nfcapd not capturing any data

This support forum board is for support questions relating to Nagios Network Analyzer, our network traffic and bandwidth analysis solution.
sergey-frontier
Posts: 8
Joined: Fri Feb 11, 2022 11:32 am

Re: nfcapd not capturing any data

Post by sergey-frontier »

Here are the results:

# chage -l nna
Last password change                                    : Jan 28, 2022
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
# chage -l apache
Last password change                                    : Jan 10, 2022
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : -1
Maximum number of days between password change          : -1
Number of days of warning before password expires       : -1
# grep nna /etc/group
apache:x:48:nna
nnacmd:x:1002:nna,apache

# ps -ef --cols=300 | grep -Ei 'reap_files.py'
nna      3310272       1  0 Feb17 ?        00:00:00 /usr/local/bin/nfcapd -I 1 -l /usr/local/nagiosna/var/test/flows -p 2055 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/test/2055.pid -D -e -w -z -T all
nna      3310273 3310272  0 Feb17 ?        00:00:00 /usr/local/bin/nfcapd -I 1 -l /usr/local/nagiosna/var/test/flows -p 2055 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/test/2055.pid -D -e -w -z -T all
root     3342978 3232172  0 16:25 pts/0    00:00:00 grep --color=auto -Ei reap_files.py

# ls -lR /usr/local/nagiosna/
/usr/local/nagiosna/:
total 0
drwxrwxr-x 3 nna nnacmd 275 Feb 16 17:32 bin
drwxrwxr-x 2 nna nnacmd  19 Jan 28 16:12 etc
drwxrwxr-x 2 nna nnacmd 215 Jan 28 16:12 scripts
drwxrwxr-x 2 nna nnacmd  19 Jan 28 16:12 tmp
drwxrwxr-x 3 nna nnacmd  88 Jan 31 15:04 var

/usr/local/nagiosna/bin:
total 76
-rwxrwxr-x 1 nna  nnacmd  3465 Feb 16 17:56 capd.py
-rwxrwxr-x 1 nna  nnacmd  2129 Jan 28 16:12 config.py
-rwxrwxr-x 1 nna  nnacmd  3587 Jan 28 16:12 get_square_matrix.py
-rwxrwxr-x 1 nna  nnacmd  5147 Jan 28 16:12 get_square_matrix_query.py
-rwxrwxr-x 1 nna  nnacmd  3477 Jan 28 16:12 initialize_source.py
-rwxrwxr-x 1 nna  nnacmd     0 Jan 28 16:12 __init__.py
-rwxrwxr-x 1 nna  nnacmd  2398 Jan 28 16:12 nagiosna
-rwxrwxr-x 1 nna  nnacmd 10094 Jan 28 16:12 netflow_checks.py
-rwxrwxr-x 1 nna  nnacmd 10908 Jan 28 16:12 nfdump.py
-rwxrwxr-x 1 nna  nnacmd  7368 Jan 28 16:12 notify.py
drwxr-xr-x 2 root root      62 Feb 16 17:56 __pycache__
-rwxr-xr-x 1 root nnacmd  4398 Jan 28 16:12 rc.py
-rwxrwxr-x 1 nna  nnacmd  5158 Jan 28 16:12 reap_files.py

/usr/local/nagiosna/bin/__pycache__:
total 8
-rw-r--r-- 1 root root 2641 Feb 16 17:56 capd.cpython-36.pyc
-rw-r--r-- 1 root root 2513 Feb 16 17:32 config.cpython-36.pyc

/usr/local/nagiosna/etc:
total 0

/usr/local/nagiosna/scripts:
total 36
-rwxrwxr-x 1 nna  nnacmd 3751 Jan 28 16:12 backup_na.sh
-rwxr-xr-x 1 root nnacmd 2300 Jan 28 16:12 change_timezone.sh
-rwxrwxr-x 1 nna  nnacmd 1293 Jan 28 16:12 import_naconfig.php
-rwxr-xr-x 1 root nnacmd 4485 Jan 28 16:12 manage_firewall.sh
-rwxrwxr-x 1 nna  nnacmd  443 Jan 28 16:12 remove_source.sh
-rwxrwxr-x 1 nna  nnacmd 1431 Jan 28 16:12 reset_nagiosadmin_password.sh
-rwxrwxr-x 1 nna  nnacmd 3345 Jan 28 16:12 restore_na.sh
-rwxr-xr-x 1 root nnacmd 2594 Jan 28 16:12 upgrade_to_latest.sh

/usr/local/nagiosna/tmp:
total 0

/usr/local/nagiosna/var:
total 976
-rw-r--r-- 1 nna nnacmd 993529 Feb 17 23:38 backend.log
-rw-r--r-- 1 nna users       0 Feb 18 16:00 cache.log
-rw-r--r-- 1 nna users      21 Feb 18 16:25 cmdsubsys.log
drwsrwxr-t 3 nna users      56 Feb 17 23:38 test

/usr/local/nagiosna/var/test:
total 1268
-rw-r--r-- 1 nna nnacmd       8 Feb 17 23:38 2055.pid
-rw-r--r-- 1 nna users  1255360 Jan 31 15:04 bandwidth.rrd
drwxr-xr-x 2 nna users    20480 Feb 18 16:25 flows

/usr/local/nagiosna/var/test/flows:
total 2240
...
-rw-r--r-- 1 nna nnacmd 276 Feb 18 16:20 nfcapd.202202181615
-rw-r--r-- 1 nna nnacmd 276 Feb 18 16:25 nfcapd.202202181620
-rw-r--r-- 1 nna nnacmd 276 Feb 18 16:25 nfcapd.current.3310267

# python -V
Python 3.6.8

# cat /etc/sudoers.d/nagiosna

Defaults:%nnacmd !requiretty
Defaults:nna !requiretty

nna ALL = NOPASSWD:/usr/local/nagiosna/scripts/change_timezone.sh
nna ALL = NOPASSWD:/usr/local/nagiosna/scripts/upgrade_to_latest.sh

%nnacmd ALL=(ALL) NOPASSWD:/bin/kill *
%nnacmd ALL=(ALL) NOPASSWD:/usr/local/nagiosna/bin/rc.py *
%nnacmd ALL=(ALL) NOPASSWD:/usr/local/nagiosna/scripts/manage_firewall.sh *
%nnacmd ALL=(ALL) NOPASSWD:/usr/local/nagiosna/scripts/remove_source.sh *
%nnacmd ALL=(ALL) NOPASSWD:/usr/bin/systemctl restart httpd

Everything looks correct to me.
sergey-frontier
Posts: 8
Joined: Fri Feb 11, 2022 11:32 am

Re: nfcapd not capturing any data

Post by sergey-frontier »

It just dawned on me that when I run netcat on UDP 2055 I do not see any incoming netflow data, so it seems this is not an nfcapd issue.
This is really bizarre. I can dump data with tcpdump, but it doesn't go to the next layer? The suspect is the firewall, but I tried enabling firewalld and allowing UDP 2055, and it didn't resolve the issue.

I think I'll have to set up another server and try the setup again from scratch.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: nfcapd not capturing any data

Post by ssax »

Please note that Nagios Network Analyzer doesn't currently support Rocky/Alma Linux. You will need to install on a supported distribution to get support on it. You can see the top of the install guide here for the supported distributions:

https://assets.nagios.com/downloads/nag ... ctions.pdf

Thank you!
sergey-frontier
Posts: 8
Joined: Fri Feb 11, 2022 11:32 am

Re: nfcapd not capturing any data

Post by sergey-frontier »

So UDP packets were getting filtered, because the reverse path to the sender routers couldn't be verified. I was able to resolve this by turning off the reverse path filter:
sysctl -w net.ipv4.conf.all.rp_filter=0
This is really specific to our (perhaps incorrect) network setup.

Data is being written now, but not processed.
nfdump shows INVALID for all records in the Event column and Ignore for all records in the XEvent column. What could be the cause of this?
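
The reverse-path-filter diagnosis from the post above, as an added example that is not part of the original thread: the kernel applies the higher of conf.all and the per-interface rp_filter value, and counts packets dropped by the check as IPReversePathFilter in /proc/net/netstat. The interface eth0, the counter values and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): inspect reverse-path filtering on a collector.

# Kernel rule: the mode applied on an interface is max(conf.all, conf.<iface>).
effective_rp_filter() {            # usage: effective_rp_filter ALL_VALUE IFACE_VALUE
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Read the IPReversePathFilter drop counter from netstat-format text on stdin.
rp_filter_drops() {
    awk '$1 == "TcpExt:" && !hdr {                 # first TcpExt line: column names
             for (i = 2; i <= NF; i++) if ($i == "IPReversePathFilter") col = i
             hdr = 1; next
         }
         $1 == "TcpExt:" && col { print $col; found = 1 }   # second line: values
         END { if (!found) print "unknown" }'
}

# Print the effective mode per interface plus the drop counter.
report() {                         # usage: report [PROC_ROOT], default /proc
    root="${1:-/proc}"; conf="$root/sys/net/ipv4/conf"
    all=$(cat "$conf/all/rp_filter")
    for d in "$conf"/*/; do
        ifc=$(basename "$d")
        case "$ifc" in all|default) continue ;; esac
        eff=$(effective_rp_filter "$all" "$(cat "$d/rp_filter")")
        case "$eff" in 0) mode=off ;; 1) mode=strict ;; 2) mode=loose ;; *) mode=unknown ;; esac
        echo "$ifc effective=$eff ($mode)"
    done
    echo "rp_filter_drops=$(rp_filter_drops < "$root/net/netstat")"
}

# Constructed sample tree (hypothetical interface eth0) so the demo runs offline.
make_sample() {                    # usage: make_sample DIR
    mkdir -p "$1/sys/net/ipv4/conf/all" "$1/sys/net/ipv4/conf/default" \
             "$1/sys/net/ipv4/conf/eth0" "$1/net"
    echo 0 > "$1/sys/net/ipv4/conf/all/rp_filter"
    echo 1 > "$1/sys/net/ipv4/conf/default/rp_filter"
    echo 1 > "$1/sys/net/ipv4/conf/eth0/rp_filter"
    printf 'TcpExt: SyncookiesSent IPReversePathFilter TCPTimeouts\nTcpExt: 0 4182 7\n' \
        > "$1/net/netstat"
}

tmp=$(mktemp -d)
make_sample "$tmp"
report "$tmp"      # on a live collector: report   (reads the real /proc)
rm -rf "$tmp"
```

A drop counter that climbs while tcpdump shows flow packets arriving points at this check rather than at the firewall or nfcapd. Where routing is asymmetric, loose mode (value 2) keeps source validation enabled instead of switching it off with 0.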
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: nfcapd not capturing any data

Post by ssax »

You will need to install our product on a supported distribution to get support for it. We do not currently support Rocky/Alma Linux, so it's not something we will provide support for.

Once it's installed on a supported distribution, if you are still having issues we will continue to provide support for it.

I apologize for any inconvenience this may cause you!

Thank you!