* ULOG / netlink errors
From: Abraham van der Merwe @ 2004-11-28 11:37 UTC (permalink / raw)
To: Netfilter Development
Hi!
I'm trying to gather statistics (for netflow stats) using ULOG.
What I do:
# tag packets
iptables -A FORWARD -j ULOG --ulog-cprange 64 --ulog-nlgroup 1
Then I open a netlink socket (socket AF_NETLINK,SOCK_RAW,NETLINK_NFLOG),
increase the receive buffer size to NLBUFSIZ and capture messages using
recvfrom().
I keep getting these errors:
------------< snip <------< snip <------< snip <------------
root@mojo:~# ./tuxprobe
Starting to log output.
recvfrom failed: No buffer space available
recvfrom failed: No buffer space available
recvfrom failed: No buffer space available
recvfrom failed: No buffer space available
...
------------< snip <------< snip <------< snip <------------
I have tried increasing the socket buffer size with:
sysctl -w net/core/rmem_max=1048576
sysctl -w net/core/rmem_default=1048576
(and even 4MB buffer sizes)
which doesn't help. I've also decreased the capture length to 64 bytes, but
I still get the same errors.
Could somebody please tell me how to solve this problem and/or why capturing
packets via a netlink socket might be a bad idea?
With libpcap (or normal raw socket) on the same machine I have no problems
capturing all the data, even with capturing complete packets so I can't see
why above doesn't/shouldn't work.
--
Regards
Abraham
TODAY the Pond!
TOMORROW the World!
-- Frogs (1972)
___________________________________________________
Abraham vd Merwe - Frogfoot Networks CC
1st Floor, Albion Springs, 183 Main Road, Newlands
Phone: +27 21 689 3876 Cell: +27 82 565 4451
Http: http://www.frogfoot.net/ Email: abz@frogfoot.net
* Re: ULOG / netlink errors
From: Pablo Neira @ 2004-11-28 20:37 UTC (permalink / raw)
To: Abraham van der Merwe; +Cc: Netfilter Development
Abraham van der Merwe wrote:
>I'm trying to gather statistics (for netflow stats) using ULOG.
>
>
Maybe the ulog target isn't the best way to gather info stats. What kind
of stats are you gathering to be precise?
>What I do:
>
># tag packets
>iptables -A FORWARD -j ULOG --ulog-cprange 64 --ulog-nlgroup 1
>
>
try also with:
modprobe ipt_ULOG nlbufsiz=131068
it's the size of the internal buffer which is sent to user space.
Some maths: 131068/64=2047, so that tells me that --ulog-qthreshold
value should be lower/equal than that.
>Then I open a netlink socket (socket AF_NETLINK,SOCK_RAW,NETLINK_NFLOG),
>increase the receive buffer size to NLBUFSIZ and capture messages using
>recvfrom().
>
>I keep getting these errors:
>
>------------< snip <------< snip <------< snip <------------
>root@mojo:~# ./tuxprobe
>Starting to log output.
>recvfrom failed: No buffer space available
>recvfrom failed: No buffer space available
>recvfrom failed: No buffer space available
>recvfrom failed: No buffer space available
>...
>------------< snip <------< snip <------< snip <------------
>
>I have tried increasing the socket buffer size with:
>
>sysctl -w net/core/rmem_max=1048576
>sysctl -w net/core/rmem_default=1048576
>
>
this is ok, it's always a good idea to reduce the probability of an
overflow. But I think that you'll have problems anyway with transfer
rates bigger than ~20 Mbits/s.
>With libpcap (or normal raw socket) on the same machine I have no problems
>capturing all the data, even with capturing complete packets so I can't see
>why above doesn't/shouldn't work.
>
>
AFAIK libpcap has also known limitations
(http://luca.ntop.org/Ring.pdf), so for high transfer rates you'll also
get fake numbers. I don't track its status so don't know if they were
already fixed.
--
Pablo
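The two messages above describe the reader side (open a NETLINK_NFLOG socket, enlarge its receive buffer, loop on recv and hit "No buffer space available") and the kernel side (ipt_ULOG's nlbufsiz and the nlbufsiz/cprange arithmetic for --ulog-qthreshold). The following is an added example, not code from either poster or from the netfilter project: a small Python reader that treats ENOBUFS as a dropped-message counter instead of a fatal error, subscribes to one --ulog-nlgroup, walks the batched netlink messages in each datagram, and carries Pablo's qthreshold arithmetic with an optional per-packet overhead term. The nlmsghdr layout is the standard 16-byte netlink header; the ulog_packet_msg_t body after it is passed through as opaque bytes, and the per-packet overhead is left as a parameter because its exact size depends on the kernel ABI. The constant ULOG_NL_EVENT = 111 and the constructed datagram used for offline testing are assumptions of this example.

```python
"""Added example (not from the thread): a defensive NETLINK_NFLOG/ULOG reader."""
import errno
import socket
import struct

NETLINK_NFLOG = 5          # netlink protocol spoken by ipt_ULOG
ULOG_NL_EVENT = 111        # nlmsg_type ipt_ULOG used (assumed from ipt_ULOG.h)
NLMSG_HDRLEN = 16          # sizeof(struct nlmsghdr)
NLMSG_HDR = struct.Struct("=IHHII")  # nlmsg_len, type, flags, seq, pid (host order)


def nlmsg_align(n):
    """Netlink pads every message to a 4-byte boundary."""
    return (n + 3) & ~3


def max_qthreshold(nlbufsiz, cprange, per_packet_overhead=0):
    """Largest --ulog-qthreshold that fits into one nlbufsiz buffer.

    With per_packet_overhead=0 this is exactly the arithmetic from the thread
    (131068 / 64 = 2047). Each queued packet also carries a netlink header and
    the ulog_packet_msg_t metadata; pass their combined size as
    per_packet_overhead to get a tighter bound (assumed, ABI-dependent value).
    """
    per_packet = nlmsg_align(per_packet_overhead + cprange)
    return nlbufsiz // per_packet


def parse_netlink_datagram(buf):
    """Split one datagram into (nlmsg_type, payload) tuples.

    ipt_ULOG batches up to qthreshold packets into one datagram, one netlink
    message each, so a reader must walk the whole buffer, not just the first
    header. A truncated or inconsistent length stops parsing instead of
    misreading the remainder as a message.
    """
    msgs = []
    off = 0
    while off + NLMSG_HDRLEN <= len(buf):
        nlmsg_len, nlmsg_type, _flags, _seq, _pid = NLMSG_HDR.unpack_from(buf, off)
        if nlmsg_len < NLMSG_HDRLEN or off + nlmsg_len > len(buf):
            break
        msgs.append((nlmsg_type, buf[off + NLMSG_HDRLEN:off + nlmsg_len]))
        off += nlmsg_align(nlmsg_len)
    return msgs


def build_netlink_datagram(payloads, nlmsg_type=ULOG_NL_EVENT):
    """Construct a datagram the way the kernel lays it out (offline test input)."""
    out = bytearray()
    for seq, payload in enumerate(payloads):
        total = NLMSG_HDRLEN + len(payload)
        out += NLMSG_HDR.pack(total, nlmsg_type, 0, seq, 0) + payload
        out += b"\0" * (nlmsg_align(total) - total)
    return bytes(out)


def open_ulog_socket(nlgroup=1, rcvbuf=1 << 20):
    """Open NETLINK_NFLOG and subscribe to one --ulog-nlgroup.

    nl_groups is a bitmask, group N is bit N-1. SO_RCVBUF is capped by
    net.core.rmem_max, and Linux reports back twice the value it granted, so
    the returned size shows what the sysctl actually allowed.
    """
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_NFLOG)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, rcvbuf)
    sock.bind((0, 1 << (nlgroup - 1)))
    return sock, sock.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF)


def read_loop(sock, handle, stats=None, max_datagrams=None):
    """Receive datagrams; ENOBUFS means the kernel dropped messages, not a dead socket."""
    stats = stats if stats is not None else {"datagrams": 0, "packets": 0, "overruns": 0}
    while max_datagrams is None or stats["datagrams"] < max_datagrams:
        try:
            buf = sock.recv(65536)
        except OSError as exc:
            if exc.errno == errno.ENOBUFS:
                # Receive-queue overrun: the socket stays usable, only the
                # messages queued in between were lost. Count it and go on.
                stats["overruns"] += 1
                continue
            raise
        stats["datagrams"] += 1
        for _nlmsg_type, payload in parse_netlink_datagram(buf):
            stats["packets"] += 1
            handle(payload)
    return stats


if __name__ == "__main__":
    s, granted = open_ulog_socket(nlgroup=1)
    print("SO_RCVBUF granted:", granted)
    read_loop(s, lambda p: print("ulog message of", len(p), "bytes"))
```

The overrun counter is the number worth graphing: if it keeps climbing after raising rmem_max and SO_RCVBUF, the reader is simply slower than the packet rate and the kernel-side knobs (nlbufsiz, cprange, qthreshold) are what is left to tune.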
* Re: ULOG / netlink errors
From: Pablo Neira @ 2004-11-28 20:50 UTC (permalink / raw)
To: Abraham van der Merwe; +Cc: Netfilter Development
Pablo Neira wrote:
> this is ok, it's always a good idea to reduce the probability of an
> overflow. But I think that you'll have problems anyway with transfer
> rates bigger than ~20 Mbits/s.
well, this is true in ip_queue, don't know in ipt_ULOG, it depends on
three/four parameters.
--
Pablo
* Re: ULOG / netlink errors
From: Harald Welte @ 2004-12-16 13:41 UTC (permalink / raw)
To: Pablo Neira; +Cc: Netfilter Development, Abraham van der Merwe
On Sun, Nov 28, 2004 at 09:50:04PM +0100, Pablo Neira wrote:
> Pablo Neira wrote:
>
> >this is ok, it's always a good idea to reduce the probability of an
> >overflow. But I think that you'll have problems anyway with transfer
> >rates bigger than ~20 Mbits/s.
>
>
> well, this is true in ip_queue, don't know in ipt_ULOG, it depends on
> three/four parameters.
just to let you know: there are people doing ULOG based accounting on >=
100MBit. So it's not as bad as you think it is ;)
[no, I'm not advertising the use of ulog for accounting. That's not
what it was meant for].
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
* Re: ULOG / netlink errors
From: Pablo Neira @ 2004-12-16 15:42 UTC (permalink / raw)
To: Harald Welte; +Cc: Netfilter Development, Abraham van der Merwe
Harald Welte wrote:
>On Sun, Nov 28, 2004 at 09:50:04PM +0100, Pablo Neira wrote:
>
>
>>Pablo Neira wrote:
>>
>>
>>
>>>this is ok, it's always a good idea to reduce the probability of an
>>>overflow. But I think that you'll have problems anyway with transfer
>>>rates bigger than ~20 Mbits/s.
>>>
>>>
>>well, this is true in ip_queue, don't know in ipt_ULOG, it depends on
>>three/four parameters.
>>
>>
>
>just to let you know: there are people doing ULOG based accounting on >=
>100MBit. So it's not as bad as you think it is ;)
>
I love netlink sockets, but loving someone/something implies knowing
their limitations as well :)
I think that it depends on the settings, let me see what happens with an
insane iptables rule like: iptables -I INPUT -j ULOG
>[no, I'm not advertising the use of ulog for accounting. That's not
>what it was meant for].
>
I do also use ULOG(tm) to log packets. Since I do, my pet hamster looks
happier ;)
--
Pablo