[dsc] qtype dataset is empty
Andrew Ruthven
andrew.ruthven at catalyst.net.nz
Tue May 19 21:04:17 UTC 2009
Hi Duane,
On Tue, 2009-05-19 at 10:57 -0600, Duane Wessels wrote:
>
>
> On Tue, 19 May 2009, Andrew Ruthven wrote:
>
> > Hi,
> >
> > I've just upgraded the collector on one of my monitoring servers to
> > 200901261740 and now all the qtype datasets are empty. All the other
> > datasets appear to be collecting the correct data.
>
> First step is to figure out if the problem is with the collector or
> with the presenter.
>
> Can you look on the presenter and see if the qtype data files are empty or not?
> ie,
>
> $ less /usr/local/dsc/data/$SERVER/$NODE/20090519/qtype.dat
Sure. They contain only timestamps:
...
1242765540
1242765600
1242765660
1242765720
1242765780
1242765840
#MD5 b819dff5df98dc6f500ac911d54a4dec
And the XML file from the collector has:
...
<array name="qtype" dimensions="2" start_time="1242766800"
stop_time="1242766860">
<dimension number="1" type="All"/>
<dimension number="2" type="Qtype"/>
<data>
</data>
</array>
...
I've attached the collector configuration to this email.
What next?
Cheers!
--
Andrew Ruthven, Wellington, New Zealand
At work: andrew.ruthven at catalyst.net.nz
At home: andrew at etc.gen.nz
GPG fpr: 34CA 12A3 C6F8 B156 72C2 D0D7 D286 CE0C 0C62 B791
-------------- next part --------------
# local_address
#
# specifies a local IPv4 address. used to determine the
# "direction" of an IP packet: sending or receiving or other
#
local_address 202.46.190.130;
# run_dir
#
# dsc passes this directory to chdir() after starting.
#
run_dir "/var/spool/dsc/ns1";
# pid_file
#
# filename where DSC should store its process-id
#
pid_file "/var/run/dsc-ns1.pid";
# bpf_program
#
# a Berkeley Packet Filter (BPF) program. it can be used to limit
# the number and type of packets that the application receives
# from the kernel. note that if you limit it to "udp port 53", the
# IP-based collectors do not work
#
# NOTE: bpf_program must GO BEFORE interface
#
# use this to see only DNS messages
#bpf_program "udp port 53";
#bpf_program "udp port 53 or tcp port 53";
#bpf_program "(vlan or not vlan) and port 53 and host 202.46.190.130";
bpf_program "(src port 53 and src host 202.46.190.130 and not vlan) or (vlan 1 and dst port 53 and dst host 202.46.190.130)";
#
# use this to see only DNS *queries*
#bpf_program "udp dst port 53 and udp[10:2] & 0x8000 = 0";
# interface
#
# specifies a network interface to sniff packets from.
# can specify more than one.
#
#interface eth0;
interface eth1;
#interface eth3;
# qname_filter
#
# Defines a custom QNAME-based filter for DNS messages. If
# you refer to this named filter on a dataset line, then only
# queries or replies for matching QNAMEs will be counted.
# The QNAME argument is a regular expression. For example:
#
# qname_filter WWW-Only ^www\. ;
# dataset qtype dns All:null Qtype:qtype queries-only,WWW-Only ;
#
# datasets
#
# please see the DSC manual for more information.
dataset qtype dns All:null Qtype:qtype queries-only;
dataset rcode dns All:null Rcode:rcode replies-only;
dataset opcode dns All:null Opcode:opcode queries-only;
dataset rcode_vs_replylen dns Rcode:rcode ReplyLen:msglen replies-only;
dataset client_subnet dns All:null ClientSubnet:cip4_net queries-only max-cells=200;
dataset qtype_vs_qnamelen dns Qtype:qtype QnameLen:qnamelen queries-only;
dataset qtype_vs_tld dns Qtype:qtype TLD:tld queries-only,popular-qtypes max-cells=200;
dataset certain_qnames_vs_qtype dns CertainQnames:certain_qnames Qtype:qtype queries-only;
dataset client_subnet2 dns Class:query_classification ClientSubnet:cip4_net queries-only max-cells=200;
dataset client_addr_vs_rcode dns Rcode:rcode ClientAddr:client replies-only max-cells=50;
dataset chaos_types_and_names dns Qtype:qtype Qname:qname chaos-class,queries-only;
dataset idn_qname dns All:null IDNQname:idn_qname queries-only;
dataset edns_version dns All:null EDNSVersion:edns_version queries-only;
#dataset edns_bufsiz dns All:null EDNSBufSiz:edns_bufsiz queries-only;
dataset do_bit dns All:null D0:do_bit queries-only;
dataset rd_bit dns All:null RD:rd_bit queries-only;
dataset idn_vs_tld dns All:null TLD:tld queries-only,idn-only;
dataset ipv6_rsn_abusers dns All:null ClientAddr:client queries-only,aaaa-or-a6-only,root-servers-net-only max-cells=50;
#dataset transport_vs_qtype dns Transport:transport Qtype:qtype queries-only;
#dataset domain_vs_qtype dns Qtype:qtype Domain:domain queries-only max-components=2;
dataset client_port_range dns All:null PortRange:dns_sport_range queries-only;
dataset second_ld_vs_rcode dns Rcode:rcode SecondLD:second_ld replies-only max-cells=50;
dataset third_ld_vs_rcode dns Rcode:rcode ThirdLD:third_ld replies-only max-cells=50;
dataset direction_vs_ipproto ip Direction:ip_direction IPProto:ip_proto any;
# bpf_vlan_tag_byte_order
#
# Set this to 'host' on FreeBSD-4 where the VLAN id that we
# get from BPF appears to already be in host byte order.
#bpf_vlan_tag_byte_order host;
# match_vlan
#
# A whitespace-separated list of VLAN IDs. If set, only the
# packets with these VLAN IDs will be analyzed by DSC.
#
#match_vlan 100 200;