From netramet-owner  Tue Feb  1 02:45:33 2000
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id CAA08592
       for netramet-outgoing; Tue, 1 Feb 2000 02:40:27 +1300 (NZDT)
Received: from ncrottchoexint9.navcanada.ca (nc2.navcanada.ca [204.191.53.162])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id CAA08586
       for <[email protected]>; Tue, 1 Feb 2000 02:40:24 +1300 (NZDT)
Received: from thewall (thewall.navcanada.ca [172.20.1.10]) by ncrottchoexint9.navcanada.ca with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0)
       id RLRTQFRH; Mon, 31 Jan 2000 08:45:11 -0500
Received: from gatewayserver2 ([172.20.7.149]) by thewall.navcanada.ca; Mon, 31 Jan 2000 08:34:41 +0000 (EST)
Received: from SMTP (NCROTTCHOOUSCAN [172.20.7.147]) by ncrottchoexin5.navcanada.ca with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0)
       id C7L63J74; Mon, 31 Jan 2000 08:41:04 -0500
Received: from ncrottchoexint1.navcanada.ca ([172.20.1.15]) by 172.20.7.147
 (Norton AntiVirus for Internet Email Gateways 1.0) ;
 Mon, 31 Jan 2000 13:49:07 0000 (GMT)
Received: by ncrottchoexint1.navcanada.ca with Internet Mail Service (5.5.2448.0)
       id <D593P1GH>; Mon, 31 Jan 2000 08:40:08 -0500
Message-ID: <8D6E89A27490D21190240008C75D92BF0100DD@ncrotttscexusr1.navcanada.ca>
From: "Lu, Mark" <[email protected]>
To: Marcelo Pias <[email protected]>
Cc: [email protected]
Subject: RE: NeTraMet under windows
Date: Mon, 31 Jan 2000 08:40:08 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: multipart/alternative;
       boundary="----_=_NextPart_001_01BF6BF0.AFAEA1A6"
Sender: [email protected]
Precedence: bulk

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_001_01BF6BF0.AFAEA1A6
Content-Type: text/plain;
       charset="iso-8859-1"

I have seen a port of libpcap with src for windoze on the net...search under
windump (a port of tcpdump)

        -----Original Message-----
        From:   Nevil Brownlee [mailto:[email protected]]
        Sent:   Friday, January 28, 2000 9:52 AM
        To:     Marcelo Pias
        Cc:     [email protected]; [email protected]
        Subject:        Re: NeTraMet under windows

        Hello Marcello:

        >       I was wondering if you know any implementation of NeTraMet for
        > Windows (95,98...). I tried to use the PC version of NeTraMet but it
        > didn't work under Windows 98. I would be interested in the NeTraMet
        > running together with other applications (browsers, email programs...) and
        > measuring this traffic, basically on the end side.

        I don't know of one.  It would be easy to port NeMaC and friends,
        since they only need BSD sockets (Winsock shouldn't be too hard).
        To port NeTraMet requires you to observe packets on an interface
        in promiscuous mode, ideally by porting the libpcap library to
        Windows.  IF you have a version of Winsock which allows
        promiscuous mode, maybe it wouldn't be too hard.  But, as I said,
        I don't know of anyone who's done this yet.

        Cheers, Nevil


        +---------------------------------------------------------------------+
        | Nevil Brownlee                     Director, Technology Development |
        | Phone: +64 9 373 7599 x8941        ITSS, The University of Auckland |
        |   FAX: +64 9 373 7021      Private Bag 92019, Auckland, New Zealand |
        +---------------------------------------------------------------------L


------_=_NextPart_001_01BF6BF0.AFAEA1A6--
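
Nevil's reply quoted above draws the line between NeMaC, which only needs sockets, and the meter, which must see every frame on a promiscuous interface, normally through libpcap. What the meter does with those frames is portable and needs no capture library at all. The following is an added example, not NeTraMet's code and not from anyone in this thread, of that metering core in Python: it parses constructed Ethernet/IPv4 frames, assigns each to a bidirectional flow keyed from the local side, keeps NeTraMet-style to/from packet and octet counters, and expires idle flows. The sample frames, the local prefix 192.168.1.0/24 and the flow-key layout are assumptions made for the demonstration; in a real deployment the frames would come from libpcap or WinDump, which are deliberately not used here so the example runs offline.

```python
"""Added example: the metering core a Windows port would feed from
WinDump/libpcap (or any promiscuous-mode capture). Illustrative code
for this thread, not NeTraMet's; the frames are constructed, not captured."""
import ipaddress
import struct

ETH_HDR = 14
ETHERTYPE_IPV4 = 0x0800
TCP, UDP = 6, 17


def build_frame(src, dst, proto, sport, dport, payload_len):
    """Construct an Ethernet/IPv4/{TCP,UDP} frame as sample input."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)        # MACs do not matter here
    if proto == TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    elif proto == UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    else:
        l4 = b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + payload_len, 0, 0, 64,
                     proto, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return eth + ip + l4 + bytes(payload_len)


def parse_frame(frame):
    """Return (src, dst, proto, sport, dport, ip_total_length), or None for
    anything that is not a well-formed IPv4 frame. Length checks come before
    every field read: a promiscuous meter parses whatever the wire carries."""
    if len(frame) < ETH_HDR + 20 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ver_ihl = frame[ETH_HDR]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(frame) < ETH_HDR + ihl:
        return None
    total_len = struct.unpack_from("!H", frame, ETH_HDR + 2)[0]
    proto = frame[ETH_HDR + 9]
    src = str(ipaddress.IPv4Address(frame[ETH_HDR + 12:ETH_HDR + 16]))
    dst = str(ipaddress.IPv4Address(frame[ETH_HDR + 16:ETH_HDR + 20]))
    sport = dport = 0
    l4 = ETH_HDR + ihl
    if proto in (TCP, UDP) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack_from("!HH", frame, l4)
    return src, dst, proto, sport, dport, total_len


class FlowMeter:
    """Bidirectional flows keyed from the local side, with to/from counters
    in the NeTraMet sense ("from" = sent by the local endpoint)."""

    def __init__(self, local_net):
        self.local_net = ipaddress.ip_network(local_net)   # assumed local prefix
        self.flows = {}

    def observe(self, frame, now):
        parsed = parse_frame(frame)
        if parsed is None:
            return None                                     # not IPv4 or malformed: dropped
        src, dst, proto, sport, dport, octets = parsed
        if ipaddress.ip_address(src) in self.local_net:
            key, side = (src, dst, proto, sport, dport), "from"
        else:
            key, side = (dst, src, proto, dport, sport), "to"
        flow = self.flows.setdefault(key, {"first": now, "last": now, "to_pdus": 0,
                                           "to_octets": 0, "from_pdus": 0, "from_octets": 0})
        flow[side + "_pdus"] += 1
        flow[side + "_octets"] += octets
        flow["last"] = now
        return key

    def expire(self, now, timeout):
        """Drop flows idle for longer than timeout (the meter's garbage collection);
        returns the removed keys so a collector can log them one last time."""
        dead = [k for k, f in self.flows.items() if now - f["last"] > timeout]
        for k in dead:
            del self.flows[k]
        return dead
```

The length checks in parse_frame are the point a port must not lose: a meter on a promiscuous interface is a parser of untrusted input, and a truncated or malformed frame has to be dropped rather than allowed to index past the buffer, whichever capture back end hands it over.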


From netramet-owner  Tue Feb  1 17:22:14 2000
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id RAA11315
       for netramet-outgoing; Tue, 1 Feb 2000 17:19:53 +1300 (NZDT)
Received: from exs24.ex.nus.edu.sg (exs24.ex.nus.edu.sg [137.132.116.25])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id RAA11280;
       Tue, 1 Feb 2000 17:19:39 +1300 (NZDT)
Received: by exs24.ex.nus.edu.sg with Internet Mail Service (5.5.2650.21)
       id <DN3GKAT9>; Tue, 1 Feb 2000 12:19:31 +0800
Message-ID: <[email protected]>
From: Rohit Joshi <[email protected]>
To: "'[email protected]'" <[email protected]>
Cc: "'[email protected]'" <[email protected]>
Subject: RE: NeTraMet under windows
Date: Tue, 1 Feb 2000 12:19:09 +0800
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain;
       charset="iso-8859-1"
Sender: [email protected]
Precedence: bulk


hi,
 We are in process of building a meter for Windows. I hope as soon as it is
finished and tested, I will send you a copy. Anyway, if anyone else is
interested, please send us a mail. We are trying to make the meter completely
in Java.

Rgds,
Rohit Joshi

[email protected]
(Computer and Communication Labs,
National University of Singapore)



-----Original Message-----
From: Lu, Mark
To: Marcelo Pias
Cc: [email protected]
Sent: 1/31/00 9:40 PM
Subject: RE: NeTraMet under windows

I have seen a port of libpcap with src for windoze on the net...search
under windump (a port of tcpdump)

-----Original Message-----
From:   Nevil Brownlee [mailto:[email protected]]
Sent:   Friday, January 28, 2000 9:52 AM
To:     Marcelo Pias
Cc:     [email protected]; [email protected]
Subject:        Re: NeTraMet under windows

Hello Marcello:

>       I was wondering if you know any implementation of NeTraMet for
> Windows (95,98...). I tried to use the PC version of NeTraMet but it
> didn't work under Windows 98. I would be interested in the NeTraMet
> running together with other applications (browsers, email programs...) and
> measuring this traffic, basically on the end side.

I don't know of one.  It would be easy to port NeMaC and friends,
since they only need BSD sockets (Winsock shouldn't be too hard).
To port NeTraMet requires you to observe packets on an interface
in promiscuous mode, ideally by porting the libpcap library to
Windows.  IF you have a version of Winsock which allows
promiscuous mode, maybe it wouldn't be too hard.  But, as I said,
I don't know of anyone who's done this yet.

       Cheers, Nevil


+---------------------------------------------------------------------+
| Nevil Brownlee                     Director, Technology Development |
| Phone: +64 9 373 7599 x8941        ITSS, The University of Auckland |
|   FAX: +64 9 373 7021      Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------L



From netramet-owner  Wed Feb  2 06:07:33 2000
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id GAA15932
       for netramet-outgoing; Wed, 2 Feb 2000 06:02:16 +1300 (NZDT)
Received: from ns.big-netz.de (ns.big-netz.de [195.126.133.130])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id GAA15927
       for <[email protected]>; Wed, 2 Feb 2000 06:02:11 +1300 (NZDT)
Received: from inside-gmbh.com (ns.inside.big-netz.de [195.126.133.134])
       by ns.big-netz.de (8.9.3/8.9.3) with ESMTP id SAA16351
       for <[email protected]>; Tue, 1 Feb 2000 18:21:07 GMT
Message-ID: <[email protected]>
Date: Tue, 01 Feb 2000 18:04:57 +0100
From: Robert Strycharczuk <[email protected]>
Organization: insIDe
X-Mailer: Mozilla 4.71 [en] (X11; I; Linux 2.2.13 i686)
X-Accept-Language: de, en
MIME-Version: 1.0
To: [email protected]
Subject: flow timeouts ?
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: [email protected]
Precedence: bulk

Hi,

I'm quite new to netramet but I was able to get it run :-)

After I've composed a nice rule file, NeMaC seems to collect the data as
required.  My problem is in __analysing__ the flow-logs.

I'm interested in having absolute values of in/out traffic within a time
period using NeMaC.
My idea was:
set the timeout to a value less than the collection interval.
So when new flows arrive I should see only the new flows and those ones
which have been active during the last collection time. In no way there
should be flows that started e.g. one hour ago (using collection
intervals of 10s)

I've written an application that aimed to collect absolute traffic data
from NeMaC-Logfiles.

When analysing the log files my application has to hold the flows of the
last collection in memory (recent flows). Every new incoming flow is
being compared with the recent ones. If the new flow matched an old
one, the difference is built and stored properly as a recent flow in
memory (and marked as "still used") while storing only the difference of
the recent and current flow (the absolute value of traffic within a time
period) to database (or an other log file).

When all the new flows are processed, a procedure is invoked, which
removes the recent flows from memory, when they are not marked as "still
used".

But it doesn't work :-( because Netramet seems not to remove the
inactive flows, although the garbage interval and the timeout are less
than the collection interval.
consider following scenario:
NeMaC timeout 10s, garbage interval 10s, collection interval 10s


time | action
#0   | a flow occurs and is stored by netramet
     | (only one flow is there)
#10  | flow is read by NeMaC (only one traffic occurred, so no
     | other flows are there)
#20  | NeMaC reads again, no other flows are there, so nothing is reported
#21  | a flow occurs and matches the attributes of the old flow again
#30  | NeMaC reads, and receives the same flow as in "#10" with
     | the new values (In/Out)

The flow from time "#30" has the same ID, starttime and ruleID as this
one in "#10" although it should not, since the timeout for this flow occurred
somewhere between #10 and #20.

I expected to see a NEW flow with the same attributes but different
ID, ruleID and starttime... but it is the same ;-(


The same problem will be, when switching to a new Logfile (using the
open-append-close mode), because the analyser would have to compare the
flows of the first collection from the new log file with all the previous
flows from the old log (or maybe even two! old logs).
when the timeout would do what I expected my app would only have to
compare the new flows with the flows of the LAST collection in the
previous log file...


So how can I know if a new reported flow is really new or maybe a one
hour old one ???
I can't imagine that my app has to compare this new flow with ALL!! the
previous to be sure it was not used before.

Is there maybe a possibility to cause flow to be deleted from netramet
memory when the timeout period is over to let NeMaC only receive the
really new flows ???

or did I completely misunderstand the procedures that care for
timeouts of flows ???


Thanks for any suggestions

Robert

PS. I have read the archive of this list but couldn't find any similar
problems (maybe I missed some mail ?)




From netramet-owner  Wed Feb  2 23:22:54 2000
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id XAA15490
       for netramet-outgoing; Wed, 2 Feb 2000 23:21:26 +1300 (NZDT)
Received: from nosc.ja.net (nosc.ja.net [128.86.16.20])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id XAA15479
       for <[email protected]>; Wed, 2 Feb 2000 23:21:22 +1300 (NZDT)
Received: from nosc.ja.net ([128.86.16.20])
       by nosc.ja.net with esmtp (Exim 3.10 #2)
       id 12Fwr7-0001S2-00; Wed, 02 Feb 2000 10:17:49 +0000
To: Robert Strycharczuk <[email protected]>
cc: [email protected]
Subject: Re: flow timeouts ?
In-reply-to: Your message of "Tue, 01 Feb 2000 18:04:57 +0100."
            <[email protected]>
Date: Wed, 02 Feb 2000 10:17:44 +0000
Message-ID: <[email protected]>
From: Kevin Hoadley <[email protected]>
Sender: [email protected]
Precedence: bulk

> I'm quite new to netramet but I was able to get it run :-)
>
> After I've composed a nice rule file, NeMaC seems to collect the data as
> required.  My problem is in __analysing__ the flow-logs.
>
> I'm interested in having absolute values of in/out traffic within a time
> period using NeMaC.

Have you looked at the fd_filter utility which comes with NeTraMet ? It is
there to convert the cumulative data stored by NeMaC into absolute figures.

Kevin Hoadley.
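
As an added illustration of what Kevin describes, not fd_filter's own code and not part of the original thread: NeMaC logs each flow's counters cumulatively from the moment the meter created the flow, so the per-interval figure Robert wants is the difference between a record and the previous record for the same flow. The example below keeps the last record per (flow index, rule set, start time). A record whose key matches and whose counters have not decreased is a continuation and yields a delta; anything else is a newly created flow whose counters are already absolute for the interval. That covers Robert's scenario directly: the flow that reappears at #30 with the same index and start time is differenced against #10 rather than charged in full. The FlowRecord fields, the idle-pruning rule and the sample values are assumptions made for the demonstration, not a description of fd_filter's internals.

```python
"""Added example: turn NeMaC's cumulative flow counters into per-interval
figures, the job Kevin points at fd_filter for. Illustrative code written
for this thread, not NeTraMet's; the record layout is an assumption."""
from dataclasses import dataclass

COUNTERS = ("to_octets", "from_octets", "to_pdus", "from_pdus")


@dataclass(frozen=True)
class FlowRecord:
    flow_index: int   # meter's flow-table slot; reused after garbage collection
    rule_set: int
    start_time: int   # when the meter created the flow; changes if it is re-created
    to_octets: int    # cumulative since start_time, as logged
    from_octets: int
    to_pdus: int
    from_pdus: int


class CumulativeToDelta:
    """Keep the last cumulative record per flow and emit the increment.

    A record continues a saved one only if flow_index, rule_set and
    start_time all match and no counter went backwards; otherwise the meter
    created a new flow and its counters are already absolute.
    """

    def __init__(self, max_idle_collections=360):
        self._last = {}            # (flow_index, rule_set, start_time) -> (record, collection no.)
        self._n = 0
        self._max_idle = max_idle_collections

    def process(self, records):
        """Return [(key, is_new_flow, {counter: increment}), ...] for one collection."""
        self._n += 1
        out = []
        for rec in records:
            key = (rec.flow_index, rec.rule_set, rec.start_time)
            prev = self._last.get(key)
            if prev is not None and all(getattr(rec, c) >= getattr(prev[0], c) for c in COUNTERS):
                delta = {c: getattr(rec, c) - getattr(prev[0], c) for c in COUNTERS}
                new = False
            else:
                # The slot was reused with a new start_time: drop the stale entry
                # so it can never be differenced against by mistake.
                for stale_key in [k for k in self._last if k[:2] == key[:2] and k != key]:
                    del self._last[stale_key]
                delta = {c: getattr(rec, c) for c in COUNTERS}
                new = True
            self._last[key] = (rec, self._n)
            out.append((key, new, delta))
        # Forget flows not reported for many collections. If such a flow does come
        # back its whole cumulative count lands in that interval (an overcount),
        # so this must be generous relative to the meter's flow timeout.
        # Assumed policy for this example, not fd_filter's rule.
        for k in [k for k, (_, seen) in self._last.items() if self._n - seen > self._max_idle]:
            del self._last[k]
        return out


if __name__ == "__main__":
    # Robert's timeline with constructed counter values: #10, nothing at #20,
    # the same flow again at #30, then a genuinely new flow in the same slot.
    conv = CumulativeToDelta()
    for collection in ([FlowRecord(7, 1, 0, 200, 1000, 4, 10)], [],
                       [FlowRecord(7, 1, 0, 250, 1500, 5, 15)],
                       [FlowRecord(7, 1, 35, 10, 300, 1, 3)]):
        print(conv.process(collection))
```

Because the matching key includes the start time, the converter does not need to compare a new record against every flow ever seen, only against the one saved record for that slot, which answers the "compare with ALL the previous" worry; the state that has to survive a log-file rotation is just this dictionary of last records.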

From netramet-owner  Sat Feb  5 02:16:36 2000
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id CAA05956
       for netramet-outgoing; Sat, 5 Feb 2000 02:10:13 +1300 (NZDT)
Received: from mailhub.fokus.gmd.de (mailhub.fokus.gmd.de [193.174.154.14])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id CAA05951
       for <[email protected]>; Sat, 5 Feb 2000 02:10:08 +1300 (NZDT)
Received: from buttle.fokus.gmd.de (buttle [193.175.133.78])
       by mailhub.fokus.gmd.de (8.8.8/8.8.8) with ESMTP id OAA16092
       for <[email protected]>; Fri, 4 Feb 2000 14:09:19 +0100 (MET)
Received: from fokus.gmd.de (localhost [127.0.0.1])
       by buttle.fokus.gmd.de (8.8.8/8.8.8) with ESMTP id OAA09464
       for <[email protected]>; Fri, 4 Feb 2000 14:10:00 +0100 (MET)
Message-ID: <[email protected]>
Date: Fri, 04 Feb 2000 14:10:00 +0100
From: Lars Karow <[email protected]>
X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.6 sun4u)
X-Accept-Language: en
MIME-Version: 1.0
To: [email protected]
Subject: Optimize NeTraMet ?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Precedence: bulk

Hi,

is there anyone who can suggest settings to optimize NeTraMet
performance, especially CPU load, for the following operating systems?

Solaris 2.6 (on Ultra 60), FreeBSD 3.3, Linux, DOS (on P-III 450 MHz,
128 MB RAM)

What compiler options can be (safely) used?
What flags should be enabled/disabled in the source files?
Are the available binaries in any form optimized, especially for DOS?

Is there anyone who has done performance measurements recently?

Thanks in advance

Lars Karow
--
---------------------------------------------------------------------
Lars Karow                             email:  [email protected]
GMD-Fokus                              tel:    ++49 30 3463 7176
Kaiserin-Augusta-Allee 31              fax:    ++49 30 3463 8176
10589 Berlin

From netramet-owner  Tue Feb  8 00:52:22 2000
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id AAA13025
       for netramet-outgoing; Tue, 8 Feb 2000 00:47:56 +1300 (NZDT)
Received: from ns.big-netz.de (ns.big-netz.de [195.126.133.130])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id AAA13015
       for <[email protected]>; Tue, 8 Feb 2000 00:47:50 +1300 (NZDT)
Received: from inside-gmbh.com (ns.inside.big-netz.de [195.126.133.134])
       by ns.big-netz.de (8.9.3/8.9.3) with ESMTP id NAA17742
       for <[email protected]>; Mon, 7 Feb 2000 13:06:30 GMT
Message-ID: <[email protected]>
Date: Mon, 07 Feb 2000 12:58:01 +0100
From: Robert Strycharczuk <[email protected]>
Organization: insIDe
X-Mailer: Mozilla 4.71 [en] (X11; I; Linux 2.2.13 i686)
X-Accept-Language: de, en
MIME-Version: 1.0
To: [email protected]
Subject: different handling of SIGINT
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: [email protected]
Precedence: bulk

Hi,

I noticed a feature I miss when using NeMaC. When NeMaC receives a SIGINT (or
KILL) it shuts down cleanly. OK. But what about all the flows the meter stored
between the last collection and the shut down of NeMaC ? Yes, they are lost.

It would be nice to read the flows for a last time before shutting down.
This feature is needed when you change the rules for a meter or have to reboot
the machine (or any further reasons).

Just imagine, the collecting interval is one hour. 59 minutes after the last
collection the process has to be killed. So the flows of 59 minutes were not
logged!
When NeMaC would collect the flows one more time just before it shuts down, the
loss of data should be minimized. Only the flows between the shut down and
restart would be missed...

I inspected the NeMaC main source and think it shouldn't be too difficult to
change NeMaC's behaviour.
The "request_stop" variable is tested in line 1060 of nmc.c.  Am I right when I
think just to add some lines into the if (request_stop)-block and call a
sequence similar to the while-block (lines 1027-1041 especially the monitor()
func)  to save the new flows to disk before shutting down??

The other possibility would be to add a third signal. This signal could force
NeMaC to collect the flows right now without waiting for events from the queue.
This gives the possibility to collect flows whenever it's needed.


Did someone already make such changes?
Is such a change possible without confusing the rest of the code ? (I must say, I
didn't read and analyse the whole sources)
And should I post such a request directly to [email protected] ??

have a nice day
Robert
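
An added example of the behaviour Robert asks for, written for this thread in Python rather than taken from nmc.c: a collector loop whose SIGINT/SIGTERM handlers only raise a flag, so the loop itself performs one final collection on the way out, plus a SIGUSR1 "collect now" path corresponding to his third-signal idea. The meter read, the log writer, the interval and the choice of SIGUSR1 are assumptions; demo() drives the same code paths from a thread so the scenario runs deterministically without sending real signals. One limit worth knowing: SIGKILL cannot be caught, so no program can do a final collection after kill -9, and the last scheduled collection is all that survives.

```python
"""Added example: a NeMaC-style collector loop that does a final collection
on SIGINT/SIGTERM and collects on demand on SIGUSR1. Illustrative code for
this thread, not NeMaC's own; the meter is a caller-supplied function."""
import signal
import threading


class Collector:
    def __init__(self, read_flows, write_log, interval):
        self.read_flows = read_flows     # callable(): read the meter's flow table
        self.write_log = write_log       # callable(reason, flows): append to the log
        self.interval = interval         # seconds between scheduled collections
        self._wake = threading.Event()
        self._stop = False
        self._collect_now = False
        self.collections = 0

    # Handlers only set a flag and wake the loop; all I/O happens in run(),
    # so a signal arriving mid-write cannot leave a half-written log record.
    def install_signal_handlers(self):
        signal.signal(signal.SIGINT, lambda *_: self.request_stop())
        signal.signal(signal.SIGTERM, lambda *_: self.request_stop())
        if hasattr(signal, "SIGUSR1"):            # assumed "collect now" signal; absent on Windows
            signal.signal(signal.SIGUSR1, lambda *_: self.request_collection())

    def request_stop(self):
        self._stop = True
        self._wake.set()

    def request_collection(self):
        self._collect_now = True
        self._wake.set()

    def _collect(self, reason):
        flows = self.read_flows()
        self.write_log(reason, flows)
        self.collections += 1

    def run(self):
        try:
            while not self._stop:
                self._wake.wait(self.interval)    # returns early when a flag is raised
                self._wake.clear()
                if self._stop:
                    break
                reason = "signal" if self._collect_now else "timer"
                self._collect_now = False
                self._collect(reason)
        finally:
            # Final read before exit so flows accumulated since the previous
            # collection are not lost; only traffic during the restart gap is.
            try:
                self._collect("shutdown")
            except OSError as exc:                # meter unreachable: still exit cleanly
                self.write_log("shutdown-failed", [repr(exc)])
        return self.collections


def demo():
    """Drive the collector from another thread instead of real signals so the
    run is deterministic: one on-demand collection, then a stop. Returns the
    logged reasons, expected ['signal', 'shutdown']."""
    reasons = []
    counter = {"n": 0}

    def fake_meter():                     # stands in for reading the real meter
        counter["n"] += 1
        return [("flow", counter["n"])]

    c = Collector(fake_meter, lambda reason, flows: reasons.append(reason), interval=60)
    worker = threading.Thread(target=c.run)
    worker.start()
    c.request_collection()                # what the SIGUSR1 handler would do
    for _ in range(500):                  # bounded wait for the on-demand collection
        if reasons:
            break
        threading.Event().wait(0.01)
    c.request_stop()                      # what the SIGINT/SIGTERM handler would do
    worker.join(timeout=5)
    return reasons


if __name__ == "__main__":
    print(demo())
```

In a real NeMaC-style process install_signal_handlers() would be called once from the main thread before run(); the flag-and-wake pattern is what keeps the handler trivially safe while still guaranteeing that the shutdown path goes through the same _collect() as the scheduled one.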



From netramet-owner  Wed Feb 16 12:56:21 2000
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id MAA21218
       for netramet-outgoing; Wed, 16 Feb 2000 12:49:16 +1300 (NZDT)
Received: from mail.itlite.com.au (IDENT:[email protected] [203.34.154.49])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id MAA21209
       for <[email protected]>; Wed, 16 Feb 2000 12:49:13 +1300 (NZDT)
Received: from ws0 (ws0.itlite.com.au [203.34.154.50])
       by mail.itlite.com.au (8.9.3/8.9.3) with SMTP id KAA04825
       for <[email protected]>; Wed, 16 Feb 2000 10:52:34 +1100
Message-ID: <[email protected]>
From: "Mark S Hepworth" <[email protected]>
To: <[email protected]>
Subject: Netramet and One Ip
Date: Wed, 16 Feb 2000 10:42:01 +1100
MIME-Version: 1.0
Content-Type: text/plain;
       charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2014.211
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Sender: [email protected]
Precedence: bulk

Hello all.
Forgive my ignorance and stupidity should it arise, but I was wondering:

I have looked through the rule sets that I received after I installed
Netramet (forgive incorrect capitalisation) and it just seems to be set up
for entire class C's. Are there any rule sets available that will account down
to one IP? If so, where can I find them?

Thanks in advance
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Mark S Hepworth                              ITLITE Internet Services
                        Internet Manager
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
          WSYDAP : Peering in Western Sydney. IT DOES HAPPEN


From netramet-owner  Thu Feb 17 07:31:19 2000
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id HAA19214
       for netramet-outgoing; Thu, 17 Feb 2000 07:29:54 +1300 (NZDT)
Received: from server.letras.de (mail.letras.de [62.96.219.237])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id HAA19200
       for <[email protected]>; Thu, 17 Feb 2000 07:29:50 +1300 (NZDT)
Received: from camioneta.letras.de (IDENT:[email protected] [192.168.8.4])
       by server.letras.de (8.9.3/8.9.0) with ESMTP id TAA03525
       for <[email protected]>; Wed, 16 Feb 2000 19:29:15 +0100
Received: (from ra@localhost)
       by camioneta.letras.de (8.8.7/8.8.5) id TAA32748
       for [email protected]; Wed, 16 Feb 2000 19:29:16 +0100
Date: Wed, 16 Feb 2000 19:29:16 +0100
From: Ralph Angenendt <[email protected]>
To: "'[email protected]'" <[email protected]>
Subject: Problems with NeTraMet on Linux
Message-ID: <[email protected]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
       protocol="application/pgp-signature"; boundary="SUOF0GtieIMvvwua"
Content-Disposition: inline
User-Agent: Mutt/1.1.3i
Sender: [email protected]
Precedence: bulk


--SUOF0GtieIMvvwua
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi,

after I found out that we had a major flaw in our NeTraMet setup,
so that the traffic figures were way too high, another problem arises.

Today I saw that a measured subnet had only 260 MB traffic this
month. Which is way too low.

So I figured out today's traffic and found out that we had ~7 MB
traffic today, which can't be correct at all, as I downloaded
HP-Openmail for Linux today, which is alone ~25 MB.

We're collecting the flowdata from the meter every 2 minutes, the
complete download took around two to three minutes (2 Mbit
line, ca. 180 Kbit/s on that download).

I can't find any of those packets (coming from/going to our subnet,
coming from/going to www.openmail.external.hp.com) in our
*.flows.001 - but they should be there.

Investigating further, I found out that my boss downloaded an
evaluation version of Oracle just yesterday (which is around 200 MB)
- probably with an equally saturated 2 Mbit line. There is no
evidence in yesterday's flows-file that this download did happen.

As I don't think that this is a flaw in NeTraMet, I was wondering
if anyone knows if Linux has problems with capturing packets if you
have a high permanent traffic load. I seem to remember that I once
saw a statement about that, and that it would be better to implement
NeTraMet on a BSD machine than on a Linux machine.

Any help would be appreciated.

Thanks in advance,

Ralph
-- 
__________________________________________________________________________
Ralph Angenendt       | "Military justice is to justice what military
http://www.letras.de  |  music is to music"
[email protected]          |                -- Groucho Marx

--SUOF0GtieIMvvwua
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4qux8jB6yu/0L7eURAijyAJoDmqI/s63k7uwPzVduAteKy8wIuwCfXCwy
utO05+xWtL5xrXHPT9SyP/4=
=LjTM
-----END PGP SIGNATURE-----

--SUOF0GtieIMvvwua--

From netramet-owner  Thu Feb 17 10:07:52 2000
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id KAA13758
       for netramet-outgoing; Thu, 17 Feb 2000 10:07:11 +1300 (NZDT)
Received: from rm-rstar.sfu.ca ([email protected] [142.58.120.21])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id KAA13748
       for <[email protected]>; Thu, 17 Feb 2000 10:07:06 +1300 (NZDT)
Received: from fraser.sfu.ca ([email protected] [142.58.101.25])
       by rm-rstar.sfu.ca (8.9.2/8.9.2/SFU-5.0H) with ESMTP id NAA12504
       for <[email protected]>; Wed, 16 Feb 2000 13:07:03 -0800 (PST)
From: Peter Van Epp <[email protected]>
Received: (from vanepp@localhost)
       by fraser.sfu.ca (8.9.2/8.9.2/SFU-5.0C) id NAA29402
       for [email protected]; Wed, 16 Feb 2000 13:07:02 -0800 (PST)
Message-Id: <[email protected]>
Subject: Problems with NeTraMet on Linux (fwd)
To: [email protected]
Date: Wed, 16 Feb 2000 13:07:02 -0800 (PST)
X-Mailer: ELM [version 2.5 PL1]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Precedence: bulk

<snip>
> As I don't think, that this is a flaw in NeTraMet, I was wondering,
> if anyone knows if Linux has Problems with capturing packets if you
> have a high permanent traffic load. I seem to remember that I once
> saw a statement about that, and that it would be better to implement
> NeTraMet on a BSD machine than on a Linux machine.
>

       Without wishing to start a flame war (as has happened a number of times
on the nfr list), nfr (Network Flight Recorder) isn't supported on either
Linux or NT because of poor packet capture performance. OpenBSD is reputed
to be the best they have found (and their platform of choice). That said, I
have seen (perhaps on bugtraq?) in the last couple of days a Linux kernel
mod that is reputed by the author to do only one copy against *BSD's 2 copies.
       There is an NFR performance comparison at

http://www.anzen.com/research/research_perform.html

which compares OpenBSD, BSDI, Linux and Solaris that may be of interest. In
my case on a 100 meg link with a 400 MHz Pentium running FreeBSD both argus
and NeTraMet report seeing more data than our Cisco believes it has put out
the interface. I haven't had time to poke at what's wrong to this point, but
I don't believe that I am losing packets on the link either (although I could
be wrong).

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada

From netramet-owner  Thu Feb 17 15:06:05 2000
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id PAA02420
       for netramet-outgoing; Thu, 17 Feb 2000 15:01:40 +1300 (NZDT)
Received: from netop.jaring.my (netop.jaring.my [192.228.128.100])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id PAA02392
       for <[email protected]>; Thu, 17 Feb 2000 15:01:29 +1300 (NZDT)
Received: from idaham (idaham.mimos.my [192.228.132.103])
       by netop.jaring.my (8.9.3/8.9.3) with SMTP id KAA27518
       for <[email protected]>; Thu, 17 Feb 2000 10:00:57 +0800 (MYT)
From: "Mohd Idaham" <[email protected]>
To: <[email protected]>
Subject: NeTraMet and CISCO NetFlow
Date: Thu, 17 Feb 2000 10:05:03 +0800
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
       charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3612.1700
Importance: Normal
Sender: [email protected]
Precedence: bulk

Hi,
This is a very basic question.
Is there a way for me to capture data from CISCO NetFlow exporter using
NeTraMet. I would like to avoid using CISCO FlowCollector and FlowAnalyzer.

Where can I find info regarding this?

Thanks.


---idaham-


From netramet-owner  Thu Feb 17 22:23:53 2000
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id WAA12342
       for netramet-outgoing; Thu, 17 Feb 2000 22:22:47 +1300 (NZDT)
Received: from nosc.ja.net (nosc.ja.net [128.86.16.20])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id WAA12331
       for <[email protected]>; Thu, 17 Feb 2000 22:22:42 +1300 (NZDT)
Received: from nosc.ja.net ([128.86.16.20])
       by nosc.ja.net with esmtp (Exim 3.10 #2)
       id 12LN8r-0005io-00; Thu, 17 Feb 2000 09:22:33 +0000
To: "Mohd Idaham" <[email protected]>
cc: [email protected]
Subject: Re: NeTraMet and CISCO NetFlow
In-reply-to: Your message of "Thu, 17 Feb 2000 10:05:03 +0800."
            <[email protected]>
Date: Thu, 17 Feb 2000 09:22:32 +0000
Message-ID: <[email protected]>
From: Kevin Hoadley <[email protected]>
Sender: [email protected]
Precedence: bulk

> This is a very basic question.
> Is there a way for me to capture data from CISCO NetFlow exporter using
> NeTraMet. I would like to avoid using CISCO FlowCollector and FlowAnalyzer.
>
> Where can I find info regarding this?

There is a version of NeTraMet called NetFlowMet that does exactly this;
should be somewhere in the 4.3 releases (?)

Kevin Hoadley.

From netramet-owner  Fri Feb 18 02:15:25 2000
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id CAA20751
       for netramet-outgoing; Fri, 18 Feb 2000 02:14:17 +1300 (NZDT)
Received: from server.letras.de (mail.letras.de [62.96.219.237])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id CAA20746
       for <[email protected]>; Fri, 18 Feb 2000 02:14:13 +1300 (NZDT)
Received: from camioneta.letras.de (IDENT:[email protected] [192.168.8.4])
       by server.letras.de (8.9.3/8.9.0) with ESMTP id OAA25841
       for <[email protected]>; Thu, 17 Feb 2000 14:13:39 +0100
Received: (from ra@localhost)
       by camioneta.letras.de (8.8.7/8.8.5) id OAA22388
       for [email protected]; Thu, 17 Feb 2000 14:13:40 +0100
Date: Thu, 17 Feb 2000 14:13:40 +0100
From: Ralph Angenendt <[email protected]>
To: [email protected]
Subject: Re: Problems with NeTraMet on Linux (fwd)
Message-ID: <[email protected]>
References: <[email protected]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
       protocol="application/pgp-signature"; boundary="Fig2xvG2VGoz8o/s"
Content-Disposition: inline
User-Agent: Mutt/1.1.3i
In-Reply-To: <[email protected]>; from [email protected] on Wed, Feb 16, 2000 at 01:07:02PM -0800
Sender: [email protected]
Precedence: bulk


--Fig2xvG2VGoz8o/s
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Feb 16, 2000 at 01:07:02PM -0800, Peter Van Epp wrote:
>
> http://www.anzen.com/research/research_perform.html
>
> which compares openBSD, BSDI, Linux and Solaris that may be of interest.

Ah yes. Thank you (and the others who answered) very much. Looks
like I have to do some research if our WAN-Card is now better
supported under FreeBSD than it was before. Pity I can't just put
some machine besides our existing router to do the packet counting
(due to the design of our network).

Hrmpf, seems like another wasted weekend ;-)

Ralph
-- 
__________________________________________________________________________
Ralph Angenendt       | "Military justice is to justice what military
http://www.letras.de  |  music is to music"
[email protected]          |                -- Groucho Marx

--Fig2xvG2VGoz8o/s
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4q/QEjB6yu/0L7eURAi4QAKCLX7QD8mEc0uZEL4A0asR9ZLRsnACgjmSy
SXFzIQLBAlLwqfntXdf6TGc=
=Ap3w
-----END PGP SIGNATURE-----

--Fig2xvG2VGoz8o/s--

From netramet-owner  Fri Feb 18 04:50:12 2000
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id EAA26677
       for netramet-outgoing; Fri, 18 Feb 2000 04:49:34 +1300 (NZDT)
Received: from da1server.martin.fl.us (da1server.martin.fl.us [198.136.32.5])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id EAA26670
       for <[email protected]>; Fri, 18 Feb 2000 04:49:30 +1300 (NZDT)
Received: from localhost (gmaxwell@localhost)
       by da1server.martin.fl.us (8.8.8/8.8.8) with SMTP id KAA16477;
       Thu, 17 Feb 2000 10:48:00 -0500 (EST)
Date: Thu, 17 Feb 2000 10:48:00 -0500 (EST)
From: Greg Maxwell  <[email protected]>
X-Sender: gmaxwell@da1server
To: Ralph Angenendt <[email protected]>
cc: [email protected]
Subject: Re: Problems with NeTraMet on Linux (fwd)
In-Reply-To: <[email protected]>
Message-ID: <Pine.GSO.3.96.1000217104417.9094C-100000@da1server>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk

On Thu, 17 Feb 2000, Ralph Angenendt wrote:

> On Wed, Feb 16, 2000 at 01:07:02PM -0800, Peter Van Epp wrote:
> >
> > http://www.anzen.com/research/research_perform.html
> >
> > which compares openBSD, BSDI, Linux and Solaris that may be of interest.
>
> Ah yes. Thank you (and the others who answered) very much. Looks
> like I have to do some research if our WAN-Card is now better
> supported under FreeBSD than it was before. Pity I can't just put
> some machine besides our existing router to do the packet counting
> (due to the design of our network).
>
> Hrmpf, seems like another wasted weekend ;-)

I'm treading lightly here as I don't want to start a flame war.

Has anyone looked into why Linux has this behavior and what needs to be
done to fix it? Linux *IS* open-source after all.

Also, does anyone know if these problems still occur with recent 2.3 (or
even recent 2.2 kernels)?

The reason I don't just accept 'if you want to run NeTraMet accurately use
xBSD' is because we already have tons of OSes around here, adding another
just to run a flow-meter when Linux already fits most of our other uses
for it quite well makes no business sense.

Thanks for any info.


From netramet-owner  Fri Feb 18 05:13:44 2000
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id FAA27806
       for netramet-outgoing; Fri, 18 Feb 2000 05:13:27 +1300 (NZDT)
Received: from server.letras.de (mail.letras.de [62.96.219.237])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id FAA27797
       for <[email protected]>; Fri, 18 Feb 2000 05:13:22 +1300 (NZDT)
Received: from camioneta.letras.de (IDENT:[email protected] [192.168.8.4])
       by server.letras.de (8.9.3/8.9.0) with ESMTP id RAA08847
       for <[email protected]>; Thu, 17 Feb 2000 17:12:50 +0100
Received: (from ra@localhost)
       by camioneta.letras.de (8.8.7/8.8.5) id RAA29493
       for [email protected]; Thu, 17 Feb 2000 17:12:50 +0100
Date: Thu, 17 Feb 2000 17:12:50 +0100
From: Ralph Angenendt <[email protected]>
To: [email protected]
Subject: Re: Problems with NeTraMet on Linux (fwd)
Message-ID: <[email protected]>
References: <[email protected]> <Pine.GSO.3.96.1000217104417.9094C-100000@da1server>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
       protocol="application/pgp-signature"; boundary="WYTEVAkct0FjGQmd"
Content-Disposition: inline
User-Agent: Mutt/1.1.3i
In-Reply-To: <Pine.GSO.3.96.1000217104417.9094C-100000@da1server>; from [email protected] on Thu, Feb 17, 2000 at 10:48:00AM -0500
Sender: [email protected]
Precedence: bulk


--WYTEVAkct0FjGQmd
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Feb 17, 2000 at 10:48:00AM -0500, Greg Maxwell wrote:
> On Thu, 17 Feb 2000, Ralph Angenendt wrote:
> >
> > Hrmpf, seems like another wasted weekend ;-)
>
> I'm treading lightly here as I don't want to start a flame war.
>
> Has anyone looked into why Linux has this behavior and what needs to be
> done to fix it? Linux *IS* open-source after all.
>
> Also, does anyone know if these problems still occur with recent 2.3 (or
> even recent 2.2 kernels)?

You might take a look at

http://www.nfr.net/nfr/mail-archive/nfr-users/1999/Feb/0110.html

which was recommended as a reply to my initial posting. I am no
kernel hacker in any way, but from the description given there, it
seems to be a non-trivial task to change Linux's behaviour in this
area. 2.2 doesn't do it, and I have no idea how far anything in 2.3
is.

My systems@home are running on 2.2.14 and our systems here still run
on 2.0.38.

And there's no way you could convince me to try a hacker kernel on a
production machine ;-)

> The reason I don't just accept 'if you want to run NeTraMet accurately use
> xBSD' is because we already have tons of OSes around here, adding another
> just to run a flow-meter when Linux already fits most of our other uses
> for it quite well makes no business sense.

Same here. But as I have one FreeBSD box at home, I don't mind
another OS more which is running here that much.

Just my 2 cents,

Ralph
-- 
__________________________________________________________________________
Ralph Angenendt       | "Military justice is to justice what military
http://www.letras.de  |  music is to music"
[email protected]          |                -- Groucho Marx

--WYTEVAkct0FjGQmd
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4rB4BjB6yu/0L7eURAoFvAJ0X3jQvep00tq3Rj8GpT1Z2kGWPGACfWLzs
ctB8yd3LETGnBBf9r5g2kdY=
=n3Mc
-----END PGP SIGNATURE-----

--WYTEVAkct0FjGQmd--

From netramet-owner  Fri Feb 18 07:28:53 2000
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id HAA04268
       for netramet-outgoing; Fri, 18 Feb 2000 07:28:03 +1300 (NZDT)
Received: from mail.rdc2.bc.home.com (ha2.rdc2.bc.wave.home.com [24.2.10.69])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id HAA04261
       for <[email protected]>; Fri, 18 Feb 2000 07:27:59 +1300 (NZDT)
Received: from smp ([24.113.134.64]) by mail.rdc2.bc.home.com
         (InterMail v4.01.01.00 201-229-111) with SMTP
         id <20000217182749.TIAO9655.mail.rdc2.bc.home.com@smp>;
         Thu, 17 Feb 2000 10:27:49 -0800
From: Dragos Ruiu <[email protected]>
Organization: kyx.net
To: Greg Maxwell <[email protected]>, Ralph Angenendt <[email protected]>
Subject: Re: Problems with NeTraMet on Linux (fwd)
Date: Thu, 17 Feb 2000 12:20:07 -0800
X-Mailer: KMail [version 1.0.28]
Content-Type: text/plain
Cc: [email protected]
References: <Pine.GSO.3.96.1000217104417.9094C-100000@da1server>
In-Reply-To: <Pine.GSO.3.96.1000217104417.9094C-100000@da1server>
MIME-Version: 1.0
Message-Id: <0002171223477R.02552@smp>
Content-Transfer-Encoding: 8bit
Sender: [email protected]
Precedence: bulk


I'm jumping into this in the middle, but I assume you ask about
poor capture performance in Linux.  AFAIK it's because of the
weakness in libpcap for Linux that only copies single packets
at a time over the kernel/user boundary.  There are a number of
other alternative interfaces and patches that claim to improve this.
I can provide some references if you like.  Apologies if this
is rehash.

cheers,
--dr

On Thu, 17 Feb 2000, Greg Maxwell wrote:
> On Thu, 17 Feb 2000, Ralph Angenendt wrote:
>
> > On Wed, Feb 16, 2000 at 01:07:02PM -0800, Peter Van Epp wrote:
> > >
> > > http://www.anzen.com/research/research_perform.html
> > >
> > > which compares openBSD, BSDI, Linux and Solaris that may be of interest.
> >
> > Ah yes. Thank you (and the others who answered) very much. Looks
> > like I have to do some research if our WAN-Card is now better
> > supported under FreeBSD than it was before. Pity I can't just put
> > some machine besides our existing router to do the packet counting
> > (due to the design of our network).
> >
> > Hrmpf, seems like another wasted weekend ;-)
>
> I'm treading lightly here as I don't want to start a flame war.
>
> Has anyone looked into why Linux has this behavior and what needs to be
> done to fix it? Linux *IS* open-source after all.
>
> Also, does anyone know if these problems still occur with recent 2.3 (or
> even recent 2.2 kernels)?
>
> The reason I don't just accept 'if you want to run NeTraMet accurately use
> xBSD' is because we already have tons of OSes around here, adding another
> just to run a flow-meter when Linux already fits most of our other uses
> for it quite well makes no business sense.
>
> Thanks for any info.
--
dursec.com / kyx.net - we're from the future                      http://www.dursec.com
learn kanga-foo from security experts: CanSecWest - April 19-21 Vancouver

Speakers: Ron Gula/NSW, Ken Williams/E&Y, Marty Roesch/Hiverworld, Fyodor/insecure.org,
         RainForestPuppy/wiretrip.net, Theo de Raadt/OpenBSD, Max Vision/whitehats.com

From netramet-owner  Fri Feb 18 08:08:51 2000
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id IAA08632
       for netramet-outgoing; Fri, 18 Feb 2000 08:08:26 +1300 (NZDT)
Received: from caida.org (ipn.caida.org [192.172.226.30])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id IAA08583
       for <[email protected]>; Fri, 18 Feb 2000 08:08:16 +1300 (NZDT)
Received: from localhost (nevil@localhost) by caida.org (8.8.8/8.7.3) with ESMTP id LAA21769; Thu, 17 Feb 2000 11:08:13 -0800 (PST)
Date: Thu, 17 Feb 2000 11:08:13 -0800 (PST)
From: Nevil Brownlee <[email protected]>
To: [email protected]
cc: Mohd Idaham <[email protected]>, [email protected]
Subject: Re: NetFlowMet in release 4.3
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk


Hello Mohd:

> Is there a way for me to capture data from CISCO NetFlow exporter using
> NeTraMet. I would like to avoid using CISCO FlowCollector and FlowAnalyzer.

As Kevin Hoadley said, NetFlowMet is part of the NeTraMet distribution.
It gets built (along with NeTraMet) in the src/meter directory.
NetFlowMet was introduced in NeTraMet v4.2 (May 1988); for some
documentation look at the doc/NeTraMet/version.history file.

Cheers, Nevil

-------------------------------------------------------------
  Nevil Brownlee                     Visiting Researcher
  Phone: (619) 822 0893                 CAIDA, San Diego
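
For anyone who wants to see what a NetFlow collector such as NetFlowMet has to do with each export datagram, the following is an added example written for this archive, not code from NeTraMet or NetFlowMet. It assumes NetFlow version 5 (the 24-byte header and 48-byte record layout Cisco documents for that version); the two sample datagrams are constructed inside the code, not captured, and the sequence-gap check is one I added to catch dropped export datagrams, which silently under-count traffic, the same accuracy concern raised elsewhere in this thread.

```python
"""Cisco NetFlow v5 export parser with bounds checks and sequence-gap
accounting.  Added example for this archive (not NeTraMet/NetFlowMet code);
layouts are Cisco's documented v5 ones, sample datagrams are constructed."""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes, network order
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes per flow record
V5_MAX_RECORDS = 30                                    # Cisco's per-datagram limit


@dataclass
class V5Header:
    count: int
    flow_sequence: int      # sequence number of the first flow in this datagram
    unix_secs: int
    sampling_interval: int  # low 14 bits of the last header field; 0 = unsampled


@dataclass
class V5Record:
    src: str
    dst: str
    proto: int
    src_port: int
    dst_port: int
    packets: int
    octets: int


def parse_v5(datagram: bytes) -> Tuple[V5Header, List[V5Record]]:
    """Parse one export datagram; ValueError on anything malformed.  The exporter
    is an unauthenticated UDP peer, so 'count' is checked against the bytes
    actually received before any record is touched."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short header (%d bytes)" % len(datagram))
    version, count, _up, secs, _ns, seq, _et, _eid, samp = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("unsupported NetFlow version %d" % version)
    if not 1 <= count <= V5_MAX_RECORDS:
        raise ValueError("record count %d out of range" % count)
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("length %d does not match count %d" % (len(datagram), count))
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        # f = (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
        #      sport, dport, pad1, tcp_flags, proto, tos, src_as, dst_as, masks, pad2)
        records.append(V5Record(socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]),
                                f[13], f[9], f[10], f[5], f[6]))
    return V5Header(count, seq, secs, samp & 0x3FFF), records


def is_valid_v5(datagram: bytes) -> bool:
    # A collector would log and drop anything parse_v5 rejects.
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def missing_flows(prev: V5Header, cur: V5Header) -> int:
    """Flows lost between consecutive datagrams from one engine.  The v5 sequence
    counts flows, not datagrams, so 'cur' should start at prev.flow_sequence +
    prev.count; a positive gap means dropped export datagrams and an under-count.
    A datagram arriving behind the expected sequence (reorder/duplicate) gives 0."""
    gap = (cur.flow_sequence - (prev.flow_sequence + prev.count)) & 0xFFFFFFFF
    return gap if gap < 0x80000000 else 0


def build_v5(flow_sequence: int, flows: List[tuple]) -> bytes:
    """Encode (src, dst, proto, sport, dport, pkts, octets) tuples into a datagram.
    Used only to construct sample input here; real exporters send these over UDP."""
    hdr = V5_HEADER.pack(5, len(flows), 60000, 951000000, 0, flow_sequence, 0, 1, 0)
    body = b"".join(V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0",
                                   1, 2, pk, oc, 100, 900, sp, dp, 0, 0x18, pr, 0, 0, 0, 16, 24, 0)
                    for s, d, pr, sp, dp, pk, oc in flows)
    return hdr + body


# Constructed sample: datagram 1 carries flows 0 and 1; datagram 2 starts at
# sequence 5, so three flows (at least one export datagram) were lost between them.
SAMPLE_1 = build_v5(0, [("131.202.1.10", "192.0.2.7", 6, 40000, 80, 12, 9000),
                        ("131.202.1.11", "192.0.2.53", 17, 5353, 53, 1, 78)])
SAMPLE_2 = build_v5(5, [("192.0.2.7", "131.202.1.10", 6, 80, 40000, 10, 14000)])


def summarize(datagrams: List[bytes]) -> Dict[str, object]:
    """Totals a collector keeps: flows, octets, octets per protocol, flows lost."""
    totals = {"flows": 0, "octets": 0, "lost": 0, "by_proto": {}}
    prev = None
    for dg in datagrams:
        hdr, recs = parse_v5(dg)
        if prev is not None:
            totals["lost"] += missing_flows(prev, hdr)
        prev = hdr
        for r in recs:
            totals["flows"] += 1
            totals["octets"] += r.octets
            totals["by_proto"][r.proto] = totals["by_proto"].get(r.proto, 0) + r.octets
    return totals
```

Running summarize over the two constructed datagrams gives 3 flows and 23078 octets received, and 3 flows reported lost; a collector that only adds up the records it receives would never notice the gap, which is why the sequence check belongs next to the length and count checks.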


From netramet-owner  Tue Feb 22 00:14:05 2000
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id AAA19110
       for netramet-outgoing; Tue, 22 Feb 2000 00:08:12 +1300 (NZDT)
Received: from andie.ip23.net (andie.ip23.net [212.83.32.23])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id AAA19104
       for <[email protected]>; Tue, 22 Feb 2000 00:08:07 +1300 (NZDT)
Received: from imap1.ip23.net (imap1.ip23.net [212.83.32.35])
       by andie.ip23.net (8.9.3/8.9.3) with ESMTP id MAA19139
       for <[email protected]>; Mon, 21 Feb 2000 12:07:34 +0100 (CET)
Received: from ip23.net ([email protected] [212.83.32.124])
       by imap1.ip23.net (8.9.3/8.9.3) with ESMTP id MAA21844
       for <[email protected]>; Mon, 21 Feb 2000 12:09:47 +0100 (CET)
Message-ID: <[email protected]>
Date: Mon, 21 Feb 2000 12:02:50 +0100
From: Lorand Bruhacs <[email protected]>
X-Mailer: Mozilla 4.7 [en] (X11; I; Linux 2.2.13 i586)
X-Accept-Language: en
MIME-Version: 1.0
To: [email protected]
Subject: Re: Problems with NeTraMet on Linux (fwd)
References: <[email protected]> <Pine.GSO.3.96.1000217104417.9094C-100000@da1server> <[email protected]>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Precedence: bulk

Ralph Angenendt wrote:
>
> On Thu, Feb 17, 2000 at 10:48:00AM -0500, Greg Maxwell wrote:
> > On Thu, 17 Feb 2000, Ralph Angenendt wrote:
> > >
> > > Hrmpf, seems like another wasted weekend ;-)
> >
> > I'm treading lightly here as I don't want to start a flame war.
> >
> > Has anyone looked into why Linux has this behavior and what needs to be
> > done to fix it? Linux *IS* open-source after all.
> >
> > Also, does anyone know if these problems still occur with recent 2.3 (or
> > even recent 2.2 kernels)?
>
> You might take a look at
>
> http://www.nfr.net/nfr/mail-archive/nfr-users/1999/Feb/0110.html
>
> which was reccomended as a reply to my initial posting. I am no
> kernel hacker in any ways, but from the description given there, it
> seems to be a non-trivial task to change Linux's behaviour in this
> area. 2.2 doesn't do it, and I have no idea, how far anything in 2.3
> is.
>
> My systems@home are running on 2.2.14 and our systems here still run
> on 2.0.38.
>
> And there's no way you could convince me to try a hacker kernel on a
> production machine ;-)
>
> > The reason I don't just accept 'if you want to run NeTraMet accurately use
> > xBSD' is because we already have tons of OSes around here, adding another
> > just to run a flow-meter when Linux already fits most of our other uses
> > for it quite well makes no business sense.

We would be overjoyed if Linux had accurate packet capture. Sadly,
although in other respects it is a fine OS, it doesn't. Even though I
would like to, I simply can't recommend it.


> Same here. But as I have one FreeBSD box at home, I don't mind
> another OS more which is running here that much.


- Lorand

--
Computer: A device to speed and automate errors
Lorand Bruhacs, Internet Engineer
IP23 Gesellschaft fuer IP-basierte Dienstleistungen mbH

From netramet-owner  Tue Feb 22 18:53:12 2000
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id SAA03791
       for netramet-outgoing; Tue, 22 Feb 2000 18:52:02 +1300 (NZDT)
Received: from caida.org (ipn.caida.org [192.172.226.30])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id SAA03776
       for <[email protected]>; Tue, 22 Feb 2000 18:51:53 +1300 (NZDT)
Received: from localhost (nevil@localhost) by caida.org (8.8.8/8.7.3) with ESMTP id VAA06534; Mon, 21 Feb 2000 21:51:12 -0800 (PST)
Date: Mon, 21 Feb 2000 21:51:12 -0800 (PST)
From: Nevil Brownlee <[email protected]>
To: Adam Neat <[email protected]>
cc: [email protected]
Subject: Where to get FreeBSD
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk


Hello Adam:

> I haven't installed BSD for years - can someone point me in the right
> direction for it so I can use neTraMet to count data?

You can download it from the FreeBSD web site, http://www.freebsd.org/

Cheers, Nevil

-------------------------------------------------------------
  Nevil Brownlee                     Visiting Researcher
  Phone: (619) 822 0893                 CAIDA, San Diego


From netramet-owner  Thu Feb 24 18:10:01 2000
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id SAA07401
       for netramet-outgoing; Thu, 24 Feb 2000 18:05:22 +1300 (NZDT)
Received: from menace.csd.unb.ca (menace.csd.unb.ca [131.202.160.212])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id SAA07394
       for <[email protected]>; Thu, 24 Feb 2000 18:05:18 +1300 (NZDT)
From: [email protected]
Received: from localhost (newton@localhost)
       by menace.csd.unb.ca (8.9.3/8.9.3) with ESMTP id BAA11969
       for <[email protected]>; Thu, 24 Feb 2000 01:05:14 -0400
X-Authentication-Warning: menace.csd.unb.ca: newton owned process doing -bs
Date: Thu, 24 Feb 2000 01:05:14 -0400 (AST)
X-Sender: [email protected]
To: [email protected]
Subject: Can't get NeTraMet to detect any traffic.
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk


       I have a box plugged into a hub to which there are two other
connections... those other two connections are two of our switches.
Conceptually, all data on our campus goes across this link, out to the
internet.  For my machine, this is ETH1.

       Currently, I am using 'ipaudit' to monitor flows across this link,
and processing the resulting log files with perl every 5 minutes.

       The abilities of NeTraMet seem impressive, and so I think I would
like to investigate moving from ipaudit to this.

       However.... so far I have been unable to get it to detect any
flows across the link... (as a note, during my tests ipaudit was also
running which uses libpcap as well, and 'snort' which also uses libpcap,
both of which had no problem).

[root@menace netramet]# NeTraMet -i eth1 -wprivate
NeTraMet: Network Meter v4.3
Running on menace.csd.unb.ca, interface eth1
0101:17  ri[20]: '4', 16 rules
0101:17  ri[20]: '4', rhss = 1
0101:17  Manager 1, Current set 20
0101:17  '4' flows read by NeMaC
 Statistics Zeroed

[root@menace mib]# NeMaC -c30 -r ../examples/srl/test.rules
131.202.160.212 private
01:01:17 Thu 24 Feb 2000 -- Using MIB file: mib.txt

My rules file is:

[root@menace srl]# more test.srl
define unb = (131.202/16);

call net_kind(SourcePeerAddress, SourceKind)
endcall;
call net_kind(DestPeerAddress, DestKind)
endcall;
count;

subroutine net_kind (address addr, variable net)
       if addr == unb save,{ store net := 10; }
       save addr/16;
       store net := 30;
endsub;
set 4;
format
       topdus tooctets frompdus fromoctets sourcepeertype sourcetranstype
       sourcetransaddress desttransaddress sourcepeeraddress destpeeraddress;
STATISTICS ;


This gives log entries like:

##NeTraMet v4.3:  -c30 -r ../examples/srl/test.rules  131.202.160.212 eth1
10000 flows  starting at 01:01:17 Thu 24 Feb 2000
#Format: topdus tooctets frompdus fromoctets sourcepeertype sourcetranstype sourcetransaddress desttransaddress sourcepeeraddress destpeeraddress
#Time: 01:01:17 Thu 24 Feb 2000 131.202.160.212 Flows from 0 to 795
#Ruleset: 20  4 ../examples/srl/test.rules  NeMaC
#Stats: aps=0 apb=0 mps=0 mpb=0 lsp=0 avi=99.9 mni=100.0 fiu=0 frc=0
gci=10 rpp=0.0 tpp=0.0 cpt=0.0 tts=8191 tsu=0
#EndData: 131.202.160.212
#Time: 01:01:30 Thu 24 Feb 2000 131.202.160.212 Flows from 794 to 2102
#Stats: aps=0 apb=0 mps=0 mpb=0 lsp=0 avi=99.9 mni=100.0 fiu=0 frc=0
gci=10 rpp=0.0 tpp=0.0 cpt=0.0 tts=8191 tsu=0
#EndData: 131.202.160.212


       Our campus uses the addresses 131.202.x.x... and I think I have
that coded correctly in the srl file....  I have also tested other example
rules files, no diff.

       The box I am running on is Linux 2.2.14, Red Hat 6.  Anyone got any
ideas?

Chris

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

Chris Newton, Technical Analyst
Computing Services, University of New Brunswick
[email protected] 506-447-3212(voice) 506-453-3590(fax)
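
Chris's `#Stats:` lines above show `aps=0` in every interval, which, whatever the cause turns out to be, is the state a meter operator most needs to catch: a meter that is up and writing log files but seeing no packets. The following is an added example written for this archive, not NeTraMet code; it parses the header lines of a NeMaC flow-data file in the layout shown in the post and flags blind intervals, lost packets and a nearly full flow table. The meaning of the statistics keys (aps as the meter's average packets per second, lsp as packets lost, tts/tsu as flow-table size and space used) is my reading of the NeTraMet documentation and should be checked against the version in use; the sample text is constructed, copying the two intervals from the post and adding an invented busy one for contrast.

```python
"""Health check over NeMaC flow-data output.  Added example for this archive,
not NeTraMet code.  It parses the '#Time:', '#Stats:' and '#EndData:' lines in
the layout of Chris's post and flags intervals in which the meter saw nothing."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Statistics keys as I read the NeTraMet documentation (an assumption):
#   aps  average packets/second seen by the meter   lsp  packets the meter lost
#   fiu  flows in use   tts/tsu  flow table size and space used   avi  % idle
TIME_RE = re.compile(r"^#Time:\s+(\S+ \S+ \d+ \S+ \d+)\s+(\S+)\s+Flows from (\d+) to (\d+)")
KV_RE = re.compile(r"([a-z]+)=(-?[\d.]+)")


@dataclass
class Interval:
    start: str                  # wall-clock time printed on the #Time line
    meter: str                  # meter address printed on the #Time line
    flows_from: int             # the "Flows from X to Y" values, as printed
    flows_to: int
    stats: Dict[str, float] = field(default_factory=dict)
    data_lines: int = 0         # flow records in the #Format columns


def parse_flowdata(text: str) -> List[Interval]:
    """Split a NeMaC flow-data file into intervals.  The #Stats line may wrap
    onto a following line without a '#' (as in the post); that is folded in."""
    intervals: List[Interval] = []
    cur, in_stats = None, False
    for line in text.splitlines():
        m = TIME_RE.match(line)
        if m:
            cur = Interval(m.group(1), m.group(2), int(m.group(3)), int(m.group(4)))
            in_stats = False
        elif cur is None:
            continue                                   # ##NeTraMet / #Format preamble
        elif line.startswith("#Stats:"):
            cur.stats.update((k, float(v)) for k, v in KV_RE.findall(line))
            in_stats = True
        elif in_stats and not line.startswith("#") and "=" in line:
            cur.stats.update((k, float(v)) for k, v in KV_RE.findall(line))
        elif line.startswith("#EndData:"):
            intervals.append(cur)
            cur, in_stats = None, False
        elif line and not line.startswith("#"):
            cur.data_lines += 1
            in_stats = False
    return intervals


def assess(intervals: List[Interval]) -> List[str]:
    """One finding per problem.  aps=0 with no flow records over a whole interval
    on a busy link means the meter is up but blind (interface, ruleset or capture
    path), the silent failure mode that matters most for an accounting meter."""
    findings = []
    for iv in intervals:
        tag = "%s %s:" % (iv.start, iv.meter)
        if iv.stats.get("aps", 0.0) == 0 and iv.data_lines == 0:
            findings.append("%s no packets seen (aps=0), meter is blind" % tag)
        if iv.stats.get("lsp", 0.0) > 0:
            findings.append("%s %d packets lost by meter" % (tag, iv.stats["lsp"]))
        tts, tsu = iv.stats.get("tts", 0.0), iv.stats.get("tsu", 0.0)
        if tts and tsu / tts > 0.9:
            findings.append("%s flow table %.0f%% full" % (tag, 100 * tsu / tts))
    return findings


# Constructed sample in the post's layout: the two blind intervals from the post
# followed by one invented busy interval (lost packets, nearly full table, one flow).
SAMPLE = """\
##NeTraMet v4.3:  -c30 -r ../examples/srl/test.rules  131.202.160.212 eth1
10000 flows  starting at 01:01:17 Thu 24 Feb 2000
#Format: topdus tooctets frompdus fromoctets sourcepeertype sourcetranstype sourcetransaddress desttransaddress sourcepeeraddress destpeeraddress
#Time: 01:01:17 Thu 24 Feb 2000 131.202.160.212 Flows from 0 to 795
#Ruleset: 20  4 ../examples/srl/test.rules  NeMaC
#Stats: aps=0 apb=0 mps=0 mpb=0 lsp=0 avi=99.9 mni=100.0 fiu=0 frc=0
gci=10 rpp=0.0 tpp=0.0 cpt=0.0 tts=8191 tsu=0
#EndData: 131.202.160.212
#Time: 01:01:30 Thu 24 Feb 2000 131.202.160.212 Flows from 794 to 2102
#Stats: aps=0 apb=0 mps=0 mpb=0 lsp=0 avi=99.9 mni=100.0 fiu=0 frc=0
gci=10 rpp=0.0 tpp=0.0 cpt=0.0 tts=8191 tsu=0
#EndData: 131.202.160.212
#Time: 01:02:00 Thu 24 Feb 2000 131.202.160.212 Flows from 2102 to 3400
#Stats: aps=412.3 apb=1 mps=980 mpb=4 lsp=17 avi=62.1 mni=40.0 fiu=37 frc=2
gci=10 rpp=3.2 tpp=5.1 cpt=1.4 tts=8191 tsu=7500
15 1800 12 9600 1 1 40000 80 131.202.160.212 192.0.2.7
#EndData: 131.202.160.212
"""


def report(text: str = SAMPLE) -> List[str]:
    return assess(parse_flowdata(text))
```

On the sample, report() returns four findings: both intervals copied from the post are flagged as blind, and the invented third interval is flagged for 17 lost packets and a flow table 92% full. Run it against a live NeMaC output file from cron at the same five-minute cadence Chris already uses for ipaudit, and a meter that has gone blind stops being a surprise found days later.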



From netramet-owner  Tue Feb 29 08:50:17 2000
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id IAA17923
       for netramet-outgoing; Tue, 29 Feb 2000 08:44:33 +1300 (NZDT)
Received: from caida.org (ipn.caida.org [192.172.226.30])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id IAA17898
       for <[email protected]>; Tue, 29 Feb 2000 08:44:26 +1300 (NZDT)
Received: from localhost (nevil@localhost) by caida.org (8.8.8/8.7.3) with ESMTP id LAA17616; Mon, 28 Feb 2000 11:44:19 -0800 (PST)
Date: Mon, 28 Feb 2000 11:44:19 -0800 (PST)
From: Nevil Brownlee <[email protected]>
To: [email protected]
cc: [email protected]
Subject: NeTramet on MS Windows
In-Reply-To: <[email protected]>
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk


> From: Ong Gim Shin <[email protected]>

> Can netramet run on windows nt?

Until now the answer to this was "no-one's ported it to Windows yet."
But the last time the question was asked on the NeTraMet list someone
commented that there was a Windows port of libpcap and tcpdump ...

Over the last few weeks I've produced a Windows port of NeTraMet,
using the WinDump packet interface and the cygwin Win32 environment.
I expect to put the Windows NeTraMet on the ftp servers for beta testing
within the next few days.  I'll send an announcement note to the list.

Cheers, Nevil

-------------------------------------------------------------
  Nevil Brownlee                     Visiting Researcher
  Phone: (619) 822 0893                 CAIDA, San Diego


From netramet-owner  Tue Feb 29 13:08:24 2000
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id NAA09980
       for netramet-outgoing; Tue, 29 Feb 2000 13:05:45 +1300 (NZDT)
Received: from saturn.agn-consulting.com (IDENT:adamneat@[203.24.47.187])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id NAA09973
       for <[email protected]>; Tue, 29 Feb 2000 13:05:40 +1300 (NZDT)
Received: from localhost (adamneat@localhost)
       by saturn.agn-consulting.com (8.9.3/8.9.1) with SMTP id LAA25918
       for <[email protected]>; Tue, 29 Feb 2000 11:03:53 +1100
Date: Tue, 29 Feb 2000 11:03:53 +1100 (EST)
From: Adam Neat <[email protected]>
X-Sender: adamneat@saturn
To: [email protected]
Subject: Usual place of NetraMet deployment ?
In-Reply-To: <[email protected]>
Message-ID: <Pine.LNX.3.96.1000229110011.24275E-100000@saturn>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk


All,

I'm curious as to where people are placing 'netramet boxes'?

i.e. in between border routers and core switches, or in between access
routers / end routers and core switches?

What I can see happening is conflicting copies of netramet data coming in
from various netramet boxes deployed over a national network with several
exit points and a dozen or so access points (Cisco indial ISDN, FR, DDS,
etc)

Regards

Adam