Search code examples
linuxpcapnetflowyafsilk

YAF terminating on error (couldn't create connected TCP socket)


I've installed and configured YAF (v. 2.8.4) + SiLK(v. 3.12.1) on Debian 8.2, and I faced with 2 problems:
1st. Every time I start yaf, as long as a TCP connection established, yaf process terminated with this error:

[2016-05-25 08:13:36] yaf terminating on error: couldn't create connected TCP socket to 127.0.0.1:18000 Connection refused

2nd. Also when yaf is running (there is not any TCP connection on eth0), out put of rwfilter --proto=0- --type=all --pass=stdout | rwcut | head command is empty.

I have some flow information for two days ago in /data/ directory, and I'm able to filter them by

rwfilter --start-date=2016/05/22 --end-date=2017/05/23            --proto=0- --type=all --pass=stdout        | rwstats --fields=protocol --bottom --count=10

That's show that yaf and SiLK worked correctly on 23th May. (BUT for some minuets!!!). Unfortunately I only have today's logs and logs for 23th truncated.


Configs and Logs:

ps ax |grep "yaf\|rwflowpack":

 58984 ?        Ssl    0:00 /usr/local/sbin/rwflowpack --sensor-configuration=/data/sensor.conf --site-config-file=/ata/silk.conf --archive-directory=/var/lib/rwflowpack/archive --output-mode=local-storage --root-directory=/data --pidfile=/var/lib/rwflowpack/log/rwflowpack.pid --log-level=info --log-destination=syslog

 84140 ?        Ss     0:00 /usr/local/bin/yaf -d --live pcap --in eth0 --ipfix tcp --out localhost --ipfix-port 18000 --log /var/log/yaf/log/yaf.log --verbose --silk --applabel --max-payload=2048 --plugin-name=/usr/local/lib/yaf/dpacketplugin.la --pidfile /var/log/yaf/run/yaf.pid

iptables rules:

ACCEPT     udp  --  anywhere             anywhere             udp spt:18000
ACCEPT     udp  --  anywhere             anywhere             udp dpt:18000
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:18000
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:18000

yaf.log:

[2016-05-25 08:48:02] yaf starting
[2016-05-25 08:48:02] Initializing Rules From File: /usr/local/etc/yafApplabelRules.conf
[2016-05-25 08:48:02] Application Labeler accepted 44 rules.
[2016-05-25 08:48:02] Application Labeler accepted 0 signatures.
[2016-05-25 08:48:02] DPI Running for ALL Protocols
[2016-05-25 08:48:02] Initializing Rules from DPI File /usr/local/etc/yafDPIRules.conf
[2016-05-25 08:48:02] DPI rule scanner accepted 63 rules from the DPI Rule File
[2016-05-25 08:48:02] DPI regular expressions cover 7 protocols
[2016-05-25 08:48:02] Forked child 82020.  Parent exiting
[2016-05-25 08:48:02] running as root in --live mode, but not dropping privilege
[2016-05-25 08:50:48] Processed 814 packets into 0 flows:
[2016-05-25 08:50:48]   Mean flow rate 0.00/s.
[2016-05-25 08:50:48]   Mean packet rate 4.90/s.
[2016-05-25 08:50:48]   Virtual bandwidth 0.0032 Mbps.
[2016-05-25 08:50:48]   Maximum flow table size 36.
[2016-05-25 08:50:48]   29 flush events.
[2016-05-25 08:50:48]   0 asymmetric/unidirectional flows detected (-nan%)
[2016-05-25 08:50:48] YAF read 1643 total packets
[2016-05-25 08:50:48] Assembled 0 fragments into 0 packets:
[2016-05-25 08:50:48]   Expired 0 incomplete fragmented packets. (0.00%)
[2016-05-25 08:50:48]   Maximum fragment table size 0.
[2016-05-25 08:50:48] Rejected 829 packets during decode: (33.54%)
[2016-05-25 08:50:48]   829 due to unsupported/rejected packet type: (33.54%)
[2016-05-25 08:50:48]     829 unsupported/rejected Layer 3 headers. (33.54%)
[2016-05-25 08:50:48]     729 ARP packets. (29.49%)
[2016-05-25 08:50:48]     83 802.3 packets. (3.36%)
[2016-05-25 08:50:48] yaf terminating on error: couldn't create connected TCP socket to localhost:18000 Connection refused

rwflowpack logs:

May 25 13:17:54 XXX rwflowpack[58984]: 'S0': forward 0, reverse 0, ignored 0
May 25 13:19:54 XXX rwflowpack[58984]: Flushing files after 120 seconds.
May 25 13:19:54 XXX rwflowpack[58984]: 'S0': forward 0, reverse 0, ignored 0
May 25 13:21:54 XXX rwflowpack[58984]: Flushing files after 120 seconds.
May 25 13:21:54 XXX rwflowpack[58984]: 'S0': forward 0, reverse 0, ignored 0

usr/local/etc/yaf.conf:

