BLOG     |     FORUM
Welcome, Guest
Username: Password: Remember me
Issues related to installation, running, bugs, and features.
  • Page:
  • 1

TOPIC: Problem with Packet Capture

Problem with Packet Capture 7 years 2 months ago #3883

I am trying to setup Trisul so that it only captures packets on port 53, 80 and 8080. I do not seem to be capturing any traffic. Here are some of the settings I have in trisulconfig.xml file. Am I missing a setting or have a typo?

<Ring>
<Enabled>True</Enabled>
<BaseDir>/usr/local/var/lib/trisul/CONTEXT0/caps</BaseDir>
<Encryption>AES-128-CTR</Encryption>
<PassphraseFile>/usr/local/etc/trisul/certs/ringpass.txt</PassphraseFile>
<FilePrefix>RCF_</FilePrefix>
<FileSizeMB>1000</FileSizeMB>

<SyncSeconds>60</SyncSeconds>
<SysStatsUpdateSecs>2</SysStatsUpdateSecs>

<DefaultMode>IGNORE</DefaultMode>
<RuleChain>
<Rule mode="FULL">{C51B48D4-7876-479E-B0D9-BD9EFF03CE2E}=p-0050,p-1F90,p-0035</Rule>
<Rule mode="FLOWCAP10M"></Rule>
<Rule mode="FLOWCAP1M"></Rule>
<Rule mode="FLOWCAP100K"></Rule>
<Rule mode="FLOWCAP10K"></Rule>
<Rule mode="HEADERS"></Rule>
<Rule mode="IGNORE"></Rule>
</RuleChain>
The administrator has disabled public write access.

Problem with Packet Capture 7 years 2 months ago #3884

  • ,,
  • ,,'s Avatar
Hi,

That looks good. In fact I copy pasted the config and it worked fine in both the 3-day free license as well as the fully licensed version.

Do you have any process named trisul_dpitool running ?

1) ps -C trisul_dpitool
2) Kill the above process
2) Now retry.

Secondly,

Are you not capturing any packets or are you not seeing any traffic ?
Can you check Admin >Start / Stop Tasks > Trisul Database ? Then go to Full Content Slices. Are you seeing some numbers there?


Thanks,
Last Edit: 7 years 2 months ago by vivek [unleash].
The administrator has disabled public write access.

Problem with Packet Capture 7 years 2 months ago #3885

The traffic seems to be getting metered correctly. All the graphs draw in correctly the badfellas plugin is working etc.

The command ps -C trisul_dpitool returns nothing.

The full content database seems to be storing data. I get a 1GB slice every 3-5 minutes during the day. When I pick a flow on port 80 or 8080 and select download PCAP I get the generic error message:

Unable to retrieve pcap of the requested item

Possible reasons:
Time not in range
Ensure pcaps are enabled in Trisul
PCAP not available yet

URL details works fine on HTTP traffic. Only the PCAPs are giving me problems right now. I am getting the data from a couple of span ports instead of a direct tap. If the span was not setup correctly or the switch is too busy, I may be missing some packets. Would that cause problems with the full storage database, but not the metering?
The administrator has disabled public write access.

Problem with Packet Capture 7 years 2 months ago #3886

Hi Tim,

If metering works, there ought to be no problem with the storage. Can you share the output of the following ?

1. output 1
grep dpitool /usr/local/var/log/trisul/webtrisul/production.log | tail -n 1

2. output 2
dmesg | grep dpitool
Vivek R
Unleash Networks
Support : www.unleashnetworks.com/forums
The administrator has disabled public write access.
  • Page:
  • 1
Moderators: vivek [unleash]
Time to create page: 0.041 seconds