[netsa-tools-discuss] rwflowpack won't start

Mark Thomas mthomas at cert.org
Fri Nov 30 10:39:53 EST 2018


Steven-

Short answer:

There is a version mismatch between SiLK and libfixbuf.  Recompiling
and reinstalling SiLK should fix the issue.

Long answer:

It appears that your SiLK installation is finding a different
version of the libfixbuf library than the one it found when the
source code was compiled.  When SiLK was compiled, it found a 1.x
version of libfixbuf that includes the function named
fbSessionAddTemplateCtxCallback2.  When you attempt to start
rwflowpack now, it is finding a 2.x version of libfixbuf that does
not have that function.

SiLK may be compiled against either version of libfixbuf, but the
version of libfixbuf should not be changed once SiLK has been
compiled.

If you have multiple versions of libfixbuf on your system, it could
be that SiLK finds one the 1.x one when it is compiled and the 2.x
one when it is invoked.

I hope that helps you resolve the issue.  Please followup if you
have additional questions or problems.

-Mark


-----Original Message-----
From: Steven Duffield <s.duffield at ed.ac.uk>
Date: Fri, 30 Nov 2018 09:16:49 +0000
To: <netsa-tools-discuss at cert.org>
Subject: [netsa-tools-discuss] rwflowpack won't start

Hi,

I had a server reboot on me unexpectedly and when it came back 
rwflowpack failed to start. I've tried "service rwflowpack start" a few 
times but it still fails to restart. It's a centos7 system but journald 
and syslog don't give much away (at least to my untrained eye) even with 
LOG_LEVEL=debug. Seems to fail at the same place each time...

Nov 29 19:02:27 flowm systemd: Starting LSB: start and stop SiLK 
rwflowpack daemon...
Nov 29 19:02:27 flowm rwflowpack[16198]: Started logging at 2018-11-29 
19:02:27Z
Nov 29 19:02:27 flowm rwflowpack[16198]: '/usr/sbin/rwflowpack' 
'--sensor-configuration=/etc/silk/sensor.conf' 
'--compression-method=best' '--site-config-file=/etc/silk/silk.conf' 
'--output-mode=sending' 
'--sender-directory=/data/silk-processing/packer_dest' 
'--incremental-directory=/data/silk-processing/packer_work' 
'--pidfile=/var/lib/rwflowpack/log/rwflowpack.pid' '--log-level=debug' 
'--log-destination=syslog'
Nov 29 19:02:27 flom rwflowpack[16198]: Forked child 16200.  Parent exiting
Nov 29 19:02:27 flowm rwflowpack[16200]: Using packing logic from 
/usr/lib64/silk/packlogic-twoway.so
Nov 29 19:02:27 flowm rwflowpack[16200]: Creating stream cache
Nov 29 19:02:27 flowm rwflowpack[16200]: Checking incremental directory 
for old files...
Nov 29 19:02:27 flowm rwflowpack[16200]: No incremental files to move.
Nov 29 19:02:27 flowm rwflowpack[16200]: Creating NetFlowV9 Reader for 
probe 'sensor1' on 6000
Nov 29 19:02:28 flowm rwflowpack: Starting rwflowpack:#011[Failed]
Nov 29 19:02:28 flowm systemd: rwflowpack.service: control process 
exited, code=exited status=1
Nov 29 19:02:28 flowm systemd: Failed to start LSB: start and stop SiLK 
rwflowpack daemon.
Nov 29 19:02:28 flowm systemd: Unit rwflowpack.service entered failed state.
Nov 29 19:02:28 flowm systemd: rwflowpack.service failed.

If I remove sensor1 from sensor.conf it fails at sensor2.

I tried starting it from the commandline as a quick check and got this...

/usr/sbin/rwflowpack --sensor-configuration=/etc/silk/sensor.conf 
--compression-method=zlib --site-config-file=/etc/silk/silk.conf 
--input-mode=stream --output-mode=incremental-files 
--root-directory=/data/FLOWS 
--pidfile=/var/lib/rwflowpack/log/rwflowpack.pid --log-level=debug 
--log-destination=syslog 
--incremental-directory=/data/silk-processing/packer_dest --no-daemon


/usr/sbin/rwflowpack: symbol lookup error: /lib64/libflowsource.so.17: 
undefined symbol: fbSessionAddTemplateCtxCallback2


Any pointers on where to look or what to try next would be most appreciated.

Thanks,

Steven.


-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


More information about the netsa-tools-discuss mailing list