Thanks for explaining how the different tools are used at different layers of the TCP/IP stack to debug the packet trace. <br><br><br><div class="gmail_quote">On Wed, Nov 17, 2010 at 7:02 PM, Matthew Hall <span dir="ltr"><<a href="mailto:mhall@mhcomputing.net">mhall@mhcomputing.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">There is a very simple reason for this problem.<br>
<br>
AF_PACKET / BPF / libpcap / tcpdump / *shark get their packet copies at<br>
L2. This way you can see non-IP traffic, loopback traffic, and other<br>
special stuff you would need.<br>
<br>
But iptables processes packets at L3. Thus none of these packet dump<br>
tools prove the datagrams are really received at L4 or L7. For this you<br>
need an L3 / L4 / L7 tool like hping* or a version of netcat.<br>
<br>
In general, think carefully about how the stack works when you are<br>
trying to find missing packets.<br>
<br>
Good Luck,<br>
Matthew.<br>
<div class="im"><br>
On Wed, Nov 17, 2010 at 05:47:09PM -0600, keshava V wrote:<br>
> That's it. It is iptables. The moment I stopped iptables I see the syslog<br>
> messages written to the file. Now I can work on segregating them based on<br>
> host IP the messages are coming from.<br>
><br>
> Thanks all for your help with this.<br>
><br>
><br>
><br>
> On Wed, Nov 17, 2010 at 5:42 PM, Patrick H. <<a href="mailto:syslogng@feystorm.net">syslogng@feystorm.net</a>> wrote:<br>
><br>
> > do you have any iptables rules? `iptables -nvL` `iptables -nvL -t nat`<br>
> > `iptables -nvL -t mangle`<br>
> > About the only thing I can think of off the top of my head. There might be<br>
> > some sysctl option to disable UDP, but I don't know it, if it does exist.<br>
> ><br>
> > Sent: Wed Nov 17 2010 16:39:57 GMT-0700 (Mountain Standard Time)<br>
> ><br>
</div>> > From: keshava V <<a href="mailto:mv.keshava@gmail.com">mv.keshava@gmail.com</a>><br>
<div class="im">> > To: Syslog-ng users' and developers' mailing list<br>
</div>> > <<a href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>><br>
<div class="im">> > Subject: Re: [syslog-ng] Syslog-ng not receiving messages<br>
> ><br>
> > Looks like it is getting blocked somewhere as you thought. How come tcpdump<br>
> > output is seeing all the udp syslog-ng messages?<br>
> ><br>
> > [root@aspsyslog ~]# /etc/init.d/syslog-ng start<br>
> > Starting syslog-ng: [ OK ]<br>
> > [root@aspsyslog ~]# /etc/init.d/syslog-ng stop<br>
> > Stopping syslog-ng: [ OK ]<br>
> > [root@aspsyslog ~]# nc -u -l 514<br>
> ><br>
> > getting nothing...!<br>
> ><br>
> ><br>
> ><br>
> > On Wed, Nov 17, 2010 at 5:34 PM, Patrick H. <<a href="mailto:syslogng@feystorm.net">syslogng@feystorm.net</a>> wrote:<br>
> ><br>
> >> OK, let's see if the problem is before it gets to syslog-ng or after. Shut<br>
> >> syslog-ng down and do 'nc -u -l 514' and see if it gets anything. That'll<br>
> >> dump out all traffic received. If it gets it, the problem is syslog-ng, if<br>
> >> it doesn't get it the traffic is getting blocked somehow.<br>
> >><br>
> >> Sent: Wed Nov 17 2010 16:30:12 GMT-0700 (Mountain Standard Time)<br>
> >><br>
</div>> >> From: keshava V <<a href="mailto:mv.keshava@gmail.com">mv.keshava@gmail.com</a>><br>
<div class="im">> >> To: Syslog-ng users' and developers' mailing list<br>
</div>> >> <<a href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>><br>
<div class="im">> >> Subject: Re: [syslog-ng] Syslog-ng not receiving messages<br>
> >><br>
> >> syslog-ng is using 514 as expected.<br>
> >><br>
> >> [root@aspsyslog ~]# netstat -upnl | grep ":514"<br>
> >> udp 0 0 <a href="http://0.0.0.0:514" target="_blank">0.0.0.0:514</a> 0.0.0.0:*<br>
> >> 8789/syslog-ng<br>
> >><br>
> >> Thanks<br>
> >><br>
> >><br>
> >> On Wed, Nov 17, 2010 at 5:27 PM, Patrick H. <<a href="mailto:syslogng@feystorm.net">syslogng@feystorm.net</a>> wrote:<br>
> >><br>
> >>> There isn't something already listening on udp 514 is there?<br>
> >>> netstat -upnl | grep ":514"<br>
> >>><br>
> >>> Sent: Wed Nov 17 2010 16:23:44 GMT-0700 (Mountain Standard Time)<br>
</div>> >>> From: keshava V <<a href="mailto:mv.keshava@gmail.com">mv.keshava@gmail.com</a>><br>
<div class="im">> >>> To: Syslog-ng users' and developers' mailing list<br>
</div>> >>> <<a href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>><br>
<div><div></div><div class="h5">> >>> Subject: Re: [syslog-ng] Syslog-ng not receiving messages<br>
> >>><br>
> >>> Further,<br>
> >>><br>
> >>> I have tried setting the kernel parameters without any luck<br>
> >>><br>
> >>> [root@aspsyslog ~]# sysctl -w net.core.rmem_max=8388608<br>
> >>> [root@aspsyslog ~]# sysctl -w net.core.rmem_default=1048576<br>
> >>><br>
> >>> [SNIP]<br>
> >>><br>
> >>><br>
> >>> ______________________________________________________________________________<br>
> >>> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> >>> Documentation:<br>
> >>> <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> >>> FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br>
> >>><br>
</div></div></blockquote></div><br>
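<p>The two checks the thread walks through, the L4 check with <code>netstat -upnl</code> (is anything bound to udp/514?) and the L3 check with <code>iptables -nvL</code> (does the filter let a fresh inbound datagram reach that socket?), carried out offline as an added example. This is not code from the thread, from syslog-ng, or from any of the posters; the <code>netstat</code> and <code>iptables</code> listings below are constructed samples shaped like a stock RHEL/CentOS host of that era, and the rule walk is a deliberate simplification of iptables semantics (first terminal match wins, else the chain policy; user-defined chains, LOG targets and negated matches are not followed). It illustrates Matthew's point: a capture taken at L2 is not evidence that the datagram ever reached the socket at L4.</p>

```python
"""Offline version of the thread's diagnosis: confirm a UDP listener exists
(the `netstat -upnl` step) and walk an `iptables -nvL INPUT` listing to
predict whether an inbound datagram is accepted at L3 (the step that
explains why tcpdump, which captures at L2, still sees every packet)."""
import re

# Constructed sample of `netstat -upnl` output (not captured from the poster's host).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
udp        0      0 0.0.0.0:514                 0.0.0.0:*                               8789/syslog-ng
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               1022/dhclient
"""

# Constructed sample of `iptables -nvL INPUT`, shaped like a stock RHEL/CentOS
# ruleset: a permissive chain policy but a catch-all REJECT as the last rule.
SAMPLE_INPUT_CHAIN = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1234   98K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 5678  456K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   42  2520 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
   17  1360 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""

# The same chain with an explicit accept for udp/514 inserted ahead of the REJECT
# (the shape of the fix a defender would apply rather than stopping iptables).
FIXED_INPUT_CHAIN = SAMPLE_INPUT_CHAIN.replace(
    "   17  1360 REJECT",
    "    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:514\n"
    "   17  1360 REJECT", 1)

TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}


def udp_listener(netstat_output, port):
    """Return the 'PID/Program' owning a UDP socket bound to `port`, or None."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("udp") and fields[3].endswith(":%d" % port):
            return fields[-1]
    return None


def parse_chain(listing):
    """Parse `iptables -nvL <chain>` text into (policy, [rule dicts])."""
    lines = listing.splitlines()
    m = re.match(r"Chain (\S+) \(policy (\S+)", lines[0])
    policy = m.group(2) if m else None  # user-defined chains print no policy
    rules = []
    for line in lines[2:]:  # skip the chain line and the column header
        f = line.split()
        if len(f) < 9:
            continue
        rules.append({
            "target": f[2], "prot": f[3], "in": f[5], "out": f[6],
            "src": f[7], "dst": f[8], "extra": " ".join(f[9:]), "text": line.strip(),
        })
    return policy, rules


def _matches(rule, proto, dport, iface):
    """Does this rule match a fresh inbound datagram? (simplified iptables semantics)"""
    if rule["prot"] not in ("all", proto):
        return False
    if rule["in"] not in ("*", iface):
        return False
    extra = rule["extra"]
    m = re.search(r"dpt:(\d+)", extra)
    if m and int(m.group(1)) != dport:
        return False
    m = re.search(r"dpts:(\d+):(\d+)", extra)
    if m and not (int(m.group(1)) <= dport <= int(m.group(2))):
        return False
    m = re.search(r"(?:ct)?state (\S+)", extra)
    if m and "NEW" not in m.group(1).split(","):
        return False  # the first datagram of a flow is conntrack NEW, not ESTABLISHED
    return True


def udp_verdict(listing, dport, iface="eth0"):
    """Walk the chain top to bottom; the first terminal match wins, else the policy.
    Returns (verdict, matching rule text or 'policy')."""
    policy, rules = parse_chain(listing)
    for rule in rules:
        if rule["target"] in TERMINAL_TARGETS and _matches(rule, "udp", dport, iface):
            return rule["target"], rule["text"]
    return policy, "policy"  # LOG and jumps to user chains are not followed here


if __name__ == "__main__":
    owner = udp_listener(SAMPLE_NETSTAT, 514)
    print("L4 listener on udp/514:", owner or "none")
    for name, chain in (("current", SAMPLE_INPUT_CHAIN), ("fixed", FIXED_INPUT_CHAIN)):
        verdict, why = udp_verdict(chain, 514)
        print("L3 verdict for udp/514 via eth0 (%s ruleset): %s <- %s" % (name, verdict, why))
```

<p>Run against the constructed samples, the listener check passes (syslog-ng owns udp/514, matching the poster's own <code>netstat</code> output) while the rule walk reports REJECT from the final catch-all, which is exactly the combination the thread ended on: the datagrams are on the wire and visible to tcpdump, but the INPUT chain discards them before the socket. Against the ruleset with the explicit <code>udp dpt:514</code> accept, the same datagram is accepted while a datagram to an unrelated UDP port is still rejected.</p>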