[SOLVED] [Linux] Network data is measured but not pulsed

Hi.

I am running Linux Mint 17 64-bit with WhatPulse 2.4.1. Upon updating to the new client, I noticed that network traffic was still being measured in the Network tab, but is not being added to the unpulsed statistics on the overview.

I have followed this guide and ensured that the setup-input-permissions.sh script was run, and that all of the required packages have been installed.

Upon running, I was prompted to run the setcap command, which I accepted and ran. I have additionally tried running the following commands numerous times in my troubleshooting:

sudo setcap cap_net_raw,cap_net_admin=eip ./whatpulse
sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' ./whatpulse

The following is the startup console log:

04-12-2014 10:16:33.061  INFO "Starting WhatPulse 2.4.1..." 
04-12-2014 10:16:33.070  WARN "sni-qt/10748" WARN  10:16:33.070 void StatusNotifierItemFactory::connectToSnw() Invalid interface to SNW_SERVICE  
04-12-2014 10:16:33.070 DEBUG Database file:  "/home/user/.local/share/data/WhatPulse/whatpulse.db" 
04-12-2014 10:16:33.081 DEBUG Database check:  "ok" 
04-12-2014 10:16:33.082 DEBUG Opened database in:  12 ms 
04-12-2014 10:16:33.088 DEBUG Found proper permissions for network monitoring 
04-12-2014 10:16:33.088 DEBUG Encrypted file:  "/home/user/.local/share/data/WhatPulse/whatpulse.wpw" 
04-12-2014 10:16:33.115 DEBUG Loaded application aliases 
04-12-2014 10:16:33.115  WARN PF_PACKET is not available. 
04-12-2014 10:16:33.117 DEBUG No pcap network devices found! Did you run the ChmodBPF script? 
04-12-2014 10:16:33.117 DEBUG Fallback to ProcNetworkTrafficMonitor. Only interface statistics available.  
04-12-2014 10:16:33.157 DEBUG Opening GeoIP database:  "/home/user/.local/share/data/WhatPulse/GeoIP.dat" 
04-12-2014 10:16:33.193 DEBUG WhatPulse  2.4.1  has started 
04-12-2014 10:16:33.273  WARN Unable to find videocard in our database with vendor  "10DE" , device  "1381"  and subsys  "1458362E" 
04-12-2014 10:16:33.387 DEBUG Starting timers and collector.. 
04-12-2014 10:16:33.389 DEBUG Creating device listener for "/dev/input/event0" 
04-12-2014 10:16:33.389 DEBUG Creating device listener for "/dev/input/event1" 
04-12-2014 10:16:33.389 DEBUG Creating device listener for "/dev/input/event10" 
04-12-2014 10:16:33.390 DEBUG Creating device listener for "/dev/input/event11" 
04-12-2014 10:16:33.390 DEBUG Creating device listener for "/dev/input/event12" 
04-12-2014 10:16:33.391 DEBUG Creating device listener for "/dev/input/event13" 
04-12-2014 10:16:33.391 DEBUG Creating device listener for "/dev/input/event14" 
04-12-2014 10:16:33.391 DEBUG Creating device listener for "/dev/input/event15" 
04-12-2014 10:16:33.391 DEBUG Creating device listener for "/dev/input/event2" 
04-12-2014 10:16:33.391 DEBUG Creating device listener for "/dev/input/event3" 
04-12-2014 10:16:33.392 DEBUG Creating device listener for "/dev/input/event4" 
04-12-2014 10:16:33.392 DEBUG Creating device listener for "/dev/input/event5" 
04-12-2014 10:16:33.393 DEBUG Creating device listener for "/dev/input/event6" 
04-12-2014 10:16:33.393 DEBUG Creating device listener for "/dev/input/event7" 
04-12-2014 10:16:33.393 DEBUG Creating device listener for "/dev/input/event8" 
04-12-2014 10:16:33.393 DEBUG Creating device listener for "/dev/input/event9" 
04-12-2014 10:17:03.709 DEBUG Version is up to date! Current:  "2.4.1"  - Latest:  "2.4.1"  

So it appears that libpcap is properly installed, but cannot itself find the network device.

