
stenoread only reads from a single interface

Open kwilson7770 opened this issue 7 years ago • 3 comments

stenoread does not read from all interfaces. It defaults to the interface running on same host and port specified in /etc/stenographer/config. I have already fixed the problem though...

tl;dr install wireshark with your standard RockNSM image to allow for the stenoread hack to function properly and don't forget to include the stenoread hack with the fix since /usr/bin/stenoread was the default script.

After spending a great deal of time trying to figure out why stenoread was not reading traffic from a second NIC and discovering there are practically zero hits in Google searches when looking for documentation on how stenoread processes two stenographer packet captures, I came across this:

https://github.com/google/stenographer/issues/122

dcode's comment on Nov 2, 2016 talks about his hack-ish work around to get support for multiple interfaces within stenographer. He created a gist located here:

https://gist.github.com/dcode/9051a4aa7338b6c946d0a2de189912ec

If you scroll down to the stenoread file, on line 81, you can see the use of the mergecap tool to combine the two separate pcaps into one. Unfortunately, this is not installed by default. So far, the only place I can find this file is within wireshark. I used a website called RPM Find (https://www.rpmfind.net/linux/rpm2html/search.php?query=mergecap) to see where it was installed and wireshark was the only piece of software I could find by searching with yum. After installing wireshark, the command mergecap was available. Please install wireshark within your RockNSM builds and please include it to be updated and what not.

The second issue I discovered was that the gist version of stenoread was not included in the RockNSM 2.0.5 install. In addition, it seems that you must add the command export to line 72 (export STENOGRAPHER_CONFIG="${STENOGRAPHER_CONFIG_BASE}${IFACE}") for the script modifications to work. After replacing the standard /usr/bin/stenoread script with the one in the gist and adding the word export to the beginning of line 72, I was finally able to get traffic from both of my interfaces! This took me about 10 hours today to troubleshoot, identify what is going on, and fix it (that does not include the amount of time spent from previous days). Please update your system to include the gist version of stenoread with the line 72 change I documented above.

I then ran stenoread once more, and traffic from my other interface was now available and being processed.

Thanks

kwilson7770 avatar Jun 18 '17 01:06 kwilson7770

I noticed that 2.0.5 has the correct stenoread file and that 2.0 also has the stenoread file. I originally installed 2.0 in an online environment and later upgraded to 2.0.5. Still trying to find out where I could have received the wrong version of the file.

kwilson7770 avatar Jun 18 '17 12:06 kwilson7770

I am pretty sure I figured it out. I just installed an offline Rock 2.0.5 in a virtual machine. The install failed the first time due to a bad configuration on my NICs. The second install worked just fine and it never replaced /usr/bin/stenoread with the /opt/rocknsm/rock/playbooks/files/stenoread file. I manually replaced it, updated it, installed Wireshark, and everything was working. Below is the list of commands to run to patch your current system:

sed -i 's/STENOGRAPHER_CONFIG=/export STENOGRAPHER_CONFIG=/g' /opt/rocknsm/rock/playbooks/files/stenoread
cat /opt/rocknsm/rock/playbooks/files/stenoread > /usr/bin/stenoread
systemctl restart stenographer
systemctl status stenographer*
yum install -y wireshark

After this point, stenoread will work on both interfaces. You can test that stenoread is reading from both by having unique traffic going to the interfaces being used, generating a pcap, and verifying the unique traffic from all of the interfaces shows up.

I already submitted a pull request to update the stenoread file. Not sure how the installer system works, but that needs to be updated for adding wireshark and copying over the configuration file.

kwilson7770 avatar Jun 18 '17 14:06 kwilson7770
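An added example, not RockNSM's own code nor anything posted in this thread: the same line-72 patch written as a re-runnable shell function with pre-flight checks. The one-shot sed above prefixes "export" unconditionally, so running it a second time (for instance after an upgrade re-copies the file) produces "export export STENOGRAPHER_CONFIG=..."; the version here skips lines that already carry the export, preserves any leading indentation, and avoids sed -i so it behaves the same on any POSIX sed. File paths are parameters, which is an assumption made so the patch can be rehearsed on a copy before touching /usr/bin/stenoread; the mergecap check covers the wireshark dependency the gist's stenoread needs.

```shell
#!/bin/sh
# Added example (not RockNSM's code): idempotent patch for the stenoread script
# described in this thread, plus the checks a practitioner would run before
# restarting stenographer. All paths are passed in; nothing here assumes root.

# Return 0 if the file already exports STENOGRAPHER_CONFIG (leading whitespace allowed).
has_export() {
    grep -q '^[[:space:]]*export STENOGRAPHER_CONFIG=' "$1"
}

# Prefix the STENOGRAPHER_CONFIG= assignment with "export" unless it already has it.
# Safe to run repeatedly: a second call is a no-op instead of adding "export export".
patch_stenoread() {
    file="$1"
    has_export "$file" && return 0
    sed 's/^\([[:space:]]*\)STENOGRAPHER_CONFIG=/\1export STENOGRAPHER_CONFIG=/' "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Number of lines carrying the exported assignment; a correctly patched file has exactly 1.
export_count() {
    grep -c 'export STENOGRAPHER_CONFIG=' "$1" || true
}

# mergecap ships with the wireshark package; the gist's stenoread calls it to
# merge the per-interface pcaps, so check for it before relying on the hack.
check_mergecap() {
    command -v mergecap >/dev/null 2>&1
}

# Install a patched copy over the live script only if the source is sane.
# Hypothetical helper: src is e.g. /opt/rocknsm/rock/playbooks/files/stenoread,
# dst is e.g. /usr/bin/stenoread.
install_stenoread() {
    src="$1"; dst="$2"
    has_export "$src" || { echo "refusing: $src lacks the export fix" >&2; return 1; }
    cat "$src" > "$dst"
}

# Stand-alone demo on a constructed copy of the relevant line (not the real file).
demo() {
    tmp=$(mktemp)
    printf '%s\n' '  STENOGRAPHER_CONFIG="${STENOGRAPHER_CONFIG_BASE}${IFACE}"' > "$tmp"
    patch_stenoread "$tmp"
    patch_stenoread "$tmp"   # second run must change nothing
    cat "$tmp"
    check_mergecap || echo "mergecap not found: install the wireshark package first" >&2
    rm -f "$tmp"
}
```

Run `demo` to see the patched line; the real sequence would be patch_stenoread on the playbook copy, install_stenoread to /usr/bin/stenoread, then the systemctl restart from the thread.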

Hey @kwilson7770, I really appreciate the hard work you've put in. We'll get these patches worked in the upcoming release. Let us know if you have more issues that we can help with.

If you'd like some interactive discussion, you can join our Gitter room

dcode avatar Jun 18 '17 14:06 dcode