Debugging

This guide helps diagnose and resolve common HookProbe issues.

Quick Diagnostics

Health Check

hookprobe-ctl health --verbose

Service Status

hookprobe-ctl status
systemctl status hookprobe-agent.service

View Logs

hookprobe-ctl logs -f
journalctl -u hookprobe-agent.service --since "1 hour ago"

Common Issues

Service Won’t Start

Symptoms:

hookprobe-ctl status shows “stopped”
Service fails to start

Diagnostics:

# Check status
systemctl status hookprobe-agent.service

# View detailed errors
journalctl -u hookprobe-agent.service -n 100

# Check provision
systemctl status hookprobe-provision.service

Common Causes:

Missing dependencies

sudo apt install -y podman openvswitch-switch
sudo systemctl start hookprobe-provision.service

Port conflict

sudo ss -tlnp | grep 8888
# Kill conflicting process or change port

Permission issues

sudo chown -R root:root /opt/hookprobe
sudo chmod 755 /opt/hookprobe

XDP Not Loading

Symptoms:

No XDP in ip link show
hookprobe-ctl metrics | grep xdp shows zeros

Diagnostics:

# Check kernel version (need 5.4+)
uname -r

# Check NIC driver
ethtool -i eth0 | grep driver

# Check XDP programs
bpftool prog list

Solutions:

Wrong mode

# Try generic mode
XDP_MODE="skb"
sudo systemctl restart hookprobe-agent.service

Unsupported NIC
- Some NICs only support generic XDP
- Check NIC compatibility

Kernel too old

# Upgrade kernel (Ubuntu)
sudo apt install linux-generic-hwe-22.04
sudo reboot

High QSecBit Score

Symptoms:

Score stuck in AMBER or RED
False positives

Diagnostics:

# View score breakdown
hookprobe-ctl metrics | jq '.qsecbit'

# Check which component is high
hookprobe-ctl metrics | jq '.qsecbit.components'

Analysis:

High Component	Likely Cause
threats	Active attack or false positive
mobile	Untrusted network (normal on public WiFi)
ids	IDS rules triggering (review alerts)
xdp	High packet rate (DDoS or busy network)
dnsxai	Many blocked domains (check if legitimate)

Solutions:

Review alerts
Terminal window
```
hookprobe-ctl logs | grep alert
```

Adjust thresholds

QSECBIT_AMBER_THRESHOLD=0.50
QSECBIT_RED_THRESHOLD=0.75

Whitelist false positives
/etc/hookprobe/dnsxai.yaml
```
whitelist:
  - "legitimate-domain.com"
```

High Memory Usage

Symptoms:

System sluggish
OOM kills in logs

Diagnostics:

# Check memory usage
free -h

# Check HookProbe processes
ps aux | grep hookprobe

# Check container memory
podman stats --no-stream

Solutions:

Set memory limits

sudo systemctl edit hookprobe-agent.service

[Service]
MemoryMax=1G

Reduce log retention
```
logging:
  max_size_mb: 50
  max_files: 5
```
Switch to efficiency mode
Terminal window
```
hookprobe-ctl hotshot --mode efficiency
```

WiFi Hotspot Not Working (Guardian)

Symptoms:

Can’t see “HookProbe-Guardian” WiFi
Clients can’t connect

Diagnostics:

# Check hostapd
systemctl status hostapd
journalctl -u hostapd -n 50

# Check WiFi interfaces
iw dev

# Check DHCP
systemctl status dnsmasq

Solutions:

Wrong country code

# Check/set WiFi country
sudo raspi-config  # Localisation Options

Interface not available

# Check WiFi adapters
iw dev

# Restart networking
sudo systemctl restart NetworkManager

Channel conflict

# Edit hostapd.conf
channel=6  # Try different channel

Mesh Connection Failed

Symptoms:

hookprobe-ctl mesh status shows disconnected
No peers visible

Diagnostics:

# Check mesh status
hookprobe-ctl mesh status

# Check HTP connectivity
nc -vuz validator1.hookprobe.mesh 8144

# Check gossip port
nc -vz validator1.hookprobe.mesh 7946

Solutions:

Firewall blocking

sudo ufw allow 8144/udp
sudo ufw allow 7946/tcp
sudo ufw allow 7946/udp

Wrong bootstrap nodes

gossip:
  bootstrap_nodes:
    - "validator1.hookprobe.mesh:7946"

Network issue

# Test DNS resolution
dig validator1.hookprobe.mesh

# Test connectivity
ping validator1.hookprobe.mesh

Log Analysis

Log Locations

Log	Path
Agent	`/var/log/hookprobe/agent.log`
Provision	`/var/log/hookprobe/provision.log`
Update	`/var/log/hookprobe/update.log`
NAPSE	`/var/log/napse/events.json`

Search Logs

# Find errors
grep -i error /var/log/hookprobe/agent.log

# Find specific event
grep "QSecBit" /var/log/hookprobe/agent.log | tail -20

# JSON log analysis
cat /var/log/hookprobe/agent.log | jq 'select(.level=="ERROR")'

Log Levels

# Enable debug logging
sudo systemctl edit hookprobe-agent.service

[Service]
Environment="LOG_LEVEL=DEBUG"

sudo systemctl daemon-reload
sudo systemctl restart hookprobe-agent.service

Debug Mode

Enable Debug Output

# Run agent in foreground with debug
sudo /opt/hookprobe/agent/main.py --debug --foreground

Debug Endpoints

# Debug metrics
curl http://localhost:8888/debug/metrics

# Debug state
curl http://localhost:8888/debug/state

# Debug connections
curl http://localhost:8888/debug/connections

Forensic Analysis

Capture State

# Create debug bundle
hookprobe-ctl debug-bundle --output /tmp/debug-$(date +%Y%m%d).tar.gz

What’s Included

Configuration files
Recent logs
System information
Network state
Service status
Metrics snapshot

Getting Help

Before Reporting

Check this debugging guide
Create debug bundle
Note steps to reproduce

Report Issues

GitHub: https://github.com/hookprobe/hookprobe/issues
Email: [email protected]

Include

Debug bundle
HookProbe version
OS and kernel version
Steps to reproduce
Expected vs actual behavior

Next Steps

Configuration - Review settings
CLI Reference - Command help
Architecture - System understanding