ENABLED=1

YAF_CAP_TYPE=pcap

YAF_CAP_IF=eth0

YAF_IPFIX_PROTO=tcp

YAF_IPFIX_HOST=localhost

YAF_IPFIX_PORT=18000

YAF_STATEDIR=/var/log/yaf

YAF_EXTRAFLAGS="--silk --applabel --max-payload=2048 --plugin-name=/usr/local/lib/yaf/dpacketplugin.la"

/data/silk.conf:

version 2

sensor 0 S0    "Description for sensor S0"
sensor 1 S1
sensor 2 S2    "Optional description for sensor S2"
sensor 3 S3
sensor 4 S4
sensor 5 S5
sensor 6 S6
sensor 7 S7
sensor 8 S8
sensor 9 S9
sensor 10 S10
sensor 11 S11
sensor 12 S12
sensor 13 S13
sensor 14 S14

class all
    sensors S0 S1 S2 S3 S4 S5 S6 S7 S8 S9 S10 S11 S12 S13 S14
end class

class all
    type  0 in      in
    type  1 out     out
    type  2 inweb   iw
    type  3 outweb  ow
    type  4 innull  innull
    type  5 outnull outnull
    type  6 int2int int2int
    type  7 ext2ext ext2ext
    type  8 inicmp  inicmp
    type  9 outicmp outicmp
    type 10 other   other

    default-types in inweb inicmp
end class

default-class all

packing-logic "packlogic-twoway.so"

/data/sensor.conf:

probe S0 ipfix
   listen-on-port 18001
   protocol tcp
end probe

sensor S0
   ipfix-probes S0
   internal-ipblocks 192.168.1.0/24 10.10.10.0/24
   external-ipblocks remainder
end sensor

/usr/local/etc/rwflowpack.conf:

ENABLED=1
statedirectory=/var/lib/rwflowpack
CREATE_DIRECTORIES=yes
BIN_DIR=/usr/local/sbin
SENSOR_CONFIG=/data/sensor.conf
DATA_ROOTDIR=/data
SITE_CONFIG=/data/silk.conf
PACKING_LOGIC=
INPUT_MODE=stream
INCOMING_DIR=${statedirectory}/incoming
ARCHIVE_DIR=${statedirectory}/archive
FLAT_ARCHIVE=0
ERROR_DIR=  
OUTPUT_MODE=local
SENDER_DIR=${statedirectory}/sender-incoming
INCREMENTAL_DIR=${statedirectory}/sender-incoming
COMPRESSION_TYPE=
POLLING_INTERVAL=
FLUSH_TIMEOUT=
FILE_CACHE_SIZE=
FILE_LOCKING=1
PACK_INTERFACES=0
SILK_IPFIX_PRINT_TEMPLATES=
LOG_TYPE=syslog
LOG_LEVEL=info
LOG_DIR=${statedirectory}/log
PID_DIR=${LOG_DIR}
USER=root
EXTRA_OPTIONS=
EXTRA_ENVVAR=

yaf --version:

yaf version 2.8.4  Build Configuration:
    * Timezone support:                 UTC
    * Fixbuf version:                   1.7.1
    * DAG support:                      NO
    * Napatech support:                 NO
    * Netronome support:                NO
    * Bivio support:                    NO
    * PFRING support:                   NO
    * Compact IPv4 support:             NO
    * Plugin support:                   YES
    * Application Labeling:             YES
    * Payload Processing Support:       YES
    * Entropy support:                  NO
    * Fingerprint Export Support:       NO
    * P0F Support:                      NO
    * Spread Support:                   NO
    * MPLS Support:                     NO
    * Non-IP Support:                   NO
    * Separate Interface Support:       NO

SiLK version:

SiLK 3.12.1; configuration settings:
    * Root of packed data tree:         /data
    * Packing logic:                    Run-time plug-in
    * Timezone support:                 UTC
    * Available compression methods:    none [default], zlib
    * IPv6 network connections:         yes
    * IPv6 flow record support:         yes
    * IPFIX/NetFlow9/sFlow collection:  ipfix,netflow9,sflow
    * Transport encryption:             no
    * PySiLK support:                   no
    * Enable assert():                  no

Solution

  • I'm new in YAF and SiLK.

    I used bellow link for building and configuring YAF+SiLk
    https://tools.netsa.cert.org/yaf/libyaf/yaf_silk.html
    Thus all parameters derived from that tutorial.

    YAF take a port in YAF_IPFIX_PORT to connect to the IPFIX collector on the specified port. So, YAF does not open any port with that number and does not listening to that port :|

    So I changed the value ofYAF_IPFIX_PORT= in yaf.conf, from 18000 to 18001 (the port which is defined for listen-on-port in sensor.conf)

    Now It's working and I'm able to filter traffics.