I have tried uninstalling and reinstalling all of the required packages several times, and have also tried different versions of whatpulse I could find (including old betas from the forums and 32 bit versions) without success.

Any thoughts? Thanks.

Have you installed the libpcap packages? On Linux the client basically tries 3 ways to get network info; pcap, pfring and finally getting the stats from /proc/ - The latter doesn’t provide network stats that you can pulse, as the client can’t tell the difference between local and internet traffic.

PCap is the most reliable, make sure you have that installed.

Yes, I do have libpcap installed. And the whatpulse log shows that:

04-12-2014 10:16:33.117 DEBUG No pcap network devices found! Did you run the ChmodBPF script? 
04-12-2014 10:16:33.117 DEBUG Fallback to ProcNetworkTrafficMonitor. Only interface statistics available.  

When I have tried uninstalling/reinstalling libpcap, this section changes, noting that libpcap is not found.

Here is what I have installed:

$ dpkg --get-selections | grep pcap
libpcap-dev					install
libpcap0.8:amd64				install
libpcap0.8-dev					install
libpcapnav0					install
pcaputils					install

Also, something I just tried, if I run whatpulse with sudo, my network card is detected by libpcap and network traffic IS added to unpulsed. However, it is not measured correctly. For instance, if I transfer a 100 mb file while running whatpulse as superuser, only ~10 mb gets measured and added to unpulsed. Running it normally, the full 100 mb is measured, but none is added to unpulsed.

You shouldn’t run it as root anyway, so never mind the discrepancy.

So it detects that setcap has been properly run, it detects pcap but cannot list any interfaces with pcap. Do you have any strict permission stuff set up, something like that selinux pain in the butt?

There’s not really another reason why pcap would not turn up with any interfaces, if the client sees the library and can use it, besides when it’s being blocked from it.

Nope, I don’t have SELinux installed.

Interestingly, when I run this simple test:

#include <stdio.h>
#include <pcap.h>

int main(int argc, char *argv[]) {
    char *dev, errbuf[PCAP_ERRBUF_SIZE];

    dev = pcap_lookupdev(errbuf);
    if(dev == NULL) {
        printf("Error: %s\n", errbuf);
        return(2);
    }

    printf("Device: %s\n", dev);
    return(0);
}

I only find a device when using sudo, even when running setcap first (and getcap confirms the capabilities are set).

I had this issue for quite some time before I eventually figured out what I had missed. In my case I have filesystems which are writable by regular users mounted with the nosuid mount option, a wise security precaution given the obvious potential risk of allowing unprivileged accounts to have the possibility to modify an suid executable.

I failed to realize that the nosuid mount option covers the grant of limited root privileges through file capabilities also. This was not initially obvious given the option still has it’s historic nosuid name but when considering that file capabilities were created as an improved way of granting special privileges to certain executables without having to grant full root extending the option to cover these does make sense.

You can easily check if this is the problem you are having by typing the following command from the directory where you have whatpulse installed:

cat /proc/mounts | grep -P "\s$(stat --format=%m ./whatpulse)\s"

You should get a line of output like this showing the block device node, mount point, filesystem type and mount options

/dev/mapper/vg-home /home ext4 rw,nosuid,resuid=1000,resgid=100,commit=600,stripe=256,data=ordered 0 0

If you see nosuid in the last column there like in this case then you will not be able to use file capabilities to grant the CAP_NET_ADMIN and CAP_NET_RAW capabilities correctly. If this is the case for you I would recommend leaving the file system mount options alone as there is good reason to not allow suid on user writable portions of the file system.

The best solution would be to install whatpulse to the system binaries path either in /bin or probably better in /usr/bin both of these locations contain other suid or setcap executables on a typical desktop system (eg /bin/ping, /bin/passwd, /usr/bin/cdrecord, /usr/bin/gpasswd).

To install whatpulse into /usr/bin with the proper permissions and capabilities:

sudo mv ./whatpulse /usr/bin
sudo chown root.root /usr/bin/whatpulse
sudo chmod 755 /usr/bin/whatpulse
sudo setcap 'CAP_NET_ADMIN,CAP_NET_RAW=ep' /usr/bin/whatpulse
ln -s /usr/bin/whatpulse .

Many thanks! I had the client running from inside my home dir and your solution fixed it for me.