Issues related to installation, running, bugs, and features.
TOPIC: Problem with Packet Capture

Problem with Packet Capture 10 years 9 months ago #3883

I am trying to set up Trisul so that it only captures packets on ports 53, 80 and 8080. I do not seem to be capturing any traffic. Here are some of the settings I have in the trisulconfig.xml file. Am I missing a setting or have a typo?

<Ring>
  <Enabled>True</Enabled>
  <BaseDir>/usr/local/var/lib/trisul/CONTEXT0/caps</BaseDir>
  <Encryption>AES-128-CTR</Encryption>
  <PassphraseFile>/usr/local/etc/trisul/certs/ringpass.txt</PassphraseFile>
  <FilePrefix>RCF_</FilePrefix>
  <FileSizeMB>1000</FileSizeMB>

  <SyncSeconds>60</SyncSeconds>
  <SysStatsUpdateSecs>2</SysStatsUpdateSecs>

  <DefaultMode>IGNORE</DefaultMode>
  <RuleChain>
    <!-- port keys are hex: p-0050 = 80, p-1F90 = 8080, p-0035 = 53 -->
    <Rule mode="FULL">{C51B48D4-7876-479E-B0D9-BD9EFF03CE2E}=p-0050,p-1F90,p-0035</Rule>
    <Rule mode="FLOWCAP10M"></Rule>
    <Rule mode="FLOWCAP1M"></Rule>
    <Rule mode="FLOWCAP100K"></Rule>
    <Rule mode="FLOWCAP10K"></Rule>
    <Rule mode="HEADERS"></Rule>
    <Rule mode="IGNORE"></Rule>
  </RuleChain>
</Ring>
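The following is an added example, not code from the poster or from Trisul, that parses the <Ring> fragment above and reports which capture mode each port ends up with. It assumes two things the post does not state outright: that a port key is "p-" followed by the port number in hex (so p-0050 is 80, p-1F90 is 8080 and p-0035 is 53), and that the rule chain is evaluated top to bottom with the first match winning, an empty <Rule> matching nothing, and unmatched flows falling through to DefaultMode. The lint_ring helper flags the two settings that would silently leave the ring buffer empty: Enabled not True, or DefaultMode IGNORE with no rule naming any port.

```python
"""Decode a Trisul <Ring> rule chain and report the capture mode per port.

Added example for this thread; not Trisul's own code. Assumptions:
  * port keys are 'p-' + port in hex (p-0050 == 80);
  * rules are evaluated top to bottom, first match wins, an empty <Rule>
    never matches, and unmatched traffic gets DefaultMode.
"""
import xml.etree.ElementTree as ET

# Constructed copy of the <Ring> fragment from the post, with the closing
# tag added so it parses as a complete element.
RING_XML = """<Ring>
  <Enabled>True</Enabled>
  <BaseDir>/usr/local/var/lib/trisul/CONTEXT0/caps</BaseDir>
  <Encryption>AES-128-CTR</Encryption>
  <PassphraseFile>/usr/local/etc/trisul/certs/ringpass.txt</PassphraseFile>
  <FilePrefix>RCF_</FilePrefix>
  <FileSizeMB>1000</FileSizeMB>
  <SyncSeconds>60</SyncSeconds>
  <SysStatsUpdateSecs>2</SysStatsUpdateSecs>
  <DefaultMode>IGNORE</DefaultMode>
  <RuleChain>
    <Rule mode="FULL">{C51B48D4-7876-479E-B0D9-BD9EFF03CE2E}=p-0050,p-1F90,p-0035</Rule>
    <Rule mode="FLOWCAP10M"></Rule>
    <Rule mode="FLOWCAP1M"></Rule>
    <Rule mode="FLOWCAP100K"></Rule>
    <Rule mode="FLOWCAP10K"></Rule>
    <Rule mode="HEADERS"></Rule>
    <Rule mode="IGNORE"></Rule>
  </RuleChain>
</Ring>
"""


def decode_port_key(key: str) -> int:
    """Turn a hex port key such as 'p-1F90' into the decimal port (8080)."""
    if not key.startswith("p-"):
        raise ValueError(f"not a port key: {key!r}")
    return int(key[2:], 16)


def encode_port_key(port: int) -> str:
    """Inverse of decode_port_key: 443 -> 'p-01BB'."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError(f"port out of range: {port}")
    return f"p-{port:04X}"


def parse_ring(xml_text: str):
    """Return (enabled, default_mode, rules); rules is a list of
    (mode, counter_group_guid, set_of_ports) in chain order."""
    root = ET.fromstring(xml_text)
    enabled = (root.findtext("Enabled") or "").strip().lower() == "true"
    default_mode = (root.findtext("DefaultMode") or "").strip()
    rules = []
    for rule in root.find("RuleChain").findall("Rule"):
        body = (rule.text or "").strip()
        if not body:                       # empty rule: matches nothing
            rules.append((rule.get("mode"), None, set()))
            continue
        guid, _, keys = body.partition("=")
        ports = {decode_port_key(k.strip()) for k in keys.split(",") if k.strip()}
        rules.append((rule.get("mode"), guid, ports))
    return enabled, default_mode, rules


def capture_mode_for_port(port: int, default_mode: str, rules) -> str:
    """First matching rule wins; anything unmatched gets DefaultMode."""
    for mode, _guid, ports in rules:
        if port in ports:
            return mode
    return default_mode


def lint_ring(xml_text: str):
    """Flag settings that silently produce an empty ring buffer."""
    enabled, default_mode, rules = parse_ring(xml_text)
    problems = []
    if not enabled:
        problems.append("Ring/Enabled is not True: nothing is written to the ring")
    if default_mode == "IGNORE" and not any(ports for _, _, ports in rules):
        problems.append("DefaultMode is IGNORE and no rule selects any port: "
                        "every flow is ignored")
    return problems


if __name__ == "__main__":
    enabled, default_mode, rules = parse_ring(RING_XML)
    for port in (53, 80, 8080, 443):
        print(f"port {port:5d} ({encode_port_key(port)}): "
              f"{capture_mode_for_port(port, default_mode, rules)}")
    print("problems:", lint_ring(RING_XML) or "none")
```

Run against the posted fragment, ports 53, 80 and 8080 resolve to FULL and everything else (443, for instance) to IGNORE, and lint_ring reports no problems, which matches the reply below that the configuration itself is fine.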

Problem with Packet Capture 10 years 9 months ago #3884

Hi,

That looks good. In fact I copy-pasted the config and it worked fine in both the 3-day free license as well as the fully licensed version.

Do you have any process named trisul_dpitool running?

1) ps -C trisul_dpitool
2) Kill the above process
3) Now retry.

Secondly,

Are you not capturing any packets, or are you not seeing any traffic?
Can you check Admin > Start / Stop Tasks > Trisul Database? Then go to Full Content Slices. Are you seeing some numbers there?


Thanks,
Last Edit: 10 years 9 months ago by vivek [unleash].

Problem with Packet Capture 10 years 9 months ago #3885

The traffic seems to be getting metered correctly. All the graphs draw correctly, the badfellas plugin is working, etc.

The command ps -C trisul_dpitool returns nothing.

The full content database seems to be storing data. I get a 1GB slice every 3-5 minutes during the day. When I pick a flow on port 80 or 8080 and select download PCAP I get the generic error message:

Unable to retrieve pcap of the requested item

Possible reasons:
Time not in range
Ensure pcaps are enabled in Trisul
PCAP not available yet

URL details works fine on HTTP traffic. Only the PCAPs are giving me problems right now. I am getting the data from a couple of span ports instead of a direct tap. If the span was not set up correctly or the switch is too busy, I may be missing some packets. Would that cause problems with the full storage database, but not the metering?

Problem with Packet Capture 10 years 9 months ago #3886

Hi Tim,

If metering works, there ought to be no problem with the storage. Can you share the output of the following?

1. Output 1:
   grep dpitool /usr/local/var/log/trisul/webtrisul/production.log | tail -n 1

2. Output 2:
   dmesg | grep dpitool
Vivek R
Unleash Networks
Support : www.unleashnetworks.com/forums