AgentSkillsCN

mmt-operate

Run MMT-Probe, understand its report output, use dynamic control, and troubleshoot operations.

SKILL.md
---
name: mmt-operate
version: 1.0.0
description: Run MMT-Probe, understand report output, use dynamic control, and troubleshoot operations
---

MMT-Probe Operation

Guide the user through running MMT-Probe, interpreting its output, and controlling it at runtime.

Triggers

Use this skill when the user asks to:

  • Run or start MMT-Probe
  • Analyze a PCAP file
  • Understand report output or data format
  • Check probe status or logs
  • Control the probe at runtime (start, stop, update)
  • Troubleshoot operational issues (no output, packet drops, etc.)

Important: Docker / Non-root Environments

Inside Docker containers you typically run as root, so sudo is not needed and may not be available. Omit sudo from all commands when running inside Docker. The commands below show sudo for host use; drop it in containers. Note also that systemctl is typically unavailable inside containers.

Execution Modes

Live capture on interface

bash
sudo ./probe -i eth0          # on host (needs root for raw capture)
./probe -i eth0                # in Docker (already root)

Offline PCAP analysis

bash
./probe -t /path/to/capture.pcap   # no sudo needed for file analysis

With a configuration file

bash
./probe -c /path/to/mmt-probe.conf

As a systemd service

Available when installed to /opt/mmt/probe/ on a host with systemd (not available inside Docker).

bash
sudo systemctl start mmt-probe
sudo systemctl stop mmt-probe
sudo systemctl status mmt-probe

With Docker

bash
# Live capture
docker run --network=host ghcr.io/montimage/mmt-probe:latest \
    mmt-probe -i eth0 -Xfile-output.enable=true

# PCAP file analysis
docker run -v /path/to/pcaps:/data ghcr.io/montimage/mmt-probe:latest \
    mmt-probe -t /data/capture.pcap

Quick test

bash
./probe -t test/UA-Exp01.pcap -Xfile-output.output-dir=/tmp/mmt-test/
ls -la /tmp/mmt-test/

CLI Flags Reference

| Flag | Description | Example |
|------|-------------|---------|
| -v | Print version info and exit | ./probe -v |
| -h | Print usage help and exit | ./probe -h |
| -c <file> | Use specific config file | ./probe -c my.conf |
| -t <pcap> | Offline mode: analyze PCAP file | ./probe -t capture.pcap |
| -i <iface> | Online mode: capture on interface | ./probe -i eth0 |
| -X <key>=<val> | Override a config parameter | -Xthread-nb=4 |
| -x | List all overridable parameters | ./probe -x |

Multiple -X flags can be combined:

bash
./probe -i eth0 -Xfile-output.enable=true -Xsecurity.enable=true -Xthread-nb=2

Use sudo on a host system for live capture. In Docker, omit it.

Report Types

All reports share a common header:

| Column | Name | Description |
|--------|------|-------------|
| 1 | format_id | Report type identifier |
| 2 | probe_id | Probe instance identifier |
| 3 | source | Interface name or PCAP file path |
| 4 | timestamp | Seconds.micros (packet time, or real time for id=201) |

Report Type Summary

| Format ID | Name | Description | Channel |
|-----------|------|-------------|---------|
| 1 | Startup | Sent once at probe start (version info) | |
| 10 | Security | Security alerts from MMT-Security | security.report |
| 30 | License | License status reports | license.stat |
| 99 | Protocol Stats | Protocol/app statistics (non-session) | |
| 100 | Session | Per-flow session statistics | session.report |
| 200 | Status | Probe liveness + packet counts (online only) | |
| 201 | System Info | CPU and memory usage of the host | |
| 301 | HTTP Reconstruct | Metadata of reconstructed HTTP files | |
| 400 | eNodeB Topology | LTE element add/remove events | |
| 401 | eNodeB QoS | UE dedicated bearer allocation | |
| 1000 | Event | Custom event-triggered reports | event.report |

Status Report (ID 200)

Reports probe liveness during live capture. Emitted every stats-period seconds.

| Col | Name | Description |
|-----|------|-------------|
| 5 | nic-pkt | Packets received by NIC |
| 6 | nic-lost | Packets dropped by NIC |
| 7 | mmt-pkt | Packets received by MMT |
| 8 | mmt-lost | Packets dropped by MMT |
| 9 | mmt-bytes | Bytes received by MMT |
| 10 | mmt-b-lost | Bytes dropped by MMT |

System Info Report (ID 201)

| Col | Name | Description |
|-----|------|-------------|
| 5 | user_cpu | % CPU in user mode |
| 6 | sys_cpu | % CPU in system mode |
| 7 | idle | % CPU idle |
| 8 | avail_mem | Available memory (kB) |
| 9 | total_mem | Total memory (kB) |

Example: 201,3,"eth0",1498126191.034157,98.57,0.72,0.72,1597680,2048184

Session Report (ID 100)

Per-flow statistics with 41 common columns including:

  • Client/server IP and MAC addresses (cols 20-23)
  • Session ID, ports (cols 24-26)
  • Handshake time, app response time, data transfer time (cols 28-30)
  • Client/server RTT min/max/avg (cols 31-36)
  • TCP retransmissions (cols 37-38)
  • Sub-format ID (col 39) determining extension fields

Session sub-formats

| Sub-format | Protocol | Extension Fields |
|------------|----------|------------------|
| 0 | Default | (none) |
| 1 | HTTP | Response time, hostname, MIME, referrer, CDN, URI, method, status |
| 2 | SSL | Server name, CDN flag |
| 3 | RTP | Packet loss rate, burstiness, max jitter, order errors |
| 4 | FTP | Username, password, file size, file name, direction |
| 5 | GTP | Outer IP src/dst, TEIDs array |

Event Report (ID 1000)

| Col | Name | Description |
|-----|------|-------------|
| 5 | event-id | String identifier of the event-report |
| 6 | event | Event attribute value that triggered the report |
| 7+ | attributes | Registered attributes (variable count) |

Example: 1000,3,"./file.pcap",1399407481.189781,1,172.19.190.67,172.19.190.67

Security Report (ID 10)

| Col | Name | Description |
|-----|------|-------------|
| 5 | property_id | Rule identifier number |
| 6 | verdict | detected, not_detected, respected, not_respected, unknown |
| 7 | type | attack, security, test, evasion |
| 8 | cause | Description of the property |
| 9 | history | JSON object with events leading to the verdict |
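As an added example (not part of this skill or of MMT-Probe's own tooling), the following Python splits report lines on the common four-column header and maps the bodies of ID 200, 201 and 10 reports to the symptoms listed later in the troubleshooting table. The sample lines and the idle-CPU threshold are constructed for this example, not taken from a real probe run.

```python
import csv

# Constructed sample report lines in MMT-Probe's CSV layout (ids 200, 201, 10);
# the values are made up for this example and are not real probe output.
SAMPLE_REPORTS = """\
200,3,"eth0",1498126191.000000,100000,0,100000,0,64000000,0
201,3,"eth0",1498126191.034157,98.57,0.72,0.72,1597680,2048184
200,3,"eth0",1498126196.000000,250000,12000,238000,4000,150000000,2560000
10,3,"eth0",1498126197.120000,42,detected,attack,"Example property text","{}"
"""

def parse_report(line):
    """Split one report line into the common header and the type-specific body."""
    fields = next(csv.reader([line]))
    return {
        "format_id": int(fields[0]),
        "probe_id": int(fields[1]),
        "source": fields[2],            # interface name or PCAP path (quoted in the file)
        "timestamp": float(fields[3]),  # seconds.micros
        "body": fields[4:],             # columns 5+ depend on format_id
    }

def triage(text, idle_floor=10.0):
    """Return (timestamp, symptom, detail) tuples for report lines that match
    a row of the troubleshooting table. idle_floor is this example's choice."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rep = parse_report(line)
        fid, ts, body = rep["format_id"], rep["timestamp"], rep["body"]
        if fid == 200:  # status: nic-pkt, nic-lost, mmt-pkt, mmt-lost, mmt-bytes, mmt-b-lost
            nic_pkt, nic_lost, mmt_pkt, mmt_lost = (int(v) for v in body[:4])
            if nic_lost:
                findings.append((ts, "nic-lost", f"{nic_lost}/{nic_pkt} dropped by NIC: raise input.buffer-size"))
            if mmt_lost:
                findings.append((ts, "mmt-lost", f"{mmt_lost}/{mmt_pkt} dropped by MMT: raise thread-nb/thread-queue"))
        elif fid == 201:  # system info: user_cpu, sys_cpu, idle, avail_mem, total_mem
            idle = float(body[2])
            if idle < idle_floor:
                findings.append((ts, "cpu-saturated", f"idle={idle}%: host CPU is the bottleneck"))
        elif fid == 10:  # security: property_id, verdict, type, cause, history
            prop, verdict, kind = body[0], body[1], body[2]
            if verdict in ("detected", "not_respected"):
                findings.append((ts, "security-alert", f"property {prop} ({kind}): {verdict}"))
    return findings
```

Feed it the contents of a file from file-output.output-dir (or stdout output) to get a quick list of which troubleshooting rows apply.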

Output Channel Quick Reference

Reports can be directed to specific output channels using output-channel:

code
output-channel = {file}           # File only
output-channel = {redis, kafka}   # Redis and Kafka
output-channel = {file, mongodb, socket, mqtt}  # Multiple
output-channel = {stdout}         # Console output
output-channel = {}               # Default (file)

Each channel must be globally enabled (e.g., kafka-output.enable = true) for the routing to work.

Dynamic Control

Requires: DYNAMIC_CONFIG_MODULE and dynamic-config.enable = true

Control the probe at runtime via Unix domain socket (default: /tmp/mmt.sock).

Start processing

bash
printf "start\0" | nc -U /tmp/mmt.sock          # in Docker (already root)
printf "start\0" | sudo nc -U /tmp/mmt.sock      # on host

Returns: 0=success, 1=already running, 2=error

Stop processing

bash
printf "stop\0" | nc -U /tmp/mmt.sock

Returns: 0=success, 1=not running, 2=error

Update configuration

bash
printf 'update{\ninput.source="enp0s3"\ninput.mode=ONLINE\n}\0' | nc -U /tmp/mmt.sock

Returns: 0=updated (no restart), 1=updated (restarted), 2=syntax error, 3=internal error

List parameters

bash
printf 'ls\0' | nc -U /tmp/mmt.sock

Viewing Logs

bash
# Systemd service logs
journalctl -t mmt-probe

# Follow logs in real time
journalctl -t mmt-probe -f

# Logs from last hour
journalctl -t mmt-probe --since "1 hour ago"

Performance Tips

  1. Increase threads for high-throughput: -Xthread-nb=4
  2. Increase queue size to reduce drops: -Xthread-queue=524288
  3. Use BPF filters to reduce processing load: -Xinput.pcap-filter="tcp port 80"
  4. Increase cache for batch efficiency: -Xoutput.cache-max=500000
  5. Disable unused reports to reduce overhead:
    • -Xsession-report.http=false -Xsession-report.rtp=false
  6. Use DPDK for 10Gbps+ links (requires DPDK build)

Troubleshooting Operations

| Problem | Possible Cause | Solution |
|---------|----------------|----------|
| No output files | file-output.enable is false | -Xfile-output.enable=true |
| No output files | Wrong output directory | Check that the -Xfile-output.output-dir path exists |
| Probe exits immediately | License check failed | Remove LICENSE_MODULE or provide license.key |
| High nic-lost in status reports | NIC buffer too small | Increase input.buffer-size |
| High mmt-lost in status reports | Processing too slow | Increase thread-nb and thread-queue |
| Packet drops with multi-thread | Thread queue full | Increase thread-queue value |
| Permission denied on interface | Missing root/capabilities | Run with sudo on host, or use --network=host in Docker |
| error while loading shared libraries | Library path issue | Run ldconfig (or sudo ldconfig on host) |
| sudo: command not found | Running inside Docker | Omit sudo; you are already root in Docker |
| High memory usage | Too many active sessions | Reduce session-timeout values |
| Reports not in expected channel | Channel not enabled | Ensure global <channel>-output.enable = true |

Cross-references

  • To install MMT-Probe, use /mmt-install.
  • To configure the probe, use /mmt-configure.
  • For general help and architecture, use /mmt-help.