Frequently Asked Questions
Network Flight Recorder® Version 2.0 for UNIX
Last Updated: 06 October 1998 03:08:19 PM Eastern Daylight Time

------------------------------------------------------------------------

This document lists some frequently asked questions about Network Flight Recorder® (NFR). We received many of the questions on the NFR Users mailing list.

--------------------------------------

Table of Contents

General Questions
  * Testing NFR
  * Trouble downloading NFR with Internet Explorer 4.01

Building NFR
  * Error: va_start: argument mismatch
  * Error: Don't know how to select include file for XXXXXXX
  * Support for newer libpcap
  * Support for newer regex
  * Using Solaris 2.6
  * Using Java 1.0 or 1.1
  * webd
  * Using another Web server with NFR

Running NFR
  * Error: Device not configured
  * Missing Start Button
  * Packages screen is empty
  * Buttons do not appear to be working
  * No data in backends
  * Queries stop responding
  * BSD/OS 3.0 seems to lock up
  * Linux seems unable to keep up with my network
  * Stealth mode
  * Using NFR in a switched environment

--------------------------------------

Testing NFR

Question: Can the organization I work for test the NFR? We are a consulting firm that sells nothing but our time (i.e. no products, hardware or software, home-grown or any sort of VAR). What we do is say to a customer "you need A, B, C. Go buy them and we'll install and configure it for you." Obviously if we test and like the NFR we'll tell our customers to buy lots of them.

Answer: You certainly are welcome to test the NFR code -- anyone (even our competitors) is! :)

Consultants and/or consulting organizations installing and configuring NFR for a customer is commercial use under our license. The relevant section reads:

  "The use of the NFR Software is limited to your internal, non-commercial use only. The use, compilation, installation, modification, maintenance or operation must be performed by employees of your organization.
  If you require assistance from outside your organization, the NFR Software and source code are considered "commercial" and subject to license fees contained in a separate NFR Reseller Agreement."

Installing NFR at a consulting customer's network isn't "internal" or "non-commercial" use, and the licensing terms are written to apply to the end user. So, if your customer hired you to install NFR for them, it would be commercial use under the "If you require assistance from outside..." clause. NFR is a valuable piece of software, and we reserve the right to make money from it, for ourselves and our authorized resellers.

If you're interested in selling NFR-related services to your customers, then you can become a reseller and we'll support you, train you, listen to you, and help you make money selling NFR. In that case, we get a license fee for each copy you sell. For more information on becoming a reseller, contact Barnaby Page (bmp@nfr.net).

So test away! That doesn't cost you anything. Your customers can test it, too, and play with it, but if they deploy it commercially, or hire you to deploy it/support it for them, then they'd need to use a licensed copy.

--------------------------------------

Trouble downloading NFR with Internet Explorer 4.01

Question: I am having trouble downloading the latest version of NFR using Microsoft Internet Explorer 4.01.

Answer: We seem to have tickled an Internet Explorer 4.01 bug. We tried downloading the file nfr-1.6.2-src.tar.Z with Internet Explorer 4.0 and had no problems. We then upgraded to Internet Explorer 4.01 and tried to download the same file. It failed just as you described. It does not fail with any other Web browser that we've tested here. The problem appears to be Microsoft's interpretation of the .Z extension: when the file nfr-1.6.2-src.tar.Z was simply renamed, it downloaded successfully.
We have added the ability to retrieve the file with IE 4.01 by simply providing a symbolic link to the original .Z file.

--------------------------------------

Error: va_start: argument mismatch

Question: Using Sun's commercial compiler, SunProC, on my Solaris machine I'm getting strange warnings saying:

  va_start: argument mismatch

Are these errors?

Answer: Check your PATH. You probably have /usr/ucb listed in your PATH before the directory of the actual SunProC compiler (usually /opt/SUNWspro/bin), so /usr/ucb/cc is found first. That file is only a shell script that checks for the presence of the commercial compiler from Sun and displays a message if it does not find it. To correct the problem, put /opt/SUNWspro/bin in your PATH before /usr/ucb.

--------------------------------------

Error: Don't know how to select include file for XXXXXXX

Question: I tried to build NFR and got the following error message:

  Don't know how to select include file for XXXXXXX

Answer: An NFR build script, bin/select_sys, uses the results of uname to choose some system dependent files for the compilation. If your system is not recognized, you can add a case to select_sys. If you use an existing system type, please send us the results of 'uname -s' and 'uname -r'. If you have to write a new configuration, please tell us about it.

--------------------------------------

Support for newer libpcap

Question: The bundled version of libpcap is 0.3.1a2. I've already built and installed 0.4a2 (don't you love these alpha versions :). NFR doesn't appear to even attempt to look for an already installed version. Is it safe to use 0.4a2 instead of 0.3a1? There have been some BPF bugs fixed more recently than 0.3.1a2, that's for sure, maybe even the one that a patch is supplied for? Will there be any effort to stay up to date with this?

Answer: We compiled NFR with 0.4a2 recently, but have not integrated all of our changes to the library.
We can't tell you for sure whether it works or not. The particularly risky part is that we did have packet loss problems with the unmodified libpcap. We made changes relating to buffer size in the pcap library, and changes relating to buffer size and correct function in BPF. In fact, we found a number of cases that just plain don't work in BPF. Probably nobody ever tried to use them. For example, nfrd uses select, which tickles a long-dormant bug in the old BPF and results in 50-75% packet loss. We don't know yet whether the new version works at all. Because we don't know if it works, we can't recommend using it. If you want to experiment, go right ahead.

--------------------------------------

Support for newer regex

Question: Will you be keeping up with all the latest changes to libpcap and regex?

Answer: We included these two libraries with our distribution for two reasons:

  * It is always a nuisance to download some cool new program, then have to go hunting for all the libraries that it depends on.
  * These versions of the libraries are known to work with NFR.

We do not know if other versions work because we have not tested them. We are aware that other versions might work, but if you try one and have problems, please be open to the possibility that your choice of libraries may have contributed.

We are not of the upgrade-of-the-day school, so we will not place top priority on integrating and testing new versions of these support libraries. The old library works. Would you have us write a cool new feature for NFR, or would you rather we spend our time integrating a later version of a library that does the same thing as the old one?

--------------------------------------

Using Solaris 2.6

Question: I'm running Solaris 2.6 and when I try to compile it, it says it doesn't know how to include Solaris 2.6 files. I know you support Solaris 2.5.
Can I install it on 2.6 or do I have to wait for the next product release?

Answer: We have not had a chance to fully test NFR on Solaris 2.6. We suspect that it will compile fine, but... If you want to try:

  * Edit the file nfr/bin/select_sys and change the following line

      SunOS5.[45]*) type=solaris

    to

      SunOS5.[456]*) type=solaris

  * Run bin/fixmake and follow the documentation as if you were installing on Solaris 2.5.

--------------------------------------

Using Java 1.0 or 1.1

Question: Currently you are using Java 1.0 to build NFR. Are there plans for upgrading the GUI to Java 1.1?

Answer: When we began this project, Java 1.1 was not an option. It seems likely that we will change over to a later Java version, but we do not know exactly when. With the speed at which Sun is announcing new Java versions, it is hard to say for sure that we will support Java 1.1. We may well skip Java 1.1 and go directly to 1.2 or 1.3. :)

Sun claims that the Java 1.1 compiler can compile Java 1.0 code. They even state that the resulting code should work in a Java 1.0 virtual machine. They make no guarantees, which is good, because it doesn't always work. As a result, we can't change over to a later Java version until the vast majority of users have browsers that support that Java version. In that respect, it is a little early for us to write in Java 1.1, because anybody using Netscape Navigator Version 3 or Microsoft Internet Explorer Version 3 would be unable to run the user interface.

--------------------------------------

webd

Question: It appears that there is a Web server included with NFR 2.0. What is this used for and why should I use it?

Answer: A minimal Web server, webd, is included with NFR. In previous versions of NFR, a large majority of the problems people had setting up NFR had nothing to do with NFR itself. They had problems configuring the Web server so that they could use the NFR GUI.
The list of Web servers, versions, and operating systems is quite large, and changing rapidly. Rather than selecting one or two Web servers to support, NFR developed a minimal Web server tailored to our needs. The install process automatically installs and configures this Web server, allowing the user to start using NFR much more quickly.

The NFR Web server is included for use with NFR. It is not intended to be used as a general purpose Web server for your site. Use it in other configurations at your own risk.

--------------------------------------

Using another Web server with NFR

Question: Do I have to use webd, or can I use a Web server that I already have?

Answer: We recommend you use the NFR Web server, webd. It serves all of the needs of the NFR GUI, and you don't have to go through the trouble of installing a different Web server.

That said, you can use the NFR GUI with another Web server. NFR does not support these configurations. You will need to make changes to NFR configuration files.

--------------------------------------

Error: Device not configured

Symptom: The Alerts window in the GUI shows a warning message that looks like:

  can't pcap open interface:"ef0" Error: ef0: Device not configured.

Problem: The NFR engine is most likely looking at the wrong network interface.

Solution: When the NFR engine, nfrd, starts, it reads a configuration file (install/etc/nfrd.cfg). You must specify the name of the network interface you want NFR to listen on by setting the value of the nfr_intf variable. The value associated with nfr_intf is a space separated list of interface names.

This alert can be generated if you didn't edit the nfr_intf variable, which by default lists many interfaces for many systems. nfrd will work for each of those interfaces that is actually present on your system and give this error for the rest. Refer to the Getting Started Guide for more instructions on setting this variable.
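The following shell script is an added example for checking the nfr_intf list before starting nfrd; it is not part of the NFR distribution. It assumes that nfrd.cfg writes the variable on one line as nfr_intf = "ef0 le0" (an assumption about the file's syntax; adjust the sed pattern if the real file differs), the function names nfr_intf_list, host_intfs and check_intfs are the example's own, and the configuration fragment and interface list it runs on are constructed, so it runs without an NFR installation. It prints a warning for every configured interface that does not exist on the host (each of those would produce the "Device not configured" alert) and an nfr_intf line that keeps only the interfaces that are present.

```shell
#!/bin/sh
# Added example, not part of the NFR distribution.
# Compare the interfaces named by nfr_intf in nfrd.cfg with the interfaces
# that exist on this host, and print an nfr_intf line keeping only the
# present ones. Assumption: the variable is written on one line as
#     nfr_intf = "ef0 le0"
# (quoting and spacing in the real nfrd.cfg may differ; adjust the sed
# pattern in nfr_intf_list if so).

# Read an nfrd.cfg-style file on stdin; print the space separated list.
nfr_intf_list() {
    sed -n 's/^[[:space:]]*nfr_intf[[:space:]]*=[[:space:]]*//p' |
        head -n 1 |
        sed 's/#.*//; s/"//g' |
        tr '\t' ' ' | tr -s ' ' |
        sed 's/^ //; s/ $//'
}

# Space separated list of interfaces present on this host: Linux sysfs when
# available, otherwise the name at the start of each "ifconfig -a" stanza
# (assumption: alphanumeric name followed by ':' or a space, as on BSD and
# Solaris). Not called by the demonstration below.
host_intfs() {
    if [ -d /sys/class/net ]; then
        ls /sys/class/net | tr '\n' ' '
    else
        ifconfig -a 2>/dev/null |
            sed -n 's/^\([A-Za-z][A-Za-z0-9]*\)[: ].*/\1/p' | tr '\n' ' '
    fi
}

# check_intfs "<configured list>" "<present list>"
# Warns on stderr about each configured interface that is absent and prints
# the corrected nfr_intf line on stdout.
# Exit status: 0 all present, 1 some absent, 2 nothing left to listen on.
check_intfs() {
    configured=$1
    present=$2
    keep=""
    status=0
    for i in $configured; do
        found=0
        for p in $present; do
            if [ "$i" = "$p" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 1 ]; then
            keep="$keep $i"
        else
            echo "warning: $i is not present on this host" >&2
            status=1
        fi
    done
    keep=${keep# }
    if [ -z "$keep" ]; then
        status=2
    fi
    echo "nfr_intf = \"$keep\""
    return "$status"
}

# Demonstration on a constructed configuration fragment and a constructed
# host interface list. Against a real installation, run something like:
#   check_intfs "$(nfr_intf_list < install/etc/nfrd.cfg)" "$(host_intfs)"
sample_cfg='nfr_intf = "ef0 le0 hme0"   # default list covers several systems'
configured=$(printf '%s\n' "$sample_cfg" | nfr_intf_list)
check_intfs "$configured" "le0 hme0" || echo "exit status $? (1: some absent, 2: none left)"
```

On the constructed input the script warns that ef0 is missing and prints nfr_intf = "le0 hme0", which is the line to put into nfrd.cfg. A non-zero exit status is deliberate so the check can gate a start-up script.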
--------------------------------------

Missing Start Button

Symptom: I'm using a Java-enabled browser and I've loaded the black NFR page, but I can't seem to find the Start button that everyone keeps referring to.

Problem: Your browser seems to be having some problems executing Java applets.

Solution:

Solution 1: Unset the $CLASSPATH environment variable. Some JVMs (like Kaffe) require that $CLASSPATH be set to the directory where their libraries are stored. You may have left $CLASSPATH set after using a JVM and then started Netscape. Netscape will use the information in the $CLASSPATH environment variable to locate its Java libraries, finding the libraries of the last used JVM instead.

Solution 2: Certain versions of Netscape just don't execute Java code on certain X displays. We haven't been able to reliably nail down the circumstances. If you are using Netscape, you might try a different display or a different version of Netscape.

--------------------------------------

Packages screen is empty

Symptom: The Packages screen is empty.

Problem: You cannot execute any of the NFR cgi support programs.

Solution: If you are using a Web server other than the one included with NFR, webd, and you want to use that server's .htaccess authentication method, make sure that both install/etc/httpd/cgi-bin/.htaccess and install/etc/httpd/htdocs/ exist and are the same. If you make changes to either file, you will have to restart your browser for the NFR client to function properly.

--------------------------------------

Buttons do not appear to be working

Symptoms:

  * The Packages screen is not empty but the Query and Configure buttons do not appear to work.
  * The Configure button on the configure screen doesn't appear to work.
  * The Reload button on the Alert screen doesn't appear to work.
  * The Exit button does not close the NFR applet.

Problem: The NFR client applet is not communicating with the Web server.
If you are looking at the applet, then the browser was at one time communicating with the Web server. Perhaps the Web server has crashed, or there is some other type of network connectivity problem.

Solution: Check to see if the Web server is up and running. If it is not, restart it. You will then need to restart your browser and reload the NFR client applet.

--------------------------------------

No data in the backends

Symptom: All of the GUI components appear to work, but I'm not getting any data into the backends.

Problem: The NFR engine (nfrd) may not be running, or may not be responding.

Solution: Check to make sure that the NFR engine is up and running. If it is not running, restart it. You can query the engine directly using the control program. A properly running NFR produces output like the following:

  % cd $NFRHOME
  % bin/control
  % stats intf
  intf: ef0: ps_recv 1212
  intf: ef0: ps_drop 0
  intf: ef0: ps_ifDrop 0
  intf: ef0: packets 621
  intf: ef0: bytes 63987
  intf: Arriv [10/08/97 00:16:54] secTotal 157.956 secTotal/cnt 0.254358 stdDev 0.60665
  intf: totalPackets 621
  1 done stats [11/21/97 16:16:48]
  ^C

The ps_recv, ps_drop and ps_ifDrop counters are libpcap's: ps_drop counts packets the kernel discarded for lack of buffer space before nfrd could read them, and ps_ifDrop those discarded by the interface or its driver. If ps_recv stays at zero, the engine is not seeing traffic at all; if ps_drop keeps growing, nfrd is seeing traffic but losing some of it (see the libpcap and Linux entries in this FAQ).

--------------------------------------

Queries stop responding

Symptom: I know data is making it into the backends, but none of the queries respond with a browser full of information. They appear to do nothing.

Problem:

Problem 1: If your browser is pointed at a page other than the main NFR page, the queries no longer function properly.

Problem 2: There is a bug in certain versions of Netscape Navigator.

Solution:

Solution 1: Keep your browser on the black (main) NFR page while using the NFR GUI. As long as the Start button stays in the upper left frame, everything works correctly. You can browse the NFR documentation or select any of the links in the left frame. Some of the newer versions of Netscape Navigator do not appear to have this problem. We still recommend leaving your browser on the main NFR page while using NFR.
Solution 2: Open the Java console in your browser. If you see the message "Finished Executing showDocument", it means the query has been successfully processed. If no window appeared, you have found the Navigator bug. Quit and restart your browser.

--------------------------------------

BSD/OS 3.0 systems seem to lock up

Symptom: Every time I start NFR and work with it for a while, the operating system locks up or crashes.

Problem: This behavior has been observed on some BSD/OS 3.0 systems that don't have the most recent patches installed.

Solution: Install the following patches from BSDI:

  * K300-001
  * M300-002
  * M300-010
  * M300-013
  * M300-015
  * M300-016
  * M300-021
  * M300-022
  * M300-023
  * M300-027

--------------------------------------

Linux seems unable to keep up with my network

Symptom: My Linux box seems to be having trouble keeping up with the traffic on my network. I have tried the BSD/OS, Solaris, and FreeBSD versions and they have no problems keeping up.

Problem: We too have seen this problem. We noticed extremely high packet loss on a P90 running Linux while a P75 running BSD/OS on the same network at the same time had no packet loss. The difference in performance is a result of the different mechanism used to get packets off the wire. The System Notes explain more about the mechanism used on each operating system. In summary, the mechanism used on Linux does not appear to have been designed with performance in mind.

Solution: Use a different operating system for running NFR.

--------------------------------------

Stealth mode

Question: The LISA paper mentions some stealth mode kernel hacks that were implemented. What is this feature for?

Answer: Stealth mode means that the machine is ordinarily undetectable on the network. That is to say, it does not initiate or respond to communication.
It has two major advantages:

  * Your NFR host is not readily detectable by a potential attacker. Neither other sniffers nor active probing will detect it, so the presence of your NFR may be unknown.
  * It is highly secure from attack across the network, since you can't actually talk to it. (It still receives and decodes everything on the wire, so stealth mode removes the network path to the host, not the need to keep the sniffing software itself sound.)

Stealth mode is really a matter of NOT transmitting packets on the network. Kernel hacks are only needed if your system needs special help with that. In the case of BSD/OS, you can simply refrain from assigning an IP address to the interface and it just won't talk. For example:

  # ifconfig ef0 up

This probably wasn't something the system designers intended to support. For example, you can bring up an interface with no IP address, but many systems do not have a way to remove the IP address once it has already been assigned. Look for an ifconfig "delete" option to see if yours does. All you really need to do is change your boot scripts so you don't assign an IP address to the interface you are listening on.

We have not tried it on HP-UX or Solaris. We are always ready for surprises when STREAMS is involved, but there is no obvious reason why it wouldn't work the same way.

Note that this only applies to the interface you are sniffing. Your NFR can be remotely managed and in stealth mode at the same time if you have multiple interfaces. For example:

  network A ---+---------------+-----
               |               |  <- interface in stealth mode
            firewall          NFR
               |               |
  network B ---+-------+-------+-----
                       |
                 management station

As far as hosts on network A are concerned, the NFR does not exist, because they cannot see it. Hosts on network B can run the NFR user interface to gather information about network A.

--------------------------------------

Using NFR in a switched environment

Question: We recently switched over our previous hubbed LAN environment to a switched topology. We would very much like to continue to use NFR in the new LAN environment. How might that be possible?
Answer: You should be able to set your switch up so that certain ports can see all or certain ports' traffic. Cisco switches can do this very nicely (look for SPAN in the configuration). Most switches, especially those from major vendors, have this option.

The most important part of any application is this: what do you want to do? There are a lot of things you can do with an NFR. Some are easier to do in a switched environment than others. For example:

Our experience is that you typically do not have a balanced traffic load from every node to every other node. That is, an origin-destination study of your network would show that the overwhelming majority of your traffic goes to a few machines that you might call "servers" and/or "routers". That is, if you have N nodes, but only S servers and R routers, the number of interesting traffic flows is N * (S + R). It is generally NOT N * N. The interesting machines are the S + R servers and routers.

Now let's say you have 2 servers and 1 router. This is a practical configuration in a UNIX server / Windows client environment of 100 machines or so. You would want to place each server on its own branch of the switch. If you have a lot of external traffic, you might also place the router on a third branch. (I am assuming, of course, but you bought a switch for a reason, right?) In this case, you can effectively monitor most "interesting" events by placing 3 Ethernet cards in your NFR and having it listen to the branch each server is on and the branch the router is on. You will see duplicate packets for traffic among those three, but you expect that, so it is not a problem.

We are assuming that the rest of the machines don't have anything much interesting to say to each other. This is frequently true. A desktop Windows machine usually has nothing[1] to say to another desktop Windows machine. Even desktop UNIX machines don't have much to say to each other in many environments.
If your network resembles what we are describing here, you can quite effectively use your NFR for monitoring. You might have one of those rare networks where every node talks to every other node. In this case, you can effectively monitor it by treating each branch of the switch as a separate network. If you don't want to have that many NFRs, you can combine two or more branches and monitor them from a single NFR.

[1] When we say PCs usually say nothing to each other, we really mean "nothing interesting", of course. A cluster of Windows 95 machines with "Microsoft Networking" installed is practically a broadcast storm all by itself. Every machine is always saying "I'm here! I'm here!", and every time you boot a Windows box, it calls for an election to choose a browse master. The election involves every machine on the network broadcasting a vote. Still, if you have it set up right, the server always wins and becomes the browse master, so it isn't really that interesting. If you are looking for desktop machines that are offering file or print service, you can find that by listening anywhere, since they broadcast that information.

------------------------------------------------------------------------

Network Flight Recorder is a registered trademark and NFR and the striped NFR logo are trademarks of Network Flight Recorder, Inc. Other products, services, and company names mentioned herein may be trademarks of their respective owners. Copyright © 1998 Network Flight Recorder, Inc.