09:02 nprobe nprobe[5208]: 30/Sep/2024 03:09:02 [util.c:6659] Initializing ZMQ as server
Sep 30 03:09:02 nprobe nprobe[5208]: 30/Sep/2024 03:09:02 [util.c:6696] Successfully created ZMQ endpoint tcp://*:5554
Sep 30 03:09:02 nprobe nprobe[5208]: 30/Sep/2024 03:09:02 [nprobe.c:12562] Not capturing packet from interface (collector mode)
Sep 30 03:09:02 nprobe nprobe[5208]: 30/Sep/2024 03:09:02 [util.c:5408] Enlarged socket buffer [echo 8388608 > /proc/sys/net/core/rmem_max]
Sep 30 03:09:02 nprobe nprobe[5208]: 30/Sep/2024 03:09:02 [util.c:5463] nProbe changed user to 'nprobe'
Sep 30 03:09:02 nprobe nprobe[5208]: 30/Sep/2024 03:09:02 [collect.c:248] Flow collector listening on port 2054 (IPv4/v6)
Sep 30 03:09:02 nprobe nprobe[5208]: 30/Sep/2024 03:09:02 [export.c:487] Using TLV as serialization format
Sep 30 03:09:02 nprobe nprobe[5208]: 30/Sep/2024 03:09:02 [nprobe.c:12876] nProbe started successfully

Until the probe receives the first flow

[root@nprobe system]# systemctl status nprobe-vlan*.service
○ nprobe-vlan11.service - nProbe service for interface vlan11
Loaded: loaded (/etc/systemd/system/nprobe-vlan11.service; enabled; preset: disabled)
Active: inactive (dead) since Mon 2024-09-30 03:09:10 EEST; 1min 6s ago
Duration: 8.103s
Process: 5207 ExecStart=/usr/bin/nprobe --interface vlan11 --ntopng tcp://:555555 --agent-mode -n none -3 2055 -w 524288 -T @NTOPNG@ --collection-filter=!188..*.82 --smtp-dump-dir /var/log/ntopng/smtp/ (code=exited, status=>
Main PID: 5207 (code=exited, status=0/SUCCESS)
CPU: 222ms

Sep 30 03:09:02 nprobe nprobe[5207]: 30/Sep/2024 03:09:02 [util.c:5463] nProbe changed user to 'nprobe'
Sep 30 03:09:02 nprobe nprobe[5207]: 30/Sep/2024 03:09:02 [collect.c:248] Flow collector listening on port 2055 (IPv4/v6)
Sep 30 03:09:02 nprobe nprobe[5207]: 30/Sep/2024 03:09:02 [export.c:487] Using TLV as serialization format
Sep 30 03:09:02 nprobe nprobe[5207]: 30/Sep/2024 03:09:02 [nprobe.c:12876] nProbe started successfully
Sep 30 03:09:03 nprobe nprobe[5207]: 30/Sep/2024 03:09:03 [collect.c:3496] Collecting flows from 192.168.101.1 [total: 1/16]
Sep 30 03:09:09 nprobe nprobe[5207]: 30/Sep/2024 03:09:09 [collect.c:1867] Added new flow template definition [id=256][flow_version=9][netflow_device=192.168.101.1:2055][observation_domain_id=0][total=1]
Sep 30 03:09:09 nprobe nprobe[5207]: 30/Sep/2024 03:09:09 [collect.c:1867] Added new flow template definition [id=257][flow_version=9][netflow_device=192.168.101.1:2055][observation_domain_id=0][total=2]
Sep 30 03:09:10 nprobe nprobe[5207]: 30/Sep/2024 03:09:10 [LinuxSocketMonitor.cpp:103] ERROR: Unable to bind socket
Sep 30 03:09:10 nprobe nprobe[5207]: [LinuxSocketMonitor.cpp:103] ERROR: Unable to bind socket
Sep 30 03:09:10 nprobe systemd[1]: nprobe-vlan11.service: Deactivated successfully.

○ nprobe-vlan312.service - nProbe service for interface vlan312
Loaded: loaded (/etc/systemd/system/nprobe-vlan312.service; enabled; preset: disabled)
Active: inactive (dead) since Mon 2024-09-30 03:09:11 EEST; 1min 4s ago
Duration: 9.536s
Process: 5208 ExecStart=/usr/bin/nprobe --interface vlan312 --ntopng tcp://:5554 --agent-mode -n none -3 2054 -w 524288 -T @NTOPNG@ --collection-filter=!188..*.82 --smtp-dump-dir /var/log/ntopng/smtp/ (code=exited, status=0>
Main PID: 5208 (code=exited, status=0/SUCCESS)
CPU: 221ms

Sep 30 03:09:02 nprobe nprobe[5208]: 30/Sep/2024 03:09:02 [util.c:5463] nProbe changed user to 'nprobe'
Sep 30 03:09:02 nprobe nprobe[5208]: 30/Sep/2024 03:09:02 [collect.c:248] Flow collector listening on port 2054 (IPv4/v6)
Sep 30 03:09:02 nprobe nprobe[5208]: 30/Sep/2024 03:09:02 [export.c:487] Using TLV as serialization format
Sep 30 03:09:02 nprobe nprobe[5208]: 30/Sep/2024 03:09:02 [nprobe.c:12876] nProbe started successfully
Sep 30 03:09:05 nprobe nprobe[5208]: 30/Sep/2024 03:09:05 [collect.c:3496] Collecting flows from 192.168.15.1 [total: 1/16]
Sep 30 03:09:10 nprobe nprobe[5208]: 30/Sep/2024 03:09:10 [collect.c:1867] Added new flow template definition [id=256][flow_version=9][netflow_device=192.168.15.1:2054][observation_domain_id=0][total=1]
Sep 30 03:09:10 nprobe nprobe[5208]: 30/Sep/2024 03:09:10 [collect.c:1867] Added new flow template definition [id=257][flow_version=9][netflow_device=192.168.15.1:2054][observation_domain_id=0][total=2]
Sep 30 03:09:11 nprobe nprobe[5208]: 30/Sep/2024 03:09:11 [LinuxSocketMonitor.cpp:103] ERROR: Unable to bind socket
Sep 30 03:09:11 nprobe nprobe[5208]: [LinuxSocketMonitor.cpp:103] ERROR: Unable to bind socket
Sep 30 03:09:11 nprobe systemd[1]: nprobe-vlan312.service: Deactivated successfully.
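
The journal excerpts in this thread show each unit ending with `Deactivated successfully` and `status=0/SUCCESS` right after the bind error, so monitoring that keys on exit codes will not flag the stopped probe. The following is an added example (not from the issue or the ntop code base) that scans `journalctl` short-format output for that pattern; the sample input is constructed and the function name `silent_bind_failures` is hypothetical.

```python
import re

# journalctl short format: "Sep 30 03:09:10 host proc[pid]: message"
LINE = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) (\S+) ([\w.-]+)\[(\d+)\]: (.*)$")
BIND_ERR = re.compile(r"\[LinuxSocketMonitor\.cpp:\d+\] ERROR: Unable to bind socket$")
STOPPED = re.compile(r"^(nprobe\S*\.service): Deactivated successfully\.$")

# Constructed sample: the first four lines follow the format of the logs in
# this thread; the nprobe-eth9 line is an invented clean stop for contrast.
SAMPLE_JOURNAL = """\
Sep 30 03:09:02 nprobe nprobe[5207]: 30/Sep/2024 03:09:02 [nprobe.c:12876] nProbe started successfully
Sep 30 03:09:10 nprobe nprobe[5207]: 30/Sep/2024 03:09:10 [LinuxSocketMonitor.cpp:103] ERROR: Unable to bind socket
Sep 30 03:09:10 nprobe nprobe[5207]: [LinuxSocketMonitor.cpp:103] ERROR: Unable to bind socket
Sep 30 03:09:10 nprobe systemd[1]: nprobe-vlan11.service: Deactivated successfully.
Sep 30 04:00:00 nprobe systemd[1]: nprobe-eth9.service: Deactivated successfully.
"""

def silent_bind_failures(journal_text, max_gap=2):
    """Return [(unit, pid, 'HH:MM:SS')] for nprobe units that systemd reports
    as cleanly deactivated within max_gap seconds of a bind error."""
    pending = []  # bind errors not yet matched to a stop: (host, pid, secs)
    hits = []
    for raw in journal_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        h, mi, s, host, proc, pid, msg = m.groups()
        now = int(h) * 3600 + int(mi) * 60 + int(s)
        if proc == "nprobe" and BIND_ERR.search(msg):
            # The thread's logs show the error twice per process; keep one per PID.
            if not any(p[:2] == (host, int(pid)) for p in pending):
                pending.append((host, int(pid), now))
            continue
        stop = STOPPED.match(msg) if proc == "systemd" else None
        if not stop:
            continue
        for p in pending:
            # Modulo handles a failure that straddles midnight.
            if p[0] == host and (now - p[2]) % 86400 <= max_gap:
                hits.append((stop.group(1), p[1], f"{h}:{mi}:{s}"))
                pending.remove(p)
                break
    return hits

if __name__ == "__main__":
    for unit, pid, when in silent_bind_failures(SAMPLE_JOURNAL):
        print(f"{when} {unit} (pid {pid}) exited cleanly after a bind error")
```

When several units fail in the same second the PID attribution is best-effort; feeding the function the output of `journalctl -u <unit>` for one unit at a time makes it exact.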
