From netramet-owner Thu May 4 03:12:08 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id DAA25904
for netramet-outgoing; Thu, 4 May 2000 03:05:56 +1200 (NZST)
Received: from ns.big-netz.de (ns.big-netz.de [195.126.133.130])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id DAA25896
for <
[email protected]>; Thu, 4 May 2000 03:05:50 +1200 (NZST)
Received: from inside-gmbh.com ([10.100.130.2])
by ns.big-netz.de (8.9.3/8.9.3) with ESMTP id PAA28233
for <
[email protected]>; Wed, 3 May 2000 15:05:45 GMT
Message-ID: <
[email protected]>
Date: Wed, 03 May 2000 17:06:00 +0200
From: "Robert S." <
[email protected]>
Organization: insIDe
X-Mailer: Mozilla 4.61 [en] (X11; I; Linux 2.2.12-20 i686)
X-Accept-Language: de, en
MIME-Version: 1.0
To:
[email protected]
Subject: forcing collections
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender:
[email protected]
Precedence: bulk
Dear NeTraMet users!
I'm working on a GUI environment based on analysis of NeMaC logfiles.
There was still something I missed.
Sometimes I wanted NeMaC to collect the flows *right now* regardless
of how long it would take till the next collection.
So I patched the nmc.c (NeMaC source) to let it work.
I used the HUP signal for this purpose.
Maybe You have an idea, which signal we should use instead.
Now when I send kill -HUP pid_of_nemac, NeMaC collects the flows
of all meters and sleeps again...
see the code below...
Nevil, is it something worth being implemented in the next version ??
happy metering :-)
Robert
--
Robert Strycharczuk Inside GmbH, Germany
________________________________________________
/* original defs , see line 180 of nmc.c v4.4.b6 */
int request_stop = 0;
int request_rollover = 0;
/* if set to 1 by sighup_handler, NeMaC will collect *right now*;
   written from a signal handler, so it is volatile sig_atomic_t */
volatile sig_atomic_t request_monitor_now = 0;

void sighup_handler(int x)  /* kill -HUP */
{
   request_monitor_now = 1;
}
[...]
/* line 600 in main(), here the other handlers are defined, too */
signal(SIGHUP, sighup_handler);
[...]
/* now we have the handlers, but we have to
   check the value of request_monitor_now
   within the main-loop */
/* see line 1050 of nmc.c main() */
for (;;) {  /* Main event loop */
   [...]
   /* still original code */
   if (!request_stop && !request_rollover && stat(FLAGFILE,&stat_buf) != 0
         && calendar->next_event > t1) sleep(calendar->next_event-t1);
   /* here is the new code for collecting flows right NOW !*/
   if (request_monitor_now) {
      for (ms = first_meter; ms; ms = ms->next) {
         if (ms->status & MT_MANAGE) monitor(ms);
      }
      request_monitor_now=0;
      time(&t1);
      if (calendar->next_event > t1)
         sleep(calendar->next_event-t1);  /* sleep till the next event */
   }
   /* here it goes on with the original code again*/
   if (request_rollover || stat(FLAGFILE,&stat_buf) == 0) {
   [...]
so that's it.
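The patch above tests the flag only after sleep() returns, so a SIGHUP that arrives between the test and the sleep is served at the next scheduled collection instead of at once. The following is an added example, not part of the original post or of NeMaC, showing the same collect-on-signal idea with SIGHUP blocked everywhere except inside pselect(); collect_all(), install_collect_signal() and wait_until() are hypothetical names.

```c
/* Added example: on-demand collection via SIGHUP without a lost wakeup.
 * collect_all(), install_collect_signal() and wait_until() are hypothetical
 * names for this sketch; none of this is NeMaC source. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/select.h>
#include <time.h>
#include <unistd.h>

/* The only object the handler writes; the type makes that write safe. */
static volatile sig_atomic_t request_monitor_now = 0;
static long collections = 0;   /* stand-in for what monitor(ms) would do */

static void sighup_handler(int sig)
{
    (void)sig;
    request_monitor_now = 1;   /* set the flag and return, nothing else */
}

static void collect_all(void)  /* stand-in for the loop over all meters */
{
    collections++;
}

/* Install the handler and leave SIGHUP blocked. It is only ever delivered
 * inside pselect(), so it cannot arrive between the flag test and the sleep. */
int install_collect_signal(void)
{
    struct sigaction sa;
    sigset_t block;

    sa.sa_handler = sighup_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;           /* no SA_RESTART: the wait must be interrupted */
    if (sigaction(SIGHUP, &sa, NULL) != 0)
        return -1;
    sigemptyset(&block);
    sigaddset(&block, SIGHUP);
    return sigprocmask(SIG_BLOCK, &block, NULL);
}

/* Sleep until 'deadline', collecting at once whenever SIGHUP arrives.
 * Returns the number of on-demand collections made, or -1 on error. */
int wait_until(time_t deadline)
{
    sigset_t during_sleep;
    int on_demand = 0;

    if (sigprocmask(SIG_BLOCK, NULL, &during_sleep) != 0)
        return -1;
    sigdelset(&during_sleep, SIGHUP);    /* mask used only while asleep */
    for (;;) {
        struct timespec ts;
        time_t now;

        if (request_monitor_now) {
            request_monitor_now = 0;     /* clear first, then do the work */
            collect_all();
            on_demand++;
        }
        now = time(NULL);
        if (now >= deadline)
            return on_demand;
        ts.tv_sec = deadline - now;
        ts.tv_nsec = 0;
        /* Atomically unblock SIGHUP and sleep. EINTR means the handler ran. */
        if (pselect(0, NULL, NULL, NULL, &ts, &during_sleep) < 0 && errno != EINTR)
            return -1;
    }
}

int main(void)
{
    int cycle;

    if (install_collect_signal() != 0)
        return 1;
    printf("pid %ld: send SIGHUP to collect now\n", (long)getpid());
    for (cycle = 0; cycle < 3; cycle++) {      /* three 10-second intervals */
        int extra = wait_until(time(NULL) + 10);
        if (extra < 0)
            return 1;
        collect_all();                         /* the scheduled collection */
        printf("interval %d: %d on-demand, %ld total\n", cycle, extra, collections);
    }
    return 0;
}
```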
From netramet-owner Fri May 19 19:26:33 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id TAA18647
for netramet-outgoing; Fri, 19 May 2000 19:19:48 +1200 (NZST)
Received: from plaudertasch.big-netz.de (plaudertasch.big-netz.de [195.126.133.132])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id TAA18639
for <
[email protected]>; Fri, 19 May 2000 19:19:41 +1200 (NZST)
Received: from [10.100.130.2] (helo=inside-gmbh.com)
by plaudertasch.big-netz.de with esmtp (Exim 3.13 #1)
id 12sh4H-0002MX-00
for
[email protected]; Fri, 19 May 2000 09:19:33 +0200
Message-ID: <
[email protected]>
Date: Fri, 19 May 2000 09:19:51 +0200
From: Robert Strycharczuk <
[email protected]>
Organization: insIDe
X-Mailer: Mozilla 4.61 [en] (X11; I; Linux 2.2.12-20 i686)
X-Accept-Language: de, en
MIME-Version: 1.0
To: netramet list <
[email protected]>
Subject: one meter, one flowtable, many readers
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender:
[email protected]
Precedence: bulk
Dear NeTraMet users,
as we know NeTraMet supports a system of multiple meter readers.
But I was not able to figure out, how to install one single ruleset
being read by many readers.
I would like to use the following scenario:
- one meter metering the _complete_ traffic using one single ruleset,
a generic IP-ruleset, I've written already - it works fine :-) )
-many readers, all reading the __same__ flowtable
(many means in this case 2-5 maybe more...)
the second point is needed, cause otherwise too many
resources would be wasted by the meter, when metering
the same traffic using the same ruleset, but storing
the same data in more than one flow table. This happens
when I start NeMaC on different machines and download
the same ruleset to the particular meter...
Do You know, how to get this scenario to work ???
thanks in advance
Robert
From netramet-owner Tue May 23 13:01:43 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id MAA23121
for netramet-outgoing; Tue, 23 May 2000 12:52:15 +1200 (NZST)
Received: from lt.itss.auckland.ac.nz (bluebottle.itss.auckland.ac.nz [130.216.4.28])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id MAA23060;
Tue, 23 May 2000 12:51:52 +1200 (NZST)
From: Nevil Brownlee <
[email protected]>
Date: Tue, 23 May 2000 12:57:23 +0000
To: Robert Strycharczuk <
[email protected]>
Subject: Re: one meter, one flowtable, many readers
Cc:
[email protected]
In-Reply-To: <
[email protected]>
References: <
[email protected]>
Message-ID: <
[email protected]>
Priority: NORMAL
X-Mailer: Execmail for Linux 5.1 Build (9)
MIME-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Sender:
[email protected]
Precedence: bulk
Hello Robert:
> - one meter metering the _complete_ traffic using one single ruleset,
> a generic IP-ruleset, I've written already - it works fine :-) )
> -many readers, all reading the __same__ flowtable
> (many means in this case 2-5 maybe more...)
>
> Do You know, how to get this scenario to work ???
You do this using NeMaC's -w option, like this:
a) Start NeMaC to get the master ruleset running -
./NeMaC -c0 -r master.rules host wr_comm master
-c0 says "download ruleset, don't read flow data"
b) Start various copies of NeMaC to read the data you want
./NeMaC -c30 -w2 -r slave1.rules host wr_comm slave1
Notice the owner names (last item on each command line) are
different for the various instances of NeMaC; that's what
NeTraMet uses to distinguish the different managers.
Next, it's the -w2 which tells NeMaC it should use a ruleset
which is already on the meter. But you have to tell NeMaC
which ruleset that is, using its ruleset name, i.e. the
identifier following 'set' in an SRL 'set' statement. I've
modified srl and NeMaC to allow the ruleset name to be an
identifier (max 16 characters) rather than just an integer.
So your master ruleset (master.rules) is the one which actually
has the ruleset in it; it needn't have a format statement
but it *must* have a set statement. And your slave rulesets
don't have rulesets in them, just set and format statements.
When I tested this I found some bugs in NeMaC's implementation
of the -w option, these are fixed in the 44b7 release, which I've
just put up in the beta-versions directory.
Do please try this out and let me know whether it does what
you wanted.
Cheers, Nevil
+---------------------------------------------------------------------+
| Nevil Brownlee Director, Technology Development |
| Phone: +64 9 373 7599 x8941 ITSS, The University of Auckland |
| FAX: +64 9 373 7021 Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------+
From netramet-owner Wed May 24 01:29:04 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id BAA16020
for netramet-outgoing; Wed, 24 May 2000 01:27:40 +1200 (NZST)
Received: from va.com.au (va.com.au [203.15.106.1])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id BAA16014
for <
[email protected]>; Wed, 24 May 2000 01:27:37 +1200 (NZST)
Received: from [1.1.1.6] (203.108.18.140) by va.com.au with ESMTP (Eudora
Internet Mail Server 2.2); Tue, 23 May 2000 22:57:35 +0930
Mime-Version: 1.0
X-Sender:
[email protected]
Message-Id: <a04310102b5503665cc46@[1.1.1.6]>
In-Reply-To: <v0420550ab530a85308a0@[1.1.1.3]>
References: <
[email protected]>
<v0420550ab530a85308a0@[1.1.1.3]>
Date: Tue, 23 May 2000 23:22:35 +1000
To:
[email protected]
From: Jesse Reynolds <
[email protected]>
Subject: NeTraMet on OpenBSD?
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender:
[email protected]
Precedence: bulk
Okay, can I try a simpler question?
Has NeTraMet ever been run on OpenBSD?
cheers
jesse
At 12:58 AM +1000 30/4/00, Jesse Reynolds wrote:
>Hi Folx
>
>I'm wondering if it's recommended to run NeTraMet on the same box as
>IPFilter, with IPFilter being a choke router (two or three ethernet
>interfaces, routing for a web hosting ISP).
>
>I currently have IPFilter running on OpenBSD on a celeron 433 box as
>our main border gateway. I'd love to run NeTraMet on this box as
>well, to analyse our bandwidth for purposes of working out which
>services are costing us the most bandwidth etc....
>
>Has anyone done this, or similar? Are these two things likely to
>work well together?
>
>cheers
>
>jesse
>
>
>--
> Jesse Reynolds - Virtual Artists Pty Ltd -
http://www.va.com.au
> Email: jesse (at) va.com.au -
http://virtual.artists
--
--
Jesse Reynolds - Virtual Artists Pty Ltd -
http://www.va.com.au
Email: jesse (at) va.com.au -
http://virtual.artists
From netramet-owner Wed May 24 05:56:04 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id FAA26756
for netramet-outgoing; Wed, 24 May 2000 05:55:13 +1200 (NZST)
Received: from andie.ip23.net (andie.ip23.net [212.83.32.23])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id FAA26750
for <
[email protected]>; Wed, 24 May 2000 05:55:08 +1200 (NZST)
Received: from imap1.ip23.net (imap1.ip23.net [212.83.32.35])
by andie.ip23.net (8.9.3/8.9.3) with ESMTP id TAA94728;
Tue, 23 May 2000 19:54:36 +0200 (CEST)
Received: from ip23.net (
[email protected] [212.83.32.71])
by imap1.ip23.net (8.9.3/8.9.3) with ESMTP id UAA11025;
Tue, 23 May 2000 20:04:06 +0200 (CEST)
Message-ID: <
[email protected]>
Date: Tue, 23 May 2000 19:46:19 +0200
From: Markus Fix <
[email protected]>
Reply-To:
[email protected]
Organization: IP23 GmbH
X-Mailer: Mozilla 4.7 [en] (X11; I; Linux 2.2.13 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: Jesse Reynolds <
[email protected]>
CC:
[email protected]
Subject: Re: NeTraMet on OpenBSD?
References: <
[email protected]>
<v0420550ab530a85308a0@[1.1.1.3]> <a04310102b5503665cc46@[1.1.1.6]>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender:
[email protected]
Precedence: bulk
Jesse Reynolds wrote:
>
> Okay, can I try a simpler question?
>
> Has NeTraMet ever been run on OpenBSD?
>
Yes, we did evaluate it with OpenBSD. It does work, although
it's not a straightforward port.
-fix
> cheers
>
> jesse
>
> At 12:58 AM +1000 30/4/00, Jesse Reynolds wrote:
> >Hi Folx
> >
> >I'm wondering if it's recommended to run NeTraMet on the same box as
> >IPFilter, with IPFilter being a choke router (two or three ethernet
> >interfaces, routing for a web hosting ISP).
> >
> >I currently have IPFilter running on OpenBSD on a celeron 433 box as
> >our main border gateway. I'd love to run NeTraMet on this box as
> >well, to analyse our bandwidth for purposes of working out which
> >services are costing us the most bandwidth etc....
> >
> >Has anyone done this, or similar? Are these two things likely to
> >work well together?
> >
> >cheers
> >
> >jesse
> >
> >
> >--
> > Jesse Reynolds - Virtual Artists Pty Ltd -
http://www.va.com.au
> > Email: jesse (at) va.com.au -
http://virtual.artists
>
> --
>
> --
> Jesse Reynolds - Virtual Artists Pty Ltd -
http://www.va.com.au
> Email: jesse (at) va.com.au -
http://virtual.artists
--
Markus Fix (general manager) IP23 GmbH
[email protected] http://www.ip23.net Daimlerstrasse 31
Phone: +49.69.408999.10 Fax: .40 60314 Frankfurt/Germany
1D D8 66 43 2A 84 C6 53 96 DE FE 3E E4 A1 1D EC 2B F0 41 16
From netramet-owner Wed May 24 19:44:54 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id TAA20215
for netramet-outgoing; Wed, 24 May 2000 19:38:44 +1200 (NZST)
Received: from va.com.au (va.com.au [203.15.106.1])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id TAA20207
for <
[email protected]>; Wed, 24 May 2000 19:38:40 +1200 (NZST)
Received: from [1.1.1.6] (203.108.18.140) by va.com.au with ESMTP (Eudora
Internet Mail Server 2.2); Wed, 24 May 2000 17:08:27 +0930
Mime-Version: 1.0
X-Sender:
[email protected]
Message-Id: <a04310101b551331660da@[1.1.1.6]>
In-Reply-To: <
[email protected]>
References: <
[email protected]>
<v0420550ab530a85308a0@[1.1.1.3]> <a04310102b5503665cc46@[1.1.1.6]>
<
[email protected]>
Date: Wed, 24 May 2000 17:21:19 +1000
To:
[email protected]
From: Jesse Reynolds <
[email protected]>
Subject: Re: NeTraMet on OpenBSD?
Cc:
[email protected]
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender:
[email protected]
Precedence: bulk
At 7:46 PM +0200 23/5/00, Markus Fix wrote:
>Jesse Reynolds wrote:
>>
>> Okay, can I try a simpler question?
>>
>> Has NeTraMet ever been run on OpenBSD?
>>
>
>
>Yes, we did evaluate it with OpenBSD. It does work, although
>it's not a straightforward port.
Hmm. Sounds difficult. Are there any pointers written down anywhere?
What is difficult about the process... does it not compile unless you
alter the code or something? (In which case I'm stuffed as I don't
know C)
cheers
jesse
--
--
Jesse Reynolds - Virtual Artists Pty Ltd -
http://www.va.com.au
Email: jesse (at) va.com.au -
http://virtual.artists
From netramet-owner Sat May 27 03:34:12 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id DAA05510
for netramet-outgoing; Sat, 27 May 2000 03:30:52 +1200 (NZST)
Received: from mail.gorge.net (mail.gorge.net [205.162.195.4])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id DAA05503
for <
[email protected]>; Sat, 27 May 2000 03:30:49 +1200 (NZST)
Received: from laptop ([206.163.94.76]) by mail.gorge.net
(Post.Office MTA v3.5.3 release 223 ID# 0-65083U9000L900S0V35)
with SMTP id net for <
[email protected]>;
Fri, 26 May 2000 08:21:50 -0700
From: "steve elder" <
[email protected]>
To: "Netramet" <
[email protected]>
Subject: Ruleset archive
Date: Fri, 26 May 2000 08:29:27 -0700
Message-ID: <
[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Importance: Normal
Sender:
[email protected]
Precedence: bulk
Does anyone know of a common ruleset archive other than the examples
directory?
Steve Elder
Senior Network Engineer, DSi
From netramet-owner Tue May 30 04:28:19 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id EAA22316
for netramet-outgoing; Tue, 30 May 2000 04:22:27 +1200 (NZST)
Received: from hotmail.com (f296.law7.hotmail.com [216.33.236.174])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with SMTP id EAA22311
for <
[email protected]>; Tue, 30 May 2000 04:22:23 +1200 (NZST)
Received: (qmail 7229 invoked by uid 0); 29 May 2000 16:21:51 -0000
Message-ID: <
[email protected]>
Received: from 202.43.193.102 by www.hotmail.com with HTTP;
Mon, 29 May 2000 09:21:51 PDT
X-Originating-IP: [202.43.193.102]
From: "Benjamin Lagunilla" <
[email protected]>
To:
[email protected]
Subject: getting cisco netflows properly
Date: Tue, 30 May 2000 00:21:51 PHT
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Sender:
[email protected]
Precedence: bulk
Hello,
I am using NetFlowMet to gather cisco netflow statistics. What I want
to do is capture and do statistics gathering every 5 minutes. Only the
network traffic for 5 minutes should be captured/gathered.
I don't think I am doing it right. At times, the gathered data suggests
a utilization that exceeds the bandwidth. My problem may lie in properly
expiring flows. When does cisco export flows? Does it also "accumulate"
data for a particular flow longer than 5 minutes? In which case, I really
cannot solve the problem via proper NetFlowMet and/or NeMaC configuration.
Any suggestions how I could accurately get network data for intervals of
5 minutes? Or is it not possible at all?
Thanks.
-- Ben
________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at
http://www.hotmail.com
From netramet-owner Tue May 30 17:18:01 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id RAA08241
for netramet-outgoing; Tue, 30 May 2000 17:16:06 +1200 (NZST)
Received: from lemon.office.netlink.net.nz (lemon.office.netlink.net.nz [203.97.244.37])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id RAA08233
for <
[email protected]>; Tue, 30 May 2000 17:16:03 +1200 (NZST)
Received: from netlink.net.nz (bamboo.office.netlink.net.nz [203.97.244.25])
by lemon.office.netlink.net.nz (8.10.1/8.10.1) with ESMTP id e4U5FWP05996
for <
[email protected]>; Tue, 30 May 2000 17:15:32 +1200 (NZST)
Message-ID: <
[email protected]>
Date: Tue, 30 May 2000 17:15:32 +1200
From: Dylan Hall <
[email protected]>
Organization: Netlink Ltd
X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.14 i686)
X-Accept-Language: en
MIME-Version: 1.0
To:
[email protected]
Subject: Problem with '-l' on NeTraMet
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender:
[email protected]
Precedence: bulk
Has anyone else observed problems with the -l flag on NeTraMet?
More precisely, I was comparing the output of tcpdump with
NeTraMet and I was getting a 14ish byte per packet difference,
after a little reading I concluded that it was because NeTraMet
was counting the MAC headers as well as the IP packet. I added
the -l flag to NeTraMet but it doesn't appear to have made any
difference.
I'm using RedHat Linux 6.2 on a PII-400. I was initially using
the pre-compiled Linux binaries (NeTraMet v4.3). I am now using
a version I compiled myself. I had some problems compiling the
binaries, if I use the libpcap RPM that comes with RH6.2 the
resulting NeTraMet doesn't seem to work. It runs fine but seems
to use 0% CPU and NeMaC produces empty flow files. I removed this
version of libpcap (libpcap-0.4-19.i386.rpm) and installed libpcap
from source. This seems to have fixed the compiling problem.
Any idea?
Thanx
Dylan Hall
Network Engineer
Netlink - A Telstra Saturn Company
From netramet-owner Wed May 31 00:48:17 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id AAA01193
for netramet-outgoing; Wed, 31 May 2000 00:47:10 +1200 (NZST)
Received: from ncrottchoexint9.navcanada.ca (nc2.navcanada.ca [204.191.53.162])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id AAA01188
for <
[email protected]>; Wed, 31 May 2000 00:47:07 +1200 (NZST)
Received: from thewall (172.20.7.145 [172.20.7.145]) by ncrottchoexint9.navcanada.ca with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21)
id KLJWJLKC; Tue, 30 May 2000 08:55:09 -0400
Received: from gatewayserver2 ([172.20.7.149]) by thewall.navcanada.ca; Tue, 30 May 2000 06:49:06 +0000 (EST)
Received: from SMTP (NCROTTCHOOUSCAN [172.20.7.147]) by ncrottchoexin5.navcanada.ca with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0)
id LQA6KKLB; Tue, 30 May 2000 08:49:06 -0400
Received: from ncrottchoexint1.navcanada.ca ([172.20.1.15]) by 172.20.7.147
(Norton AntiVirus for Internet Email Gateways 1.0) ;
Tue, 30 May 2000 13:00:01 0000 (GMT)
Received: by ncrottchoexint1.navcanada.ca with Internet Mail Service (5.5.2650.21)
id <LP0M968R>; Tue, 30 May 2000 08:49:04 -0400
Message-ID: <8D6E89A27490D21190240008C75D92BFDA1FD9@ncrotttscexusr1.navcanada.ca>
From: "Lu, Mark" <
[email protected]>
To: NeTraMet mailing list <
[email protected]>
Subject: RFC2724 (NEW_ATR TCP_ATR) supported yet?
Date: Tue, 30 May 2000 08:49:08 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01BFCA35.6F4E4F46"
Sender:
[email protected]
Precedence: bulk
This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
------_=_NextPart_001_01BFCA35.6F4E4F46
Content-Type: text/plain;
charset="iso-8859-1"
Are the new attributes described in RFC2724 supported yet?
I see there is NEW_ATR and TCP_ATR in the source code, but
do I need a new mib file to use this? or do I just browse the mib with
openview?
I am particularly interested in "bucket" bit-rate stats for aggregate
one-way flows
to help us when ordering CIR values in public Frame Relay networks.
Thanks
------_=_NextPart_001_01BFCA35.6F4E4F46--
From netramet-owner Wed May 31 05:02:15 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id EAA10704
for netramet-outgoing; Wed, 31 May 2000 04:59:31 +1200 (NZST)
Received: from mail.gorge.net (mail.gorge.net [205.162.195.4])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id EAA10696
for <
[email protected]>; Wed, 31 May 2000 04:59:25 +1200 (NZST)
Received: from laptop ([206.163.94.161]) by mail.gorge.net
(Post.Office MTA v3.5.3 release 223 ID# 0-65083U9000L900S0V35)
with SMTP id net for <
[email protected]>;
Tue, 30 May 2000 09:48:21 -0700
From: "s" <
[email protected]>
To: "Netramet" <
[email protected]>
Subject: Redhat linux, Libpcap and empty flows
Date: Tue, 30 May 2000 09:56:14 -0700
Message-ID: <
[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
In-Reply-To: <
[email protected]>
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Importance: Normal
Sender:
[email protected]
Precedence: bulk
Folks,
I just ran into a libpcap incompatibility problem using Redhat 6.1, Ethereal
packet analyzer and Netramet. The symptoms are that NeTraMet and NeMac seem
to be able to talk to each other but don't actually "SEE" any packets,
producing empty flow files.
I had originally installed a patched version of libpcap at the behest of the
Ethereal web page, apparently there is a bug in the stock Redhat libpcap
implementation that hangs Ethereal. Then after installing NeTraMet and
getting nothing but empty flows, I finally removed libpcap altogether and
recompiled the "official" version from ftp.ee.lbl.gov. After that NeTraMet
has been working perfectly and Ethereal also seems to be ok.
So the upshot is that NeTraMet may require a "stock" version of lbl's
libpcap to run.
Thanks,
Steve Elder
-----Original Message-----
From:
[email protected]
[mailto:
[email protected]]On Behalf Of Dylan Hall
Sent: Monday, May 29, 2000 10:16 PM
To:
[email protected]
Subject: Problem with '-l' on NeTraMet
Has anyone else observed problems with the -l flag on NeTraMet?
More precisely, I was comparing the output of tcpdump with
NeTraMet and I was getting a 14ish byte per packet difference,
after a little reading I concluded that it was because NeTraMet
was counting the MAC headers as well as the IP packet. I added
the -l flag to NeTraMet but it doesn't appear to have made any
difference.
I'm using RedHat Linux 6.2 on a PII-400. I was initially using
the pre-compiled Linux binaries (NeTraMet v4.3). I am now using
a version I compiled myself. I had some problems compiling the
binaries, if I use the libpcap RPM that comes with RH6.2 the
resulting NeTraMet doesn't seem to work. It runs fine but seems
to use 0% CPU and NeMaC produces empty flow files. I removed this
version of libpcap (libpcap-0.4-19.i386.rpm) and installed libpcap
from source. This seems to have fixed the compiling problem.
Any idea?
Thanx
Dylan Hall
Network Engineer
Netlink - A Telstra Saturn Company
From netramet-owner Wed May 31 05:02:15 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id EAA10667
for netramet-outgoing; Wed, 31 May 2000 04:58:32 +1200 (NZST)
Received: from compaq-nb.caida.org (bluebottle.itss.auckland.ac.nz [130.216.4.28])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with SMTP id EAA10648;
Wed, 31 May 2000 04:58:18 +1200 (NZST)
From: Nevil Brownlee <
[email protected]>
To: "Lu, Mark" <
[email protected]>
Cc: NeTraMet mailing list <
[email protected]>
Subject: Re: RFC2724 (NEW_ATR TCP_ATR) supported yet?
Message-ID: <
[email protected]>
Date: Wed, 31 May 2000 06:03:43 +1300 (DST)
Priority: NORMAL
X-Mailer: Simeon for Win32 Version 4.1.5 Build (43)
X-Authentication: none
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender:
[email protected]
Precedence: bulk
Hello Mark:
> Are the new attributes described in RFC2724 supported yet?
Yes. I've appended a note below telling you how to use them.
> I see there is NEW_ATR and TCP_ATR in the source code, but
> do I need a new mib file to use this? or do I just browse the mib with
> openview?
The NeTraMet release is distributed with both NEW_ATR and TCP_ATR
set, so the new attributes are available by default.
You don't need a new mib, just go on using mib.txt from the NeTraMet
distribution. At this stage we haven't made changes to bring the
new attributes explicitly into the MIB, so the distributions are
brought back as BER sequences within a flow data package. OpenView
will be able to see them, but if you do it that way you'll have to
bring back a data package containing the bit-rate attributes
you want.
> I am particularly interested in "bucket" bit-rate stats for aggregate
> one-way flows
> to help us when ordering CIR values in public Frame Relay networks.
We've used 10-second bit rates for this for about two years now.
I suggest you start by trying a ruleset to get frombitrate and
tobitrate, using SRL statements like these to build the bitrate
distributions:
save ToBitRate = 100.10.0!0 & 1.3.1!2000;
save FromBitRate = 100.10.0!0 & 1.3.1!2000;
# 100 buckets, 10s intervals, linear scale, 10**3 => 1 .. 2000 kbps
Then have a look at the flow data file written by NeMaC.
Please let me know how you get on with this.
Cheers, Nevil
+---------------------------------------------------------------------+
| Nevil Brownlee Director, Technology Development |
| Phone: +64 9 373 7599 x8941 ITSS, The University of Auckland |
| FAX: +64 9 373 7425 Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------+
----------------- copy of email from 11 Oct 99 -------------------
Hello Rohit:
> If somebody has already done it , can you tell me the procedure of
> how to integrate distributed valued objects in NetraMet and calculate
> packet size distribution and inter arrival time ?
Here is a sample ruleset:
define MYNET = 130.216/16;  # The network you want a distribution for
if SourcePeerType == IP save;
else ignore;
if SourcePeerAddress == MYNET save, {
   save FromPacketSize = 100.0.0!0 & 1.0.1!1520;
   save ToPacketSize = 100.0.0!0 & 1.0.1!1520;
      # 100 buckets, linear scale, 10**0 => 1 .. 1520
#  save ToTurnaroundTime = 100.0.0!0 & 2.3.140!740;
      # 100 buckets, log scale, 10**3 => 140..740 ms
   count;
   }
set 7;
format
   FlowRuleSet FlowIndex FirstTime SourcePeerType
   " " ToPDUs ToOctets " " FromPDUs FromOctets
#  SourcePeerAddress DestPeerAddress
   " (" FromPacketSize
   ") (" ToPacketSize ")";
The fields in the address (i.e. the value & mask fields) are:
Mask bytes:
    1    Transform       1 = linear, 2 = logarithmic
    2    Scale Factor    Power of 10 multiplier for Limits
                         and Counts
   3-4   Lower Limit     Highest value for first bucket
   5-6   Upper Limit     Highest value for last bucket
Value bytes:
    1    Buckets         Number of buckets. Does not include
                         the 'overflow' bucket
    2    Parameter-1   } Parameter use depends
   3-4   Parameter-2   } on distribution-valued
   5-6   Parameter-3   } attribute
The list of distribution-valued attributes is the one given in the New
Attributes Internet Draft. (I find ToBitRate and FromBitRate very
useful).
-------------------------------------------------------------------
When you run the ruleset given above, NeMaC produces flow data records
like this:
#Time: 15:58:00 Mon 11 Oct 1999 k-meter.itss Flows from 73686 to 78897
10 8822 36573680 1 12724 2975854 13172 6824801 (1 0 1 1520 100 0 0 0 0 0 0
0 4599 417 220 363 639 235 162 114 103 119 64 54 47 34 22 35 46 24 407 58 16 21
45 58 34 253 63 16 46 43 12 73 10 384 17 414 15 190 38 18 22 14 7 14 11 12 15
14 8 191 11 14 7 7 11 9 5 9 59 10 4 5 9 5 10 9 12 17 6 5 19 15 7 5 8 8 15 63 14
8 7 9 5 8 12 11 8 7 7 10 10 3 139 7 16 2691 0) (1 0 1 1520 100 0 0 0 0 0 0 0
7070 571 337 499 559 349 205 59 24 60 16 11 74 26 15 20 31 44 26 20 40 28 34 4
2 54 47 54 49 39 75 33 80 67 305 47 753 15 25 12 20 8 26 10 9 8 4 7 3 3 22 1 4
2 2 3 7 4 2 9 7 2 1 1 1 0 5 6 3 1 10 5 4 5 7 6 4 2 10 5 6 3 4 9 1 2 8 1 26 3 3
7 5 0 46 1 545 0)
#EndData: k-meter.itss
Each distribution appears in the record as a series of integers. The
first eight are the distribution parameters values, in the order I listed
them above, i.e. Transform, Scale factor, .. These eight integers are
followed by n+1 integers, where n is the number of Buckets. The extra
bucket is the overflow bucket, it counts the number of observations with
values greater than the Upper Limit parameter. NeTraMet has an
implementation limit of 100 buckets.
My format statement put parentheses around each distribution. This is
not required by NeMaC or fd_filter, but it makes it a lot easier for
people to read the flow data file!
-------------------------------------------------------------------
fd_filter can take differences of distribution values. Here's a sample
format file for fd_filter.
format
   FlowRuleSet FlowIndex FirstTime SourcePeerType
   " " d_ToPDUs d_ToOctets " " d_FromPDUs d_FromOctets
#  SourcePeerAddress DestPeerAddress
   " (" d_FromPacketSize
   ") (" d_ToPacketSize ")";
-------------------------------------------------------------------
Running the above filter on my flow data file produces flow records like
this ..
#Format: flowruleset flowindex firsttime sourcepeertype d_topdus d_tooctets d_frompdus d_fromoctets (d_frompacketsize) (d_topacketsize)
#Time: 15:57:08 Mon 11 Oct 1999 k-meter.itss Flows from 0 to 36573687
#Ruleset: 10 7 da_demo.rules pktsz_dist
#EndData: k-meter.itss
#Time: 15:58:00 Mon 11 Oct 1999 k-meter.itss Flows from 36573686 to 36578897
10 8822 36573680 1 12687 2961387 13154 6814444 (1 0 1 1520 100 0 0 0 0 0 0
0 4592 416 220 363 639 234 162 114 103 119 64 54 47 34 22 35 46 24 407 58 16 21
43 58 34 253 63 16 46 43 12 73 10 384 17 413 15 190 38 18 22 14 7 14 11 12 15
13 8 191 11 14 7 7 11 9 5 9 59 10 4 5 9 5 10 9 12 17 6 5 19 15 7 5 8 8 15 63 14
8 7 9 5 8 12 11 8 7 7 10 10 3 139 7 16 2686 0) (1 0 1 1520 100 0 0 0 0 0 0 0
7055 571 336 493 558 349 203 58 24 60 16 11 73 26 14 20 31 44 26 19 40 28 34 4
2 54 47 54 49 39 75 33 80 67 305 47 753 15 25 12 20 8 26 10 9 8 4 7 3 3 22 1 4
2 2 3 7 4 2 9 7 2 1 1 1 0 5 6 3 1 10 5 4 5 7 4 4 2 10 5 6 3 4 9 1 2 8 1 26 3 3
7 5 0 46 1 539 0)
#EndData: k-meter.itss
-------------------------------------------------------------------
Having collected some distributions, what can you do with them?
Well, I have a collection of perl scripts which process flow data files
like those above, which compute statistics and/or produce gnuplot files.
Real soon now I plan to write this up, producing a 'how to use
distribution-valued attributes with NeTraMet.' Meanwhile I hope this is
enough information to get you started.
Cheers, Nevil
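
Added example, not part of Nevil's message or of the NeTraMet distribution: a C parser for one parenthesised distribution as described above (eight parameters, then n+1 counters, the last being the overflow bucket). It rejects groups with the wrong number of counters or more than 100 buckets. It assumes Buckets is the fifth parameter, as the value 100 in the sample records suggests; struct dist, next_int and parse_dist are hypothetical names, and the record in main() is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define N_PARAMS    8    /* Transform, Scale factor, ... */
#define MAX_BUCKETS 100  /* NeTraMet implementation limit */
#define BUCKETS_IDX 4    /* assumption: Buckets is the fifth parameter */

struct dist {                        /* hypothetical name */
    long params[N_PARAMS];
    long buckets[MAX_BUCKETS + 1];   /* n buckets plus the overflow bucket */
    int  n;                          /* bucket count, overflow excluded */
};

/* Read one integer at *p; returns 0 and advances *p, or -1 if none is there. */
static int next_int(const char **p, long *out)
{
    char *end;
    *out = strtol(*p, &end, 10);     /* skips leading blanks and newlines */
    if (end == *p) return -1;
    *p = end;
    return 0;
}

/* Parse one "(p1..p8 b1..bn overflow)" group at or after *s.
 * Returns 0 and moves *s past ')' on success, -1 on a malformed group. */
int parse_dist(const char **s, struct dist *d)
{
    const char *p = strchr(*s, '(');
    int i;
    if (p == NULL) return -1;
    p++;
    for (i = 0; i < N_PARAMS; i++)
        if (next_int(&p, &d->params[i]) != 0) return -1;
    if (d->params[BUCKETS_IDX] < 1 || d->params[BUCKETS_IDX] > MAX_BUCKETS) return -1;
    d->n = (int)d->params[BUCKETS_IDX];
    for (i = 0; i <= d->n; i++)      /* n buckets + 1 overflow */
        if (next_int(&p, &d->buckets[i]) != 0) return -1;
    while (*p == ' ' || *p == '\n' || *p == '\r') p++;
    if (*p != ')') return -1;        /* surplus counters or missing ')' */
    *s = p + 1;
    return 0;
}

int main(void)
{
    const char *rec = "(1 0 1 1520 4 0 0 0 10 20 30 40 5)";  /* constructed */
    struct dist d;
    if (parse_dist(&rec, &d) == 0) printf("n=%d overflow=%ld\n", d.n, d.buckets[d.n]);
    return 0;
}
```

Calling parse_dist() twice on the same pointer walks through both distributions of a flow record, because each successful call leaves the pointer just past the closing parenthesis.
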
From netramet-owner Wed May 31 05:04:34 2000
Received: (from majordom@localhost)
    by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id FAA10919
    for netramet-outgoing; Wed, 31 May 2000 05:02:53 +1200 (NZST)
Received: from mail.gorge.net (mail.gorge.net [205.162.195.4])
    by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id FAA10911
    for <[email protected]>; Wed, 31 May 2000 05:02:49 +1200 (NZST)
Received: from laptop ([206.163.94.161]) by mail.gorge.net
    (Post.Office MTA v3.5.3 release 223 ID# 0-65083U9000L900S0V35)
    with SMTP id net for <[email protected]>;
    Tue, 30 May 2000 09:53:11 -0700
From: "s" <[email protected]>
To: "Netramet" <[email protected]>
Subject: Redhat linux, Libpcap and empty flows
Date: Tue, 30 May 2000 10:01:03 -0700
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
In-Reply-To: <[email protected]>
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Importance: Normal
Sender: [email protected]
Precedence: bulk
Folks,
I just ran into a libpcap incompatibility problem using Redhat 6.1, Ethereal
packet analyzer and NeTraMet. The symptoms are that NeTraMet and NeMaC seem
to be able to talk to each other but don't actually "SEE" any packets,
producing empty flow files.
I had originally installed a patched version of libpcap at the behest of the
Ethereal web page; apparently there is a bug in the stock Redhat libpcap
implementation that hangs Ethereal. Then after installing NeTraMet and
getting nothing but empty flows, I finally removed libpcap altogether and
recompiled the "official" version from ftp.ee.lbl.gov. After that NeTraMet
has been working perfectly and Ethereal also seems to be ok.
So the upshot is that NeTraMet may require a "stock" version of lbl's
libpcap to run.
Thanks,
Steve Elder
-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of Dylan Hall
Sent: Monday, May 29, 2000 10:16 PM
To: [email protected]
Subject: Problem with '-l' on NeTraMet
Has anyone else observed problems with the -l flag on NeTraMet?
More precisely, I was comparing the output of tcpdump with
NeTraMet and I was getting a 14ish byte per packet difference.
After a little reading I concluded that it was because NeTraMet
was counting the MAC headers as well as the IP packet. I added
the -l flag to NeTraMet but it doesn't appear to have made any
difference.
I'm using RedHat Linux 6.2 on a PII-400. I was initially using
the pre-compiled Linux binaries (NeTraMet v4.3). I am now using
a version I compiled myself. I had some problems compiling the
binaries: if I use the libpcap RPM that comes with RH6.2 the
resulting NeTraMet doesn't seem to work. It runs fine but seems
to use 0% CPU and NeMaC produces empty flow files. I removed this
version of libpcap (libpcap-0.4-19.i386.rpm) and installed libpcap
from source. This seems to have fixed the compiling problem.
Any idea?
Thanx
Dylan Hall
Network Engineer
Netlink - A Telstra Saturn Company
From netramet-owner Wed May 31 17:25:57 2000
Received: (from majordom@localhost)
    by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id RAA28904
    for netramet-outgoing; Wed, 31 May 2000 17:23:06 +1200 (NZST)
Received: from lemon.office.netlink.net.nz (lemon.office.netlink.net.nz [203.97.244.37])
    by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id RAA28891
    for <[email protected]>; Wed, 31 May 2000 17:23:03 +1200 (NZST)
Received: from netlink.net.nz (bamboo.office.netlink.net.nz [203.97.244.25])
    by lemon.office.netlink.net.nz (8.10.1/8.10.1) with ESMTP id e4V5MWP27437
    for <[email protected]>; Wed, 31 May 2000 17:22:32 +1200 (NZST)
Message-ID: <[email protected]>
Date: Wed, 31 May 2000 17:22:32 +1200
From: Dylan Hall <[email protected]>
Organization: Netlink Ltd
X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.14 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: [email protected]
Subject: Follow up on the NeTraMet '-l' bug
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Precedence: bulk
I think I have found the cause of the problem. Can someone who is more
familiar with the code take a look and see if I've got it right?
In meter_ux.c, inside the routine ether_callback (and fddi_callback),
there is the following:
    if (handle_pkt(&pp, ether_type,lsap, (unsigned char *)ethp,
            p, h->caplen - sizeof(struct ether_hdr))) {
        pp.p_len = h->len;
        pp.Low.Interface = pp.High.Interface = user->nbr;
            /* NETFLOW uses Low.Interface for ntm_interface */
        pp.Low.AdjType = pp.High.AdjType = AT_ETHERNET;
        pp.arrival_time = h->ts;  /* struct timeval */
        pkt_monitor(&pp);
    }
As best I can tell, pkt_monitor() calls count(), which counts the bytes
using pp.p_len.
The problem I can see is that handle_pkt() contains the code that
checks for the '-l' flag (use_ip_length == 1):
    if (proto_reqd[AT_IP4]) {
        pkt_extract(pp, AT_IP4, p,pl);
        if (use_ip_length) pp->p_len = p[2] << 8 | p[3];
    }
but the line pp.p_len = h->len in the first bit of code above overwrites
the changes to pp.p_len.
Have I got this right?
Is this the right forum to discuss this?
Thanks,
Dylan Hall
Network Engineer
Netlink - A Telstra Saturn Company
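
Added example, not NeTraMet source and not part of the message above: a reduced C model of the assignment order Dylan describes, next to one possible reordering, run on a constructed frame. struct pkt, the simplified handle_pkt() signature, sample_frame and both counted_len_* functions are assumptions made for the illustration; only p_len, use_ip_length and the p[2] << 8 | p[3] expression come from the quoted code.

```c
#include <stdio.h>
#include <stddef.h>

#define ETHER_HDR_LEN 14             /* dst MAC, src MAC, EtherType */

struct pkt { unsigned p_len; };      /* stand-in for the meter's packet record */
static int use_ip_length;            /* 1 models running the meter with -l */

/* Constructed frame: Ethernet header, then an IPv4 header with Total Length 100. */
const unsigned char sample_frame[34] = { [12] = 0x08, [14] = 0x45, [17] = 0x64 };

/* Simplified handle_pkt(): p points at the IPv4 header, pl bytes were captured. */
static int handle_pkt(struct pkt *pp, const unsigned char *p, size_t pl)
{
    if (pl < 4) return 0;            /* Total Length field not captured */
    if (use_ip_length) pp->p_len = p[2] << 8 | p[3];
    return 1;
}

/* Order quoted in the message: the wire length is stored after handle_pkt(). */
unsigned counted_len_as_posted(const unsigned char *f, size_t caplen, unsigned len)
{
    struct pkt pp = {0};
    if (caplen < ETHER_HDR_LEN) return 0;
    if (!handle_pkt(&pp, f + ETHER_HDR_LEN, caplen - ETHER_HDR_LEN)) return 0;
    pp.p_len = len;                  /* replaces the IP length set under -l */
    return pp.p_len;
}

/* One possible reordering: store the default first, let handle_pkt() override it. */
unsigned counted_len_reordered(const unsigned char *f, size_t caplen, unsigned len)
{
    struct pkt pp = {0};
    if (caplen < ETHER_HDR_LEN) return 0;
    pp.p_len = len;
    if (!handle_pkt(&pp, f + ETHER_HDR_LEN, caplen - ETHER_HDR_LEN)) return 0;
    return pp.p_len;
}

int main(void)
{
    use_ip_length = 1;
    printf("as posted: %u, reordered: %u\n",
           counted_len_as_posted(sample_frame, sizeof sample_frame, 114),
           counted_len_reordered(sample_frame, sizeof sample_frame, 114));
    return 0;
}
```

With the flag set, the two orderings differ by exactly the Ethernet header length, which matches the per-packet difference against tcpdump reported in the earlier message.
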