From netramet-owner Thu Mar 2 06:16:11 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id FAA13102
for netramet-outgoing; Thu, 2 Mar 2000 05:57:15 +1300 (NZDT)
Received: from caida.org (ipn.caida.org [192.172.226.30])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id FAA13093
for <
[email protected]>; Thu, 2 Mar 2000 05:57:11 +1300 (NZDT)
Received: from localhost (nevil@localhost) by caida.org (8.8.8/8.7.3) with ESMTP id IAA06621 for <
[email protected]>; Wed, 1 Mar 2000 08:57:05 -0800 (PST)
Date: Wed, 1 Mar 2000 08:57:05 -0800 (PST)
From: Nevil Brownlee <
[email protected]>
To:
[email protected]
Subject: Displaying NeTraMet results with a java applet
Message-ID: <
[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender:
[email protected]
Precedence: bulk
Forwarded message to the list ..
-------------------------------------------------------------
Nevil Brownlee Visiting Researcher
Phone: (858) 822 0893 CAIDA, San Diego
---------- Forwarded message ----------
Date: Wed, 01 Mar 2000 13:32:03 +0100
To:
[email protected],
[email protected]
From: Henning M Larsen <
[email protected]>
Subject: Displaying NeTraMet results with a java applet
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Hi! We were just wondering if anyone knows if there are any java
source-code available to help us make an applet which can draw NeTraMet
statistics? Anyone who has worked with NeTraMet/applets before?
Henning & Randi
From netramet-owner Thu Mar 2 10:22:23 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id KAA16191
for netramet-outgoing; Thu, 2 Mar 2000 10:18:08 +1300 (NZDT)
Received: from gallerina.lq.web.co.nz (gallerina.web.co.nz [202.37.57.2])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with SMTP id KAA16062
for <
[email protected]>; Thu, 2 Mar 2000 10:17:29 +1300 (NZDT)
Received: from gallerina.web.co.nz [202.37.57.2]
(HELO localhost)
by gallerina.lq.web.co.nz (AltaVista Mail V2.0J/2.0J BL25J listener)
id 0000_013b_38bd_88b7_995e;
Thu, 02 Mar 2000 10:16:39 +1300
Received: by scarab.lq.web.co.nz with Internet Mail Service (5.0.1458.49)
id <FFLW3MXF>; Thu, 2 Mar 2000 10:16:39 +1300
Message-ID: <
[email protected]>
From: Shaun McCarthy <
[email protected]>
To: "'
[email protected]'" <
[email protected]>
Subject: Am I missing the point entirely...
Date: Thu, 2 Mar 2000 10:16:38 +1300
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain
Sender:
[email protected]
Precedence: bulk
After playing around with netramet to get it working with NetFlow
(cisco) I have run into problems
What I would really like to know is the way we are doing things seems
really hacky and not ideal. *** show area of confusion
Purpose: To monitor network traffic from a range of IP's in the local
public zone to the outside world.
The rules I defined seem to work fine.. My query is more to do with
pickup.. here is the process (all command line till I get it working):
start listener / server: ./NetFlowMet -w private -D
start client: ./NeMaC -D -c600 -b../../mib/mib.txt -r ./../rules/subnet.rules -F flows/subnet -L logs/subnet serverip.co.nz private
(scans every 10 minutes writing to a flow file)
*** What to do now? ***
at 12:00 stop server
mv flows/subnet flows/archive
start client: ./NeMaC -D -c600 -b../../mib/mib.txt -r ./../rules/subnet.rules -F flows/subnet -L logs/subnet serverip.co.nz private
run a perl script that scans archive, gzip / tar's it, deletes it
*** Finished? ***
Any comments are welcome
=======================================================
Shaun McCarthy : Internet Consultant : The Web Limited
[email protected] :
http://web.co.nz/
Level 8, 86 Lambton Quay, PO Box 15 175, Wellington NZ
Tel 04 495 8250 : Fax 04 495 8259
From netramet-owner Sat Mar 4 05:06:00 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id FAA14782
for netramet-outgoing; Sat, 4 Mar 2000 05:01:57 +1300 (NZDT)
Received: from ferao.jungle.bt.co.uk (ferao.jungle.bt.co.uk [132.146.107.45])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id FAA14764
for <
[email protected]>; Sat, 4 Mar 2000 05:01:45 +1300 (NZDT)
Received: from sherekhan.jungle.bt.co.uk (sherekhan [132.146.107.25])
by ferao.jungle.bt.co.uk (8.9.1b+Sun/Jungle-8.9.1-03) with SMTP id PAA13496;
Fri, 3 Mar 2000 15:52:33 GMT
Received: from sma by sherekhan.jungle.bt.co.uk; Fri, 3 Mar 00 15:52:31 GMT
Message-Id: <
[email protected]>
X-Sender:
[email protected]
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Fri, 03 Mar 2000 16:05:36 +0000
To: Nevil Brownlee <
[email protected]>,
[email protected]
From: Marcelo Pias <
[email protected]>
Subject: Re: Displaying NeTraMet results with a java applet
In-Reply-To: <
[email protected]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender:
[email protected]
Precedence: bulk
Hi Henning & Randi,
I'm just using a SNMP java API... This is enough to collect data from the
meter. Once you have the meter data, it should be easy to create graphics
with java graph classes. You should find a SNMP API at www.javasoft.com or
download a third party one from www.adventnet.com.
Cheers. Marcelo
At 08:57 AM 3/1/00 -0800, Nevil Brownlee wrote:
>
>Forwarded message to the list ..
>
>-------------------------------------------------------------
> Nevil Brownlee Visiting Researcher
> Phone: (858) 822 0893 CAIDA, San Diego
>
>---------- Forwarded message ----------
>Date: Wed, 01 Mar 2000 13:32:03 +0100
>To:
[email protected],
[email protected]
>From: Henning M Larsen <
[email protected]>
>Subject: Displaying NeTraMet results with a java applet
>Mime-Version: 1.0
>Content-Type: text/plain; charset="us-ascii"
>
>Hi! We were just wondering if anyone knows if there are any java
>source-code available to help us make an applet which can draw NeTraMet
>statistics? Anyone who has worked with NeTraMet/applets before?
>
>Henning & Randi
>
>
>
------------------------------------------------------------------------
Marcelo Pias, PhD Student(Univ.College London) funded by BT Labs.
E-mail:
[email protected],
URL:
http://www.cs.ucl.ac.uk/staff/M.Pias/
------------------------------------------------------------------------
Notice: This contribution is the personal view of the author and does not
necessarily reflect the technical nor commercial direction of British
Telecommunications plc.
From netramet-owner Sat Mar 4 07:26:17 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id HAA22470
for netramet-outgoing; Sat, 4 Mar 2000 07:25:40 +1300 (NZDT)
Received: from caida.org (ipn.caida.org [192.172.226.30])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id HAA22460
for <
[email protected]>; Sat, 4 Mar 2000 07:25:36 +1300 (NZDT)
Received: from localhost (nevil@localhost) by caida.org (8.8.8/8.7.3) with ESMTP id KAA01034; Fri, 3 Mar 2000 10:25:28 -0800 (PST)
Date: Fri, 3 Mar 2000 10:25:28 -0800 (PST)
From: Nevil Brownlee <
[email protected]>
To: Shaun McCarthy <
[email protected]>
cc:
[email protected]
Subject: Re: NeTraMet
In-Reply-To: <
[email protected]>
Message-ID: <
[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender:
[email protected]
Precedence: bulk
Hello Shaun:
> How much information can the server (netflowmet) handle before it
> overflows due to tracking too many flows at once? We currently are moving
> about 1.5 gig a day to a lot of foreign IP's but we must monitor them
> all.
Use the -f option when you start NeTraMet to specify the maximum number of
flows it should allocate memory for (Unix default is 10,000)
There are two limiting factors -
* The amount of memory required (around 90 bytes/flow)
* The time and CPU cycles to find a flow in the flow table.
The hash algorithm used works very well, -f 100,000 should be OK,
and you could try even bigger values ..
> On the same as the above, new flows seem to be being created even though
> there are old flows that were the same connection (same dest/source
> trans and peer addresses), is the -i option the one to change to
> increase the life of a flow?
Yes. -i sets the meter's InactivityTime, i.e. the time (after a data
collection) NeTraMet waits before it tries to recover an inactive flow's
memory. The default is 600 (10 minutes), which seems a good guess, but
if you know your flows last longer than that (even though they have long
idle spells) you can set it higher. If you do, you'll need to specify
a higher max number of flows (meter's -f option) to hold them all!
> Is it possible to tell the client (NeMaC) which is collecting every 10
> minutes to collect once more RIGHT NOW and write out to flow file then
> die? At the moment we are losing 1 minutes worth of traffic every time I
> kill the NeMaC client to free up its flow file so I can move it
> elsewhere.
What a coincidence! This was suggested by another user a few weeks ago,
and I've implemented it in the 4.4b6 release (in beta-versions/ on the ftp
sites). Try using that.
Another thought to consider ..
For long-term flow data collections, I use something like
./NeMaC -p -Fxyz.flow.data -Lxyz.log
This tells NeMaC to open xyz.flow.data and append new flow data to it
when reading the meter. But before it tries to open xyz.flow.data it
tests - using stat() - to see whether xyz.flow.data exists. If it
doesn't, NeMaC will create a new version of xyz.flow.data, with a proper ##
header record. This allows you to have a cron job which grabs flow
data for some time interval by simply renaming xyz.flow.data to something
like xyz.data.monday, so you can build directories of flow data files for
further processing (starting by using fd_filter to compute differences
between meter readings) WITHOUT HAVING TO STOP NeMaC.
Cheers, Nevil
-------------------------------------------------------------
Nevil Brownlee Visiting Researcher
Phone: (858) 822 0893 CAIDA, San Diego
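The rename-based collection described in the message above can be scripted for cron as follows. This is an added example, not code from the NeTraMet distribution; the function name, the paths and the ".STAMP" archive naming are assumptions.

```shell
#!/bin/sh
# Added example, not part of the NeTraMet distribution. The file names and
# the ".STAMP" archive naming are assumptions.

# rotate_flow_file FILE [STAMP]
#   Moves FILE aside as FILE.STAMP while NeMaC keeps running.
#   Prints the archive name on success. Returns:
#     0  rotated
#     1  FILE does not exist (nothing collected since the last rotation)
#     2  FILE.STAMP already exists or cannot be created (archive is kept)
rotate_flow_file() {
    src=$1
    stamp=${2:-$(date +%Y%m%d-%H%M%S)}
    dst="$src.$stamp"

    # No file yet is a normal condition, not an error worth paging on.
    [ -f "$src" ] || return 1

    # ln refuses to replace an existing name, so an earlier archive can
    # never be overwritten, and there is no gap between "check" and "move"
    # as there would be with a test followed by mv. Source and archive are
    # in the same directory, so both names refer to the same file.
    ln "$src" "$dst" 2>/dev/null || return 2

    # Drop the old name. Anything NeMaC appended between ln and rm is in
    # the archive; at its next meter reading NeMaC finds no file under the
    # old name and starts a new one with its own header record.
    rm -f "$src"
    printf '%s\n' "$dst"
}

# Cron usage (assumed paths):
#   0 0 * * * /usr/local/bin/rotate-flows.sh /var/netramet/xyz.flow.data
[ "$#" -eq 0 ] || rotate_flow_file "$@"
```

Leave a freshly rotated archive alone for at least one collection interval before compressing or deleting it, so that a reading in progress at rotation time is complete.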
From netramet-owner Sat Mar 4 13:17:46 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id NAA13750
for netramet-outgoing; Sat, 4 Mar 2000 13:15:26 +1300 (NZDT)
Received: from caida.org (ipn.caida.org [192.172.226.30])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id NAA13709
for <
[email protected]>; Sat, 4 Mar 2000 13:14:53 +1300 (NZDT)
Received: from localhost (nevil@localhost) by caida.org (8.8.8/8.7.3) with ESMTP id QAA12691; Fri, 3 Mar 2000 16:14:45 -0800 (PST)
Date: Fri, 3 Mar 2000 16:14:44 -0800 (PST)
From: Nevil Brownlee <
[email protected]>
To:
[email protected]
cc:
[email protected]
Subject: Re: Cant get NeTraMeT to detect any traffic.
In-Reply-To: <
[email protected]>
Message-ID: <
[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender:
[email protected]
Precedence: bulk
Hello Chris:
Sorry to be slow in replying, but I've just spent some time
looking at your ruleset which didn't find any flows ..
> define unb = (131.202/16);
>
> call net_kind(SourcePeerAddress, SourceKind)
> endcall;
> call net_kind(DestPeerAddress, DestKind)
> endcall;
> count;
>
> subroutine net_kind (address addr, variable net)
> if addr == unb save,{ store net := 10; }
> save addr/16;
> store net := 30;
> endsub;
> set 4;
> format
> topdus tooctets frompdus fromoctets sourcepeertype sourcetranstype
> sourcetransaddress desttransaddress sourcepeeraddress destpeeraddress;
> statistics;
You've revealed a lurking trap for ruleset writers! The reason no flows
are found is that NeTraMet (the meter) tries to reduce the number of
packets it has to look at by ignoring those which the ruleset will never
look at. It does this by looking for rules which test or save Source-
or DestPeerType. Your SRL program doesn't have any, so it (mistakenly)
decides you aren't interested in any packets at all. You can see that's
what's happening if you type 'p CR' on the meter keyboard; it responds
by displaying a list of the protocols it's currently watching.
Short-term you can fix this by adding this statement at the front of
your program ..
if SourcePeerType == IPv4 save;
else ignore;
Long-term I'll tweak the SRL compiler to add this to programs which
never refer to Source- or DestPeerType, and give a warning message like
"PeerType never tested, IPv4 assumed."
Thanks very much for your feedback.
Cheers, Nevil
-------------------------------------------------------------
Nevil Brownlee Visiting Researcher
Phone: (858) 822 0893 CAIDA, San Diego
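A pre-flight check for the trap described in the message above, as an added example (not NeTraMet or SRL compiler code): it flags an SRL source in which no rule mentions Source- or DestPeerType. It assumes '#' comments, ';' statement terminators and case-insensitive attribute names, and it skips format statements, because listing sourcepeertype for output, as the quoted ruleset does, is not a test.

```shell
#!/bin/sh
# Added example, not part of the NeTraMet distribution.
# Assumptions: SRL comments run from '#' to end of line, statements end
# with ';', and attribute names are case-insensitive.

# srl_tests_peertype FILE
#   Returns 0 if some statement other than 'format' mentions
#   SourcePeerType or DestPeerType, 1 otherwise.
#   Pipeline: drop comments, join lines, split into one statement per line,
#   discard format statements, then search what is left.
srl_tests_peertype() {
    sed 's/#.*$//' "$1" \
      | tr '\n' ' ' \
      | tr ';' '\n' \
      | grep -Eiv '^[[:space:]]*format([[:space:]]|$)' \
      | grep -Eiq '(source|dest)peertype'
}

# lint_srl FILE: same check, with a message for the operator.
lint_srl() {
    if srl_tests_peertype "$1"; then
        return 0
    fi
    echo "$1: no rule tests or saves Source/DestPeerType;" \
         "the meter would watch no protocols" >&2
    return 1
}

# The ruleset quoted in the message above, used as sample input.
sample_ruleset() {
    cat <<'EOF'
define unb = (131.202/16);

call net_kind(SourcePeerAddress, SourceKind)
endcall;
call net_kind(DestPeerAddress, DestKind)
endcall;
count;

subroutine net_kind (address addr, variable net)
if addr == unb save,{ store net := 10; }
save addr/16;
store net := 30;
endsub;
set 4;
format
topdus tooctets frompdus fromoctets sourcepeertype sourcetranstype
sourcetransaddress desttransaddress sourcepeeraddress destpeeraddress;
statistics;
EOF
}

# Check every file named on the command line.
for f in "$@"; do
    lint_srl "$f"
done
```

A plain case-insensitive grep for "peertype" would pass the quoted ruleset because of its format statement, which is why the format statements are removed first.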
From netramet-owner Thu Mar 9 07:47:30 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id HAA12425
for netramet-outgoing; Thu, 9 Mar 2000 07:44:13 +1300 (NZDT)
Received: from caida.org (ipn.caida.org [192.172.226.30])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id HAA12415
for <
[email protected]>; Thu, 9 Mar 2000 07:44:09 +1300 (NZDT)
Received: from localhost (nevil@localhost) by caida.org (8.8.8/8.7.3) with ESMTP id KAA07409 for <
[email protected]>; Wed, 8 Mar 2000 10:44:06 -0800 (PST)
Date: Wed, 8 Mar 2000 10:44:06 -0800 (PST)
From: Nevil Brownlee <
[email protected]>
To:
[email protected]
Subject: Subject: starting NeTraMet
Message-ID: <
[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender:
[email protected]
Precedence: bulk
---------- Forwarded message ----------
Date: Mon, 6 Mar 2000 21:32:43 +1300 (NZDT)
From:
[email protected]
To:
[email protected]
Subject: BOUNCE
[email protected]: Non-member submission from ["Avon
Avigail Lim" <
[email protected]>]
From netramet-owner Mon Mar 6 21:32:39 2000
Received: from pusit.admu.edu.ph ([208.160.249.131])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id VAA02657
for <
[email protected]>; Mon, 6 Mar 2000 21:32:36 +1300 (NZDT)
Received: from avi ([10.2.10.41])
by pusit.admu.edu.ph (8.9.3/8.9.3) with ESMTP id QAA01148
for <
[email protected]>; Mon, 6 Mar 2000 16:31:51 +0800
Message-Id: <
[email protected]>
From: "Avon Avigail Lim" <
[email protected]>
To: <
[email protected]>
Subject: starting NeTraMet
Date: Mon, 6 Mar 2000 16:35:33 -0000
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1161
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
hello.
i have been reading about NeTraMet (the .pdf files) but i still quite
don't understand.
can someone please help me out and give me an overview of how
it works and how to make it work in simple terms. i'll just get the
details from the documentation. i've already installed it on a linux box
for testing but i don't know how to start it up.
thank you very much.
avi
p.s. maybe you might know of some other documentation or howto other than
the ones in the NeTraMet homepage
From netramet-owner Thu Mar 9 09:15:39 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id JAA27326
for netramet-outgoing; Thu, 9 Mar 2000 09:15:13 +1300 (NZDT)
Received: from gallerina.lq.web.co.nz (gallerina.web.co.nz [202.37.57.2])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with SMTP id JAA27316
for <
[email protected]>; Thu, 9 Mar 2000 09:15:10 +1300 (NZDT)
Received: from gallerina.web.co.nz [202.37.57.2]
(HELO localhost)
by gallerina.lq.web.co.nz (AltaVista Mail V2.0J/2.0J BL25J listener)
id 0000_0069_38c6_b49a_5439;
Thu, 09 Mar 2000 09:14:18 +1300
Received: by scarab.lq.web.co.nz with Internet Mail Service (5.0.1458.49)
id <FFLW33PB>; Thu, 9 Mar 2000 09:14:18 +1300
Message-ID: <
[email protected]>
From: Shaun McCarthy <
[email protected]>
To:
[email protected]
Subject: RE: Subject: starting NeTraMet
Date: Thu, 9 Mar 2000 09:14:16 +1300
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain
Sender:
[email protected]
Precedence: bulk
I am guessing the fact that the installation section is chp 9 leads to a
lot of confusion.. I know it confused me till I read the table of
contents.. Maybe move it to a separate document?
Shaun
-----Original Message-----
From: Nevil Brownlee [mailto:
[email protected]]
Sent: Thursday, March 09, 2000 7:44 AM
To:
[email protected]
Subject: Subject: starting NeTraMet
---------- Forwarded message ----------
Date: Mon, 6 Mar 2000 21:32:43 +1300 (NZDT)
From:
[email protected]
To:
[email protected]
Subject: BOUNCE
[email protected]: Non-member submission from
["Avon
Avigail Lim" <
[email protected]>]
From netramet-owner Mon Mar 6 21:32:39 2000
Received: from pusit.admu.edu.ph ([208.160.249.131])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id
VAA02657
for <
[email protected]>; Mon, 6 Mar 2000 21:32:36 +1300
(NZDT)
Received: from avi ([10.2.10.41])
by pusit.admu.edu.ph (8.9.3/8.9.3) with ESMTP id QAA01148
for <
[email protected]>; Mon, 6 Mar 2000 16:31:51 +0800
Message-Id: <
[email protected]>
From: "Avon Avigail Lim" <
[email protected]>
To: <
[email protected]>
Subject: starting NeTraMet
Date: Mon, 6 Mar 2000 16:35:33 -0000
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1161
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
hello.
i have been reading about NeTraMet (the .pdf files) but i still quite
don't understand.
can someone please help me out and give me an overview of how
it works and how to make it work in simple terms. i'll just get the
details from the documentation. i've already installed it on a linux box
for testing but i don't know how to start it up.
thank you very much.
avi
p.s. maybe you might know of some other documentation or howto other than
the ones in the NeTraMet homepage
From netramet-owner Thu Mar 9 10:56:39 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id KAA18312
for netramet-outgoing; Thu, 9 Mar 2000 10:55:30 +1300 (NZDT)
Received: from caida.org (ipn.caida.org [192.172.226.30])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id KAA18276
for <
[email protected]>; Thu, 9 Mar 2000 10:55:23 +1300 (NZDT)
Received: from localhost (nevil@localhost) by caida.org (8.8.8/8.7.3) with ESMTP id NAA13426; Wed, 8 Mar 2000 13:55:10 -0800 (PST)
Date: Wed, 8 Mar 2000 13:55:10 -0800 (PST)
From: Nevil Brownlee <
[email protected]>
To: Shaun McCarthy <
[email protected]>
cc:
[email protected]
Subject: RE: Subject: starting NeTraMet
In-Reply-To: <
[email protected]>
Message-ID: <
[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender:
[email protected]
Precedence: bulk
On Thu, 9 Mar 2000, Shaun McCarthy wrote:
> I am guessing the fact that the installation section is chp 9 leads to a
> lot of confusion.. I know it confused me till I read the table of
> contents.. Maybe move it to a separate document?
Hello all:
For a long time now I've been saying I'll produce a new document on
"Getting Started with NeTraMet." This would be the separate document
Shaun suggests. So far I have a fairly large collection of bits of text
from emails answering questions about NeTraMet. Here's one which I hope
will help with 'getting started' ...
> The easiest way to get started is probably -
> * start the meter on host x.y.z
> NeTraMet -w write-com-name
> * have a look at the example rulesets in examples/srl (might be a
> good idea to read through the SRL manual first, detailed
> descriptions of the attributes and their values is in the NeTraMet
> Users' Manual)
> * compile your chosen example (nifty.srl could be a good one, but
> you might need to uncomment the format lines in it)
> srl nifty.srl
> This produces nifty.rules.
> * start one of the managers on another host (or on x.y.z, if that's
> easier)
> nm_rc -c60 -r nifty.rules x.y.z write-com-name
> nm_rc downloads the ruleset, then gets the flow data and displays
> the 'top 10' flows by writing them to the console.
>
> Once you have a feeling for the various programs and how they interact,
> you can decide what flow data you actually want to gather, and write
> your own ruleset(s). Then you can develop cron jobs and data reduction
> scripts, etc, etc.
Do we need to start with an 'overall view' describing traffic flows,
meters, meter readers and managers (i.e. introducing the RTFM traffic
measurement architecture)?
Cheers, Nevil
-------------------------------------------------------------
Nevil Brownlee Visiting Researcher
Phone: (858) 822 0893 CAIDA, San Diego
From netramet-owner Thu Mar 9 14:29:24 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id OAA29114
for netramet-outgoing; Thu, 9 Mar 2000 14:28:31 +1300 (NZDT)
Received: from blackbird.cir.nus.edu.sg (blackbird.cir.nus.edu.sg [137.132.19.146])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with SMTP id OAA29099
for <
[email protected]>; Thu, 9 Mar 2000 14:28:25 +1300 (NZDT)
Received: (qmail 29581 invoked from network); 9 Mar 2000 01:29:27 -0000
Received: from localhost (HELO localhost-smtp.localdomain) (127.0.0.1)
by localhost with SMTP; 9 Mar 2000 01:29:27 -0000
Date: Thu, 9 Mar 2000 09:28:31 +0800 (SGT)
From: Lai Zit Seng <
[email protected]>
X-Sender:
[email protected]
To: Nevil Brownlee <
[email protected]>
cc: Shaun McCarthy <
[email protected]>,
[email protected]
Subject: RE: Subject: starting NeTraMet
In-Reply-To: <
[email protected]>
Message-ID: <
[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender:
[email protected]
Precedence: bulk
On Wed, 8 Mar 2000, Nevil Brownlee wrote:
> Do we need to start with an 'overall view' describing traffic flows,
> meters, meter readers and managers (i.e. introducing the RTFM traffic
> measurement architecture)?
I think the "Getting started" guide can start off with the section you
suggested. A possible improvement would be to just pick one specific rule
(eg, count traffic by protocol type) so that newbies don't have to sit
there thinking "hmm which one should I choose", can immediately see some
numbers coming in, and you can describe to them what the numbers they are
seeing mean :)
Then in the next section tell them what is it that is happening with the
steps they did in the "Quick start" section. Eg, how the meter collected
the flows, how the meter readers got the data, etc.
I must admit that I was also initially slightly overwhelmed by the "many"
components in NeTraMet, having previously collected statistics using just
simply tcpdump output piped to a Perl script :P But once I had a working
setup, it all seems quite straight-forward :)
Regards,
lzs
From netramet-owner Tue Mar 14 10:16:34 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id KAA25838
for netramet-outgoing; Tue, 14 Mar 2000 10:11:36 +1300 (NZDT)
Received: from caida.org (ipn.caida.org [192.172.226.30])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id KAA25803
for <
[email protected]>; Tue, 14 Mar 2000 10:11:26 +1300 (NZDT)
Received: from localhost (nevil@localhost) by caida.org (8.8.8/8.7.3) with ESMTP id NAA05124 for <
[email protected]>; Mon, 13 Mar 2000 13:11:23 -0800 (PST)
Date: Mon, 13 Mar 2000 13:11:23 -0800 (PST)
From: Nevil Brownlee <
[email protected]>
To:
[email protected]
Subject: Windows NeTraMet beta available
Message-ID: <
[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender:
[email protected]
Precedence: bulk
Hello all:
A Windows version of NeTraMet is now available for testing; it's at
ftp://ftp.auckland.ac.nz/pub/iawg/NeTraMet/beta-versions/MSW_NTM44b6.zip
This zip file contains Windows binary versions of NeTraMet, NeMaC,
nm_rc and srl, along with a very simple 'starter' ruleset (in SRL).
Make a directory for it, unzip it into that directory, and
read the README and INSTALL files ...
I will release the source files which support the Windows NeTraMet
in a few weeks, however I still have some tidying-up of the code to do
just yet.
If you try out the Windows NeTraMet, do please send me (and/or this
list) any comments, suggestions, bug reports, etc.
Cheers, Nevil
-------------------------------------------------------------
Nevil Brownlee Visiting Researcher
Phone: (858) 822 0893 CAIDA, San Diego
From netramet-owner Fri Mar 17 10:35:09 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id KAA14125
for netramet-outgoing; Fri, 17 Mar 2000 10:28:53 +1300 (NZDT)
Received: from caida.org (ipn.caida.org [192.172.226.30])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id KAA14086
for <
[email protected]>; Fri, 17 Mar 2000 10:28:41 +1300 (NZDT)
Received: from localhost (nevil@localhost) by caida.org (8.8.8/8.7.3) with ESMTP id NAA11989; Thu, 16 Mar 2000 13:28:31 -0800 (PST)
Date: Thu, 16 Mar 2000 13:28:31 -0800 (PST)
From: Nevil Brownlee <
[email protected]>
To: Carsten Schmoll <
[email protected]>
cc:
[email protected]
Subject: Bug in SRL compiler V4.2.1
In-Reply-To: <
[email protected]>
Message-ID: <
[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender:
[email protected]
Precedence: bulk
Hello Carsten:
Thanks for your bug report (appended below). I've extracted your
two patch files and will put them into the next release (44b7).
Cheers, Nevil
-------------------------------------------------------------
Nevil Brownlee Visiting Researcher
Phone: (858) 822 0893 CAIDA, San Diego
> Date: Wed, 15 Mar 2000 15:50:29 +0100 (MET)
> From: Carsten Schmoll <
[email protected]>
> X-Sender: phoenix@curie
> To:
[email protected]
> Subject: bug in SRL compiler V4.2.1
>
>
> Hello!
>
> I tried to compile a large SRL file ( >> 100 rules ) to .rules
> and the compiler states that its internal structures are not
> large enough to handle this srl-file.
>
> After I increased the values of IDTHASHBASE, IDTTOFLOWS,
> LBLTHASHBASE and LBLTOFLOWS, the compiler complained
> about missing symbols. I found out that the wrong
> constant is used to define LBLTHASHMASK and LBLTSIZE in srl.h.
> In the original srl compiler all works well because
> IDTHASHBASE and LBLTHASHBASE have the same value.
>
> To make a long story short :
>
> I've included the two patch files for srl.h and srl_emit.c.
> * srl.h.diff fixes the bug in line 351,352 and increases the
> sizes for srl's internal tables (only needed for compilation
> of very large rule files)
> * srl_emit.c.diff changes the hash-function (which generates
> the hash key value) to make profit of the larger hash tables
>
> regards,
> Carsten Schmoll.
>