mmt-operate
Run MMT-Probe, understand report output, use dynamic control, and troubleshoot operations
| Field | Value |
|---|---|
| name | mmt-operate |
| version | 1.0.0 |
| description | Run MMT-Probe, understand report output, use dynamic control, and troubleshoot operations |
Guide the user through running MMT-Probe, interpreting its output, and controlling it at runtime.
Use this skill when the user asks to:
Inside Docker containers you typically run as root, so sudo is not needed and may not be available. Omit sudo from all commands when running inside Docker. The commands below show sudo for host use; drop it in containers. Note also that systemctl is typically unavailable inside containers.
```shell
sudo ./probe -i eth0                  # on host (needs root for raw capture)
./probe -i eth0                       # in Docker (already root)
./probe -t /path/to/capture.pcap      # no sudo needed for file analysis
./probe -c /path/to/mmt-probe.conf    # run with a specific config file
```
Available when installed to /opt/mmt/probe/ on a host with systemd (not available inside Docker).
```shell
sudo systemctl start mmt-probe
sudo systemctl stop mmt-probe
sudo systemctl status mmt-probe
```
```shell
# Live capture
docker run --network=host ghcr.io/montimage/mmt-probe:latest \
  mmt-probe -i eth0 -Xfile-output.enable=true

# PCAP file analysis
docker run -v /path/to/pcaps:/data ghcr.io/montimage/mmt-probe:latest \
  mmt-probe -t /data/capture.pcap
```
```shell
./probe -t test/UA-Exp01.pcap -Xfile-output.output-dir=/tmp/mmt-test/
ls -la /tmp/mmt-test/
```
| Flag | Description | Example |
|---|---|---|
| -v | Print version info and exit | ./probe -v |
| -h | Print usage help and exit | ./probe -h |
| -c <file> | Use specific config file | ./probe -c my.conf |
| -t <pcap> | Offline mode: analyze PCAP file | ./probe -t capture.pcap |
| -i <iface> | Online mode: capture on interface | ./probe -i eth0 |
| -X <key>=<val> | Override a config parameter | -Xthread-nb=4 |
| -x | List all overridable parameters | ./probe -x |
Multiple -X flags can be combined:
```shell
./probe -i eth0 -Xfile-output.enable=true -Xsecurity.enable=true -Xthread-nb=2
```
Use sudo on a host system for live capture. In Docker, omit it.
All reports share a common header:
| Column | Name | Description |
|---|---|---|
| 1 | format_id | Report type identifier |
| 2 | probe_id | Probe instance identifier |
| 3 | source | Interface name or PCAP file path |
| 4 | timestamp | Seconds.micros (packet time or real time for id=201) |
| Format ID | Name | Description | Channel |
|---|---|---|---|
| 1 | Startup | Sent once at probe start (version info) | — |
| 10 | Security | Security alerts from MMT-Security | security.report |
| 30 | License | License status reports | license.stat |
| 99 | Protocol Stats | Protocol/app statistics (non-session) | — |
| 100 | Session | Per-flow session statistics | session.report |
| 200 | Status | Probe liveness + packet counts (online only) | — |
| 201 | System Info | CPU and memory usage of the host | — |
| 301 | HTTP Reconstruct | Metadata of reconstructed HTTP files | — |
| 400 | eNodeB Topology | LTE element add/remove events | — |
| 401 | eNodeB QoS | UE dedicated bearer allocation | — |
| 1000 | Event | Custom event-triggered reports | event.report |
Reports probe liveness during live capture. Created every stats-period seconds.
| Col | Name | Description |
|---|---|---|
| 5 | nic-pkt | Packets received by NIC |
| 6 | nic-lost | Packets dropped by NIC |
| 7 | mmt-pkt | Packets received by MMT |
| 8 | mmt-lost | Packets dropped by MMT |
| 9 | mmt-bytes | Bytes received by MMT |
| 10 | mmt-b-lost | Bytes dropped by MMT |
| Col | Name | Description |
|---|---|---|
| 5 | user_cpu | % CPU in user mode |
| 6 | sys_cpu | % CPU in system mode |
| 7 | idle | % CPU idle |
| 8 | avail_mem | Available memory (kB) |
| 9 | total_mem | Total memory (kB) |
Example: 201,3,"eth0",1498126191.034157,98.57,0.72,0.72,1597680,2048184
Per-flow statistics with 41 common columns including:
| Sub-format | Protocol | Extension Fields |
|---|---|---|
| 0 | Default | (none) |
| 1 | HTTP | Response time, hostname, MIME, referrer, CDN, URI, method, status |
| 2 | SSL | Server name, CDN flag |
| 3 | RTP | Packet loss rate, burstiness, max jitter, order errors |
| 4 | FTP | Username, password, file size, file name, direction |
| 5 | GTP | Outer IP src/dst, TEIDs array |
| Col | Name | Description |
|---|---|---|
| 5 | event-id | String identifier of the event-report |
| 6 | event | Event attribute value that triggered the report |
| 7+ | attributes | Registered attributes (variable count) |
Example: 1000,3,"./file.pcap",1399407481.189781,1,172.19.190.67,172.19.190.67
| Col | Name | Description |
|---|---|---|
| 5 | property_id | Rule identifier number |
| 6 | verdict | detected, not_detected, respected, not_respected, unknown |
| 7 | type | attack, security, test, evasion |
| 8 | cause | Description of the property |
| 9 | history | JSON object with events leading to the verdict |
Reports can be directed to specific output channels using output-channel:
```
output-channel = {file}                       # File only
output-channel = {redis, kafka}               # Redis and Kafka
output-channel = {file, mongodb, socket, mqtt} # Multiple
output-channel = {stdout}                     # Console output
output-channel = {}                           # Default (file)
```
Each channel must be globally enabled (e.g., kafka-output.enable = true) for the routing to work.
Requires: DYNAMIC_CONFIG_MODULE and dynamic-config.enable = true
Control the probe at runtime via Unix domain socket (default: /tmp/mmt.sock).
```shell
# Start capture
printf "start\0" | nc -U /tmp/mmt.sock        # in Docker (already root)
printf "start\0" | sudo nc -U /tmp/mmt.sock   # on host
```
Returns: 0=success, 1=already running, 2=error
```shell
# Stop capture
printf "stop\0" | nc -U /tmp/mmt.sock
```
Returns: 0=success, 1=not running, 2=error
```shell
# Update configuration parameters at runtime
printf 'update{\ninput.source="enp0s3"\ninput.mode=ONLINE\n}\0' | nc -U /tmp/mmt.sock
```
Returns: 0=updated (no restart), 1=updated (restarted), 2=syntax error, 3=internal error
```shell
# List current parameters
printf 'ls\0' | nc -U /tmp/mmt.sock
```
```shell
# Systemd service logs
journalctl -t mmt-probe
# Follow logs in real time
journalctl -t mmt-probe -f
# Logs from last hour
journalctl -t mmt-probe --since "1 hour ago"
```
Common performance tuning overrides (combine with -X):
```shell
-Xthread-nb=4
-Xthread-queue=524288
-Xinput.pcap-filter="tcp port 80"
-Xoutput.cache-max=500000
-Xsession-report.http=false -Xsession-report.rtp=false
```
| Problem | Possible Cause | Solution |
|---|---|---|
| No output files | file-output.enable is false | -Xfile-output.enable=true |
| No output files | Wrong output directory | Check -Xfile-output.output-dir path exists |
| Probe exits immediately | License check failed | Remove LICENSE_MODULE or provide license.key |
| High nic-lost in status reports | NIC buffer too small | Increase input.buffer-size |
| High mmt-lost in status reports | Processing too slow | Increase thread-nb and thread-queue |
| Packet drops with multi-thread | Thread queue full | Increase thread-queue value |
| Permission denied on interface | Missing root/capabilities | Run with sudo on host, or use --network=host in Docker |
| error while loading shared libraries | Library path issue | Run ldconfig (or sudo ldconfig on host) |
| sudo: command not found | Running inside Docker | Omit sudo; you are already root in Docker |
| High memory usage | Too many active sessions | Reduce session-timeout values |
| Reports not in expected channel | Channel not enabled | Ensure global <channel>-output.enable = true |
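The status (200) and system-info (201) report layouts above, combined with this troubleshooting table, as an added example that is not part of the original skill or of MMT-Probe itself: it parses the CSV report lines and turns NIC drops, MMT drops and low free memory into the corresponding tuning suggestions. The 200 line is constructed, the 201 line is the one quoted above, and the loss-ratio and memory thresholds are assumptions.

```python
import csv
import io

# Constructed sample lines (not real probe output): a status report
# (format_id 200) and the system-info line (format_id 201) quoted on this
# page. Column order follows the report tables above.
SAMPLE_REPORTS = """\
200,3,"eth0",1498126190.000000,1000000,60000,940000,4700,700000000,3000000
201,3,"eth0",1498126191.034157,98.57,0.72,0.72,1597680,2048184
"""

STATUS_COLS = ["nic_pkt", "nic_lost", "mmt_pkt", "mmt_lost",
               "mmt_bytes", "mmt_b_lost"]
SYSINFO_COLS = ["user_cpu", "sys_cpu", "idle", "avail_mem", "total_mem"]


def parse_report(line):
    """Split one CSV report line into the 4 common header columns plus
    the typed body for the report types handled here (200 and 201)."""
    fields = next(csv.reader(io.StringIO(line)))
    rep = {"format_id": int(fields[0]), "probe_id": int(fields[1]),
           "source": fields[2], "timestamp": float(fields[3])}
    body = fields[4:]
    if rep["format_id"] == 200:
        rep.update(zip(STATUS_COLS, map(int, body)))
    elif rep["format_id"] == 201:
        rep.update(zip(SYSINFO_COLS, map(float, body)))
    return rep


def tuning_advice(rep, loss_threshold=0.01, mem_threshold=0.10):
    """Apply the troubleshooting table: NIC drops point at the NIC buffer,
    MMT drops at processing capacity, low free memory at session timeouts.
    Loss ratios are computed against packets received (an assumption)."""
    advice = []
    if rep["format_id"] == 200:
        if rep["nic_pkt"] and rep["nic_lost"] / rep["nic_pkt"] > loss_threshold:
            advice.append("high nic-lost: increase input.buffer-size")
        if rep["mmt_pkt"] and rep["mmt_lost"] / rep["mmt_pkt"] > loss_threshold:
            advice.append("high mmt-lost: increase thread-nb and thread-queue")
    elif rep["format_id"] == 201:
        if rep["total_mem"] and rep["avail_mem"] / rep["total_mem"] < mem_threshold:
            advice.append("low available memory: reduce session-timeout values")
    return advice


def analyse(text=SAMPLE_REPORTS):
    """Return (report, advice) pairs for every status/system-info line."""
    reports = [parse_report(l) for l in text.splitlines() if l.strip()]
    return [(r, tuning_advice(r)) for r in reports if r["format_id"] in (200, 201)]


if __name__ == "__main__":
    for rep, advice in analyse():
        print(rep["format_id"], rep["timestamp"], advice or ["ok"])
```

Point `analyse()` at the contents of a file from the file-output directory to run it over real status reports.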