802.1q trunks and time machine

Hi,

My time machine indexes aren’t working, and I suspect it is due to the 802.1q trunk that the traffic is encapsulated in. How are people dealing with trunk encapsulation? Are you stripping it off before it is fed to time machine?

Thanks,

Tyler

Hello Tyler,

While I have indexes disabled at the moment, this is how I have configured an instance of the tm.conf (maybe you already have a similar setup):

class "dns" {
filter "vlan and port 53";
...
..
..
..
}

Does this help?

Aashish

Hi Aashish,

I just tried the BPF filter you suggested, but looks like indexes are still not working.

If I run the following, I will see traffic in one of the class_* (pcap formatted) files:
tcpdump -v -n -r class_all_1385406639.023206 "vlan and host 128.138.44.198"

When I try to telnet 42042 and dump against the index for the same IP address, it results in an empty file. Example:

query to_file "128.138.44.198.pcap" index ip "128.138.44.198"

I can usually tell timemachine is done writing to the output file because it switches from 0 bytes to 24 bytes with 24 bytes indicating it didn't find anything.

On a side note, when I add the -e to tcpdump, I can see the class_* files contain the vlan tagging data.

I had a student test against time machine running in a VM, and indexing worked fine, but I think he was picking up non-trunked packets.

I suspect the vlan tagging is causing some problem with indexing. I guess I can just do what you are doing and skip using the indexes. Having Time Machine running without indexes is still better than not having it running.

Tyler
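The symptom Tyler describes (tagged frames visible with tcpdump -e, but an index query for the host returning an empty file) is what you would see from an indexer that reads IP addresses at the untagged Ethernet offset; a BPF filter like "vlan and port 53" changes which packets are captured, not how the indexer parses them. The following is an added illustration of that mechanism, not code from the thread or from Time Machine; the frames are constructed and the extractor names are hypothetical.

```python
import struct

# Constructed sample frames: 14-byte Ethernet header, an optional 802.1q tag
# (EtherType 0x8100 followed by a 2-byte TCI), then a minimal IPv4 header.
ETH_P_IP = 0x0800
ETH_P_8021Q = 0x8100


def _dotted(b):
    return ".".join(str(x) for x in b)


def _ipv4_header(src, dst):
    """Minimal 20-byte IPv4 header (UDP payload, zero checksum) for the demo."""
    def pack(a):
        return bytes(int(o) for o in a.split("."))
    # version/IHL, TOS, total len, id, flags/frag, TTL, proto, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0, pack(src), pack(dst))


def build_frame(src, dst, vlan=None):
    """Constructed Ethernet frame; when vlan is set, an 802.1q tag is inserted."""
    macs = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
    if vlan is None:
        return macs + struct.pack("!H", ETH_P_IP) + _ipv4_header(src, dst)
    return macs + struct.pack("!HHH", ETH_P_8021Q, vlan, ETH_P_IP) + _ipv4_header(src, dst)


def naive_ips(frame):
    """Hypothetical index extractor that assumes an untagged 14-byte header.
    On a tagged frame it reads 4 bytes too early and returns garbage."""
    ip = frame[14:]
    return _dotted(ip[12:16]), _dotted(ip[16:20])


def vlan_aware_ips(frame):
    """Extractor that skips 802.1q tags (including stacked QinQ) before the IPv4 header."""
    offset = 12
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    offset += 2
    while ethertype == ETH_P_8021Q:
        ethertype = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        offset += 4  # TCI (2 bytes) + inner EtherType (2 bytes)
    if ethertype != ETH_P_IP:
        return None  # not IPv4; nothing to index
    ip = frame[offset:]
    return _dotted(ip[12:16]), _dotted(ip[16:20])
```

A query for "128.138.44.198" against addresses produced by naive_ips on tagged frames never matches, while vlan_aware_ips yields the same pair for the tagged and untagged frame.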

Hi Tyler,

Can you please file a ticket about this:

https://bro-tracker.atlassian.net/browse/TM

Thanks,
Aashish