From netramet-owner Thu Nov 2 10:51:52 2000
From: "John A. Lauro" <
[email protected]>
X-Real-Sender: ADMINJL
Organization: The University of Michigan - Flint
To:
[email protected]
Date: Wed, 1 Nov 2000 16:45:50 EDT
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: archive/FAQ for netramet?
Priority: normal
X-mailer: Pegasus Mail v3.40
Message-ID: <
[email protected]>
Sender:
[email protected]
Precedence: bulk
Hello,
I just joined this list (netramet). Is there an archive and/or FAQ
for this list?
---------------------------------------------------------------------------
John Lauro email:
[email protected]
University of Michigan - Flint
[email protected]
Information Technology Services
303 E. Kearsley St. phone: (810) 762-3123
Flint, MI 48502 fax: (810) 766-6805
From netramet-owner Fri Nov 3 05:48:00 2000
From: "John A. Lauro" <
[email protected]>
X-Real-Sender: ADMINJL
Organization: The University of Michigan - Flint
To:
[email protected]
Date: Thu, 2 Nov 2000 11:45:27 EDT
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Post SRL processing
Priority: normal
X-mailer: Pegasus Mail v3.40
Message-ID: <
[email protected]>
Sender:
[email protected]
Precedence: bulk
Sorry for the newbie questions here... NeTraMet looks like it can be
configured with SRL files to produce the types of custom statistics I
need.
However, is there a way to collect data and then process a SRL file
against it later? Netramet seems good for collecting stats,
assuming you know all the reports you need in advance, but
unfortunately that isn't always the case... I am probably missing
something simple here, but is there a way to feed an argus log file
(or other, maybe native format that has a fairly compact detail
records) to NeTraMet suite of programs, and then process the SRL file
sometime other than live?
---------------------------------------------------------------------------
John Lauro email:
[email protected]
University of Michigan - Flint
[email protected]
Information Technology Services
303 E. Kearsley St. phone: (810) 762-3123
Flint, MI 48502 fax: (810) 766-6805
From netramet-owner Fri Nov 3 06:41:24 2000
Message-ID: <
[email protected]>
Date: Thu, 02 Nov 2000 11:34:39 -0600
From: David Burgess <
[email protected]>
Organization: The MITRE Corporation
X-Mailer: Mozilla 4.75 [en]C-20000818M (Win95; U)
X-Accept-Language: en
MIME-Version: 1.0
To: "John A. Lauro" <
[email protected]>
CC:
[email protected]
Subject: Re: Post SRL processing
References: <
[email protected]>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender:
[email protected]
Precedence: bulk
I'd kind of like to see a repository for reports and collectors.
Having an SRL is nice, but I want to make sure I get the information
I need to manage my network.
If there is interest, I have access to resources that could make a
repository of SRLs, reports, etc. available world-wide.
"John A. Lauro" wrote:
>
> Sorry for the newbie questions here... NeTraMet looks like it can be
> configured with SRL files to produce the types of custom statistics I
> need.
>
> However, is there a way to collect data and then process a SRL file
> against it later? Netramet seems good for collecting stats,
> assuming you know all the reports you need in advance, but
> unfortunately that isn't always the case... I am probably missing
> something simple here, but is there a way to feed an argus log file
> (or other, maybe native format that has a fairly compact detail
> records) to NeTraMet suite of programs, and then process the SRL file
> sometime other than live?
>
> ---------------------------------------------------------------------------
> John Lauro email:
[email protected]
> University of Michigan - Flint
[email protected]
> Information Technology Services
> 303 E. Kearsley St. phone: (810) 762-3123
> Flint, MI 48502 fax: (810) 766-6805
From netramet-owner Sat Nov 4 01:21:52 2000
Message-ID: <
[email protected]>
Date: Fri, 03 Nov 2000 15:21:04 +0300
From: "Sergey V. Artjushkin" <
[email protected]>
X-Mailer: Mozilla 4.72 [ru] (X11; I; FreeBSD 4.1.1-RELEASE i386)
X-Accept-Language: ru, en
MIME-Version: 1.0
To:
[email protected]
Subject: NeTraMet not responds on snmp requests
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Sender:
[email protected]
Precedence: bulk
Hello colleagues
I have just installed Netramet 4.3 on FreeBSD 4.1.
I want to collect traffic statistics from this machine.
I run Netramet and NeMac like this:
NeTraMet -i de1 -m 165 -w ipmeterw -r ipmeterr
NeMaC -D -m 165 -c 300 -r rules.rules localhost ipmeterw
Everything is ok, but after 5 minutes NeTraMet is not responding
to snmp requests, but the daemon is running.
Can somebody explain what happened and where I'm wrong?
The following is the NeTraMet logs.
Network Meter v4.3
Running on plug-gw, interface de1
1444:41 ri[11]: '1', 7 rules
1444:41 ri[11]: '1', rhss = 1
1444:41 Manager 10, Current set 11
1444:42 '1' flows read by NeMaC
Statistics Zeroed
1445:00 '1' flows read by NeMaC
Statistics Zeroed
The following is NeMac logs:
bash-2.04# cat localhost.log
14:44:41 Fri 3 Nov 2000 -- Starting NeMaC: NeTraMet Manager &
Controller v4.3
14:44:41 Fri 3 Nov 2000 -- loaded 7 rules from
/usr/local/netramet/rules/rules.rules to meter localhost
14:50:25 Fri 3 Nov 2000 -- localhost: No response
14:55:25 Fri 3 Nov 2000 -- localhost: No response
bash-2.04# cat akella.log
##NeTraMet v4.3: -c300 -r /usr/local/netramet/rules/rules.rules
localhost de1 10000 flows starting at 14:44:42 Fri 3 Nov 2000
#Format: flowruleset flowindex firsttime lasttime sourcepeeraddress
destpeeraddress sourcetranstype sourcetransaddress desttransaddress
topdus frompdus tooctets fromoctets
#Time: 14:44:42 Fri 3 Nov 2000 localhost Flows from 0 to 1678
#Ruleset: 11 1 /usr/local/netramet/rules/rules.rules NeMaC
#Stats: aps=499 apb=0 mps=976 mpb=0 lsp=0 avi=99.0 mni=97.3 fiu=3 frc=0
gci=10 rpp=2.0 tpp=1.0 cpt=1.0 tts=8191 tsu=1
11 3 1653 1675 0.0.0.0 212.158.176.192 0 0 0 10 0 716 0
#EndData: localhost
#Time: 14:45:00 Fri 3 Nov 2000 localhost Flows from 1677 to 3491
#Stats: aps=576 apb=0 mps=875 mpb=0 lsp=0 avi=99.1 mni=98.3 fiu=4 frc=0
gci=10 rpp=4.9 tpp=0.0 cpt=1.0 tts=8191 tsu=2
11 3 1653 3485 0.0.0.0 212.158.176.192 0 0 0 633 0 49563 0
11 4 2816 3210 0.0.0.0 212.158.176.192 17 0 0 3 0 206 0
#EndData: localhost
Thank you in advance.
--
----------------------------------------------------------------
Sergey Artjushkin ISP
Tel: +7 095 203-10-72 "CARAVAN"
From netramet-owner Sat Nov 4 04:18:56 2000
Message-ID: <
[email protected]>
Date: Fri, 03 Nov 2000 09:10:49 -0600
From: David Burgess <
[email protected]>
Organization: The MITRE Corporation
X-Mailer: Mozilla 4.75 [en]C-20000818M (Win95; U)
X-Accept-Language: en
MIME-Version: 1.0
To: "Sergey V. Artjushkin" <
[email protected]>
CC:
[email protected]
Subject: Re: NeTraMet not responds on snmp requests
References: <
[email protected]>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender:
[email protected]
Precedence: bulk
"Sergey V. Artjushkin" wrote:
>
> Hello colleagues
>
> I have just installed Netramet 4.3 on FreeBSD 4.1.
> I want to collect traffic statistics from this machine.
> I run Netramet and NeMac like this:
>
> NeTraMet -i de1 -m 165 -w ipmeterw -r ipmeterr
> NeMaC -D -m 165 -c 300 -r rules.rules localhost ipmeterw
>
> Everything is ok, but after 5 minutes NeTraMet is not responding
> to snmp requests, but the daemon is running.
>
> Can somebody explain what happened and where I'm wrong?
>
I'll take a stab at it:
> The following is the NeTraMet logs.
> Network Meter v4.3
> Running on plug-gw, interface de1
Your meter appears to be running on interface de1 here.
>
> 14:44:41 ri[11]: '1', 7 rules
> 14:44:41 ri[11]: '1', rhss = 1
> 14:44:41 Manager 10, Current set 11
> 14:44:42 '1' flows read by NeMaC
> Statistics Zeroed
> 14:45:00 '1' flows read by NeMaC
> Statistics Zeroed
>
> The following is NeMac logs:
> bash-2.04# cat localhost.log
> 14:44:41 Fri 3 Nov 2000 -- Starting NeMaC: NeTraMet Manager &
> Controller v4.3
> 14:44:41 Fri 3 Nov 2000 -- loaded 7 rules from
> /usr/local/netramet/rules/rules.rules to meter localhost
> 14:50:25 Fri 3 Nov 2000 -- localhost: No response
> 14:55:25 Fri 3 Nov 2000 -- localhost: No response
Localhost is unlikely to see any traffic, since it's normally
connected to the loopback interface. It's going to lo0 for
the information.
>
> bash-2.04# cat akella.log
> ##NeTraMet v4.3: -c300 -r /usr/local/netramet/rules/rules.rules
> localhost de1 10000 flows starting at 14:44:42 Fri 3 Nov 2000
> #Format: flowruleset flowindex firsttime lasttime sourcepeeraddress
> destpeeraddress sourcetranstype sourcetransaddress desttransaddress
> topdus frompdus tooctets fromoctets
> #Time: 14:44:42 Fri 3 Nov 2000 localhost Flows from 0 to 1678
> #Ruleset: 11 1 /usr/local/netramet/rules/rules.rules NeMaC
> #Stats: aps=499 apb=0 mps=976 mpb=0 lsp=0 avi=99.0 mni=97.3 fiu=3 frc=0
> gci=10 rpp=2.0 tpp=1.0 cpt=1.0 tts=8191 tsu=1
> 11 3 1653 1675 0.0.0.0 212.158.176.192 0 0 0 10 0 716 0
> #EndData: localhost
> #Time: 14:45:00 Fri 3 Nov 2000 localhost Flows from 1677 to 3491
> #Stats: aps=576 apb=0 mps=875 mpb=0 lsp=0 avi=99.1 mni=98.3 fiu=4 frc=0
> gci=10 rpp=4.9 tpp=0.0 cpt=1.0 tts=8191 tsu=2
> 11 3 1653 3485 0.0.0.0 212.158.176.192 0 0 0 633 0 49563 0
> 11 4 2816 3210 0.0.0.0 212.158.176.192 17 0 0 3 0 206 0
> #EndData: localhost
>
The meter is running, judging by the #Time stamp and the stats entry.
I'm guessing, but I'd say it's probably the lo0 vs. de1 interface
thing....
From netramet-owner Sat Nov 4 04:44:44 2000
Message-ID: <
[email protected]>
Date: Fri, 03 Nov 2000 09:37:53 -0600
From: David Burgess <
[email protected]>
Organization: The MITRE Corporation
X-Mailer: Mozilla 4.75 [en]C-20000818M (Win95; U)
X-Accept-Language: en
MIME-Version: 1.0
To:
[email protected]
Subject: Running in Flood mode.
References: <
[email protected]>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender:
[email protected]
Precedence: bulk
I am using NeTraMet to track the bandwidth utilization of a group
of computers on my local net. I'm using an SRL ruleset that looks a
lot like the 'nifty' ruleset (identifies each stream by a 'group'
letter) to break the traffic down into smaller components.
Once I got it started last month, it ran OK for a week or so, then the
meter got stuck in 'flood' mode. Is there any way to clear that
other than restarting the NeTraMet program? I found one reference to
it out in the mailing list archive, but it didn't seem to apply to
what I was seeing. A short treatise on flood mode would be greatly
appreciated.
I've written a program that takes the flow data output from the NeMaC
program and summarizes the traffic by address block. One of the things
I noticed was that when I try to use a STATISTICS argument, the rest
of the flow information is suppressed. I've bitten the bullet on
that, so it's not a big deal. The reason I was trying to use it was
to reset the stream counters every report.
##NeTraMet v4.4: -c600 -r /usr/local/etc/netramet/neonramp.rules
radius1.neonramp.com de0 10000 flows starting at 00:30:02 Wed 1 Nov
2000
#Format: flowkind sourcepeertype sourcepeeraddress destpeeraddress
tooctets fromoctets
#Time: 00:30:02 Wed 1 Nov 2000 radius1.neonramp.com Flows from 12413146
to 12473211
#Ruleset: 3 3 /usr/local/etc/netramet/neonramp.rules NeMaC
0 1 0.0.0.0 0.0.0.0 22766974071 0
72 1 204.248.21.18 204.248.22.252 158450682 392
68 1 64.124.41.154 204.248.21.114 1663526 225141
67 1 204.248.21.98 10.1.1.1 1207890 0
67 1 144.228.153.5 204.248.21.98 570920 0
67 1 204.248.21.98 204.248.22.252 957045 2807758
79 1 204.248.21.30 204.248.20.6 815360 0
79 1 204.248.21.29 204.248.20.6 816144 0
79 1 204.248.22.129 204.248.21.30 123410 0
68 1 64.124.41.207 204.248.21.114 170514 133004
69 1 204.248.22.156 255.255.255.255 115425 0
77 1 208.248.21.30 204.248.21.15 342760 0
77 1 204.248.21.9 208.248.21.30 280440 0
71 1 204.248.21.90 204.248.22.252 162566 347071
77 1 208.248.21.31 204.248.21.15 343478 0
77 1 204.248.21.9 208.248.21.31 281160 0
Here is the first 24 lines from my utilization summary. Flowkind 0
is the total traffic on the network since the current ruleset
started (this is from the start of the month).
I'd like to find a mechanism that resets the counters every time the
streams are queried. The reason is fairly mundane: see below. I've
been using SNMP long enough to understand why the streams are
maintained the way they are; I'm just wondering if there is a mechanism
that clears the streams and will still allow the flowkind indication
and summarization below.
The analyzer itself doesn't have access to the meter; only the data
file. The program I use to analyze this data makes the basic assumption
that any stream whose data consumption has reduced has been reset. If
that happens, the 'old' numbers are added to a counter, indexed by
flowkind, and a new stream is assumed. This fails in a couple of ways:
1) There are times when the data is discarded because a stream starts
up and completes within 10 minutes, followed by a larger stream that
starts up during a subsequent period. The first stream is discarded,
even though the traffic should be counted.
2) There are times when the traffic from one host to another is
self-similar. A short flow will occur which is size 'X'. An hour
later, the same basic flow will occur with exactly the same size.
Only one of these is counted (since the size didn't change).
If anyone has a good suggestion, I'd love to hear it.
Dave B.
BTW: Is anyone interested in another mirror site?
From netramet-owner Tue Nov 7 16:06:24 2000
From: Nevil Brownlee <
[email protected]>
To: David Burgess <
[email protected]>
Cc:
[email protected]
Subject: Re: NetraMet development question
In-Reply-To: <
[email protected]>
Message-ID: <
[email protected]>
Date: Tue, 7 Nov 2000 16:00:02 +1300 (New Zealand Daylight Time)
Priority: NORMAL
X-Mailer: Simeon for Win32 Version 4.1.4 Build (40)
X-Authentication: IMSP
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender:
[email protected]
Precedence: bulk
Hello David:
On Fri, 27 Oct 2000 10:17:58 -0500 David Burgess <
[email protected]>
wrote:
> I've recently started using NeTraMet again (I took a year or so off)
> and found a small operational problem. I tried to use the -F option
> on NeMaC to append flow data to the existing flow data file. The new
> file overwrote the old file, which wasn't exactly what I was hoping
> for.
>
> I looked at the code and understand that the '##' record at the
> beginning is problematic, but I'm a little unclear on why. I've
> looked through the archive and didn't see anything that succinctly
> explained why.
>
> To avoid deleting my live data by accident in the future, I made a
> small change to the code which 'versions' the -F file name instead
> of just opening for write.... Is there some value to sending this
> as a patch, or is there a really good reason to leave the filenaming
> convention (and attendant file destruction) the way it currently works?
As NeMaC and fd_filter stand right now, appending to an existing flow
data file would not cause problems, because fd_filter doesn't use any
of the information in the ## record. However, if you have processing
programs which work on flow data files, you need to make sure they can
handle a ## record (with an accompanying change in the collection
interval, for example).
We (here at Auckland) took the view that one can - and should - handle
versioning outside NeMaC, say in Perl scripts and cron jobs. Doing it
that way means you can use whatever file naming convention works best
in your environment.
The NeMaC default (i.e. not using the -F option) is to do the
versioning for you, producing files with names like meter.fdf.003.
When introducing patches to the NeTraMet source code, one needs to be
careful not to change the way things work, at least as far as the user
is concerned. In this case, my guess would be that provided the user
set the -F (specify flow data file name) and -p (append-write-close)
options, it would be OK to simply append to an existing file.
Anyone else care to comment on this?
Cheers, Nevil
+---------------------------------------------------------------------+
| Nevil Brownlee Director, Technology Development |
| Phone: +64 9 373 7599 x8941 ITSS, The University of Auckland |
| FAX: +64 9 373 7021 Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------P
From netramet-owner Tue Nov 7 16:09:12 2000
From: Nevil Brownlee <
[email protected]>
To: David Burgess <
[email protected]>
Cc:
[email protected], "John A. Lauro" <
[email protected]>
Subject: Re: Post SRL processing
In-Reply-To: <
[email protected]>
Message-ID: <
[email protected]>
Date: Tue, 7 Nov 2000 16:07:45 +1300 (New Zealand Daylight Time)
Priority: NORMAL
X-Mailer: Simeon for Win32 Version 4.1.4 Build (40)
X-Authentication: IMSP
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender:
[email protected]
Precedence: bulk
Hello all:
> "John A. Lauro" wrote:
> > However, is there a way to collect data and then process a SRL file
> > against it later? Netramet seems good for collecting stats,
> > assuming you know all the reports you need in advance, but
> > unfortunately that isn't always the case... I am probably missing
> > something simple here, but is there a way to feed an argus log file
> > (or other, maybe native format that has a fairly compact detail
> > records) to NeTraMet suite of programs, and then process the SRL file
> > sometime other than live?
The 44b8 (current beta) version of the NeTraMet distribution can use
CAIDA's CoralReef environment to access packet headers. Amongst other
things, this means it can read a tcpdump trace file. Of course that's
not a particularly compact form of detail records!
Making a version of NeTraMet which could read Argus logs wouldn't be
difficult (it would be a lot like reading NetFlow data), maybe someone
has some time to implement it?
and David Burgess wrote:
> I'd kind of like to see a repository for reports and collectors.
>
> If there is interest, I have access to resources that could make a
> repository of SRLs, reports, etc. available world-wide.
This sounds like a really good idea. Does anyone have material they'd
like to contribute to such a repository? If so, how about sending it
to David so he can get started? I'll comment that this isn't all that
easy to do, since everyone's network is a little different, as are
their reporting needs. Still, that just means that whatever material
you contribute needs to have enough supporting information to make it
clear exactly what the SRL program, report generating script, etc.
actually does!
Cheers, Nevil
+---------------------------------------------------------------------+
| Nevil Brownlee Director, Technology Development |
| Phone: +64 9 373 7599 x8941 ITSS, The University of Auckland |
| FAX: +64 9 373 7021 Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------P
From netramet-owner Tue Nov 7 16:34:31 2000
From: Nevil Brownlee <
[email protected]>
To: David Burgess <
[email protected]>
Cc:
[email protected]
Subject: Re: Running in Flood mode.
In-Reply-To: <
[email protected]>
Message-ID: <
[email protected]>
Date: Tue, 7 Nov 2000 16:33:17 +1300 (New Zealand Daylight Time)
Priority: NORMAL
X-Mailer: Simeon for Win32 Version 4.1.4 Build (40)
X-Authentication: IMSP
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender:
[email protected]
Precedence: bulk
Hello David:
> Once I got it started last month, it ran OK for a week or so, then the
> meter got stuck in 'flood' mode. Is there any way to clear that
> other than restarting the NeTraMet program? I found one reference to
> it out in the mailing list archive, but it didn't seem to apply to
> what I was seeing. A short treatise on flood mode would be greatly
> appreciated.
'Flood Mode' means that the meter got overwhelmed (not enough memory to
create new flows), so it stopped doing that, set the 'flood mode'
variable, and carried on counting for the flows it had at that point.
The memory use level at which the meter switches to flood mode
('floodmark' in the MIB) is 95% by default. You can set it with
NeMaC's -o option, -o 99 would set it to 99%.
The point about flood mode is that it's a 'keep the meter going when
all else fails' mode of operation. Which is why you have to manually
do something about it, like restarting the meter, maybe with a larger
maximum number of flows allowed (-f command-line option).
Another way of dealing with this is to use a 'standby' ruleset.
The idea is that you have a 'normal' ruleset (specified by NeMaC's -r
option) and a 'standby' ruleset (-e option). When memory usage reaches
a 'highwater' mark (no default, specified for a meter task by the -h
option), the meter switches from 'normal' to 'standby' rules. The idea
is that the standby ruleset should collect less detail ('larger
granularity') flows than the normal one, so switching to standby slows
the rate at which memory is consumed.
For example,
./NeMaC -c300 -rnormal.rules -estandby.rules -h65 meter writecom owner
will run normal.rules until memory is 65% full, then switch to
standby.rules. NeMaC watches the memory usage, and the current ruleset
- when memory usage drops again it will switch the meter back onto the
normal ruleset.
> I've written a program that takes the flow data output from the NeMaC
> program and summarizes the traffic by address block. One of the things
> I noticed was that when I try to use a STATISTICS argument, the rest
> of the flow information is suppressed. I've bitten the bullet on
> that, so it's not a big deal. The reason I was trying to use it was
> to reset the stream counters every report.
I'm puzzled by your comment about STATISTICS - it's not supposed to
make any difference to the reading of flow data! The statistics
information was intended to provide overall meter performance data.
It's implemented in a separate part of the meter, and retrieved via a
proprietary MIB (not the RFC 2720 MIB).
> I'd like to find a mechanism that resets the counters every time the
> streams are queried. The reason is fairly mundane: see below. I've
> been using SNMP long enough to understand why the streams are
> maintained the way they are; I'm just wondering if there is a mechanism
> that clears the streams and will still allow the flowkind indication
> and summarization below.
The approach I use is to collect a flow data file using fairly short
reading intervals (5 minutes works well for me). I run it through
fd_filter, which computes differences in the flows between successive
readings, then I run a variety of Perl scripts which summarise the .dif
files in various ways. Maybe you could do something along these lines?
> BTW: Is anyone interested in another mirror site?
Yes please! Set it up to mirror the distribution site at
ftp://ftp.auckland.ac.nz/pub/iawg/NeTraMet, let me know when it's
working and I'll add it to the 'distribution sites' list, thanks.
Cheers, Nevil
+---------------------------------------------------------------------+
| Nevil Brownlee Director, Technology Development |
| Phone: +64 9 373 7599 x8941 ITSS, The University of Auckland |
| FAX: +64 9 373 7021 Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------P
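The differencing of successive readings described in the message above, combined with the earlier point in this thread that processing programs must cope with a repeated ## record, as an added example (not fd_filter, NeMaC or any list member's code). It assumes the #Format line includes flowindex and firsttime as in the akella.log excerpt, that a reused flow index shows a new firsttime, and that the meter kept running across the appended ## record.

```python
import re

COUNTERS = ("topdus", "frompdus", "tooctets", "fromoctets")
ZERO = dict.fromkeys(COUNTERS, 0)
RULES = "/usr/local/netramet/rules/rules.rules"
FMT = ("#Format: flowruleset flowindex firsttime lasttime sourcepeeraddress "
       "destpeeraddress sourcetranstype sourcetransaddress desttransaddress "
       "topdus frompdus tooctets fromoctets\n")

# Readings 1 and 2 are the akella.log lines quoted in this thread, with the
# e-mail line wraps joined. The second '##' record (an appended file with a
# new collection interval) and reading 3 are constructed: flow index 4 is
# reused by a new flow whose counters equal the old flow's counters.
SAMPLE = (
    f"##NeTraMet v4.3: -c300 -r {RULES} localhost de1 10000 flows "
    "starting at 14:44:42 Fri 3 Nov 2000\n" + FMT +
    "#Time: 14:44:42 Fri 3 Nov 2000 localhost Flows from 0 to 1678\n"
    f"#Ruleset: 11 1 {RULES} NeMaC\n"
    "#Stats: aps=499 apb=0 mps=976 mpb=0 lsp=0 avi=99.0 mni=97.3 fiu=3 frc=0 "
    "gci=10 rpp=2.0 tpp=1.0 cpt=1.0 tts=8191 tsu=1\n"
    "11 3 1653 1675 0.0.0.0 212.158.176.192 0 0 0 10 0 716 0\n"
    "#EndData: localhost\n"
    "#Time: 14:45:00 Fri 3 Nov 2000 localhost Flows from 1677 to 3491\n"
    "11 3 1653 3485 0.0.0.0 212.158.176.192 0 0 0 633 0 49563 0\n"
    "11 4 2816 3210 0.0.0.0 212.158.176.192 17 0 0 3 0 206 0\n"
    "#EndData: localhost\n"
    f"##NeTraMet v4.3: -c600 -r {RULES} localhost de1 10000 flows "
    "starting at 14:55:00 Fri 3 Nov 2000\n" + FMT +
    "#Time: 14:55:00 Fri 3 Nov 2000 localhost Flows from 3490 to 63491\n"
    "11 3 1653 60000 0.0.0.0 212.158.176.192 0 0 0 700 0 55000 0\n"
    "11 4 61000 62000 0.0.0.0 212.158.176.192 17 0 0 3 0 206 0\n"
    "#EndData: localhost\n"
)


def parse_readings(text):
    """Yield (time_label, interval_seconds, rows) for each #Time..#EndData block."""
    fields, interval, label, rows = None, None, None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("##"):
            # Header record; may reappear mid-file when a file is appended to.
            m = re.search(r"\s-c\s*(\d+)", line)
            interval = int(m.group(1)) if m else None
        elif line.startswith("#Format:"):
            fields = line.split()[1:]
        elif line.startswith("#Time:"):
            label, rows = line[len("#Time:"):].strip(), []
        elif line.startswith("#EndData:"):
            if rows is not None:
                yield label, interval, rows
            rows = None
        elif line.startswith("#"):
            continue  # #Ruleset, #Stats and any other comment record
        elif rows is not None and fields:
            values = line.split()
            if len(values) != len(fields):
                raise ValueError(f"row does not match #Format: {line!r}")
            rows.append(dict(zip(fields, values)))


def difference(text):
    """Per reading, return counter deltas keyed by (ruleset, index, firsttime)."""
    last = {}  # (ruleset, index) -> (firsttime, counters at previous reading)
    out = []
    for label, interval, rows in parse_readings(text):
        deltas = {}
        for row in rows:
            slot = (int(row["flowruleset"]), int(row["flowindex"]))
            first = int(row["firsttime"])
            now = {c: int(row[c]) for c in COUNTERS}
            seen_first, prev = last.get(slot, (None, ZERO))
            if seen_first != first:
                prev = ZERO  # first sighting or reused index: a new flow
            delta = {c: now[c] - prev[c] for c in COUNTERS}
            if any(v < 0 for v in delta.values()):
                raise ValueError(f"counters went backwards for flow {slot}")
            deltas[slot + (first,)] = delta
            last[slot] = (first, now)
        out.append({"time": label, "interval": interval, "deltas": deltas})
    return out


def octets_per_reading(text):
    """Total octets (both directions) transferred during each reading interval."""
    return [sum(d["tooctets"] + d["fromoctets"] for d in r["deltas"].values())
            for r in difference(text)]


if __name__ == "__main__":
    for reading, total in zip(difference(SAMPLE), octets_per_reading(SAMPLE)):
        print(reading["time"], f"interval={reading['interval']}s", f"octets={total}")
```

Because flows are keyed on firsttime rather than on a drop in counter values, the reused index 4 in the third reading is counted as a new 206-octet flow even though its size is identical to the earlier one.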
From netramet-owner Wed Nov 8 00:45:58 2000
To:
[email protected]
Subject: Re: NetraMet development question
In-reply-to: Your message of "Tue, 07 Nov 2000 16:00:02 +1300."
<
[email protected]>
From: "Tony Stoneley" <
[email protected]>
Date: Tue, 07 Nov 2000 11:43:41 +0000
Message-Id: <
[email protected]>
Sender:
[email protected]
Precedence: bulk
>The NeMaC default (i.e. not using the -F option) is to do the
>versioning for you, producing files with names like meter.fdf.003.
> ...
>Anyone else care to comment on this?
Not as such, but it sparks a tangential train of thought, which also
ties in with another recent posting.
I difference the counters with fd_filter across sampling intervals of
10 minutes. fd_filter of course has the trailer file mechanism to
allow continuity across flow file boundaries, but some care is needed
in the surrounding scripting to make sure that the correct trailer
file is (automatically) identified and that there is no mix-up between
the various flow files that may or may not be hanging around and may
or may not be contiguous in the face of abnormal circumstances such as
(multiple) power glitches or system crashes. It's bad enough trying to
make sure each flow file is correctly dealt with alone, but doubling
the dimensionality more than doubles the problem. The complexity and
delicacy could be reduced if the trailer file were not needed, and
that could be achieved by an option in NeMac to include a one-interval
overlap in the flow files whenever they are switched.
Or am I missing a trick?
[Confession: I actually cop out of all this at the moment, forgetting
about trailer files and just accepting the loss of one set of
differences every few hours. For my present purposes that's good
enough, but it won't do for what is now being mooted.]
--
Tony Stoneley Email:
[email protected]
Computing Service Phone: +44 1223 334710
Cambridge University
From netramet-owner Wed Nov 8 06:41:33 2000
From: "Burgess,David B." <[email protected]>
To: <[email protected]>
Cc: <[email protected]>, "John A. Lauro" <[email protected]>
Subject: RE: Post SRL processing
Date: Tue, 7 Nov 2000 11:33:58 -0600
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-reply-to: <[email protected]>
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
Importance: Normal
Sender: [email protected]
Precedence: bulk
Documentation for SRLs will, of course, be critical. A README for the SRLs
(a very simple one) would be a Good Thing!
Dave B.
P.S. The repository is going to be stored at 'netramet.neonramp.com'. If
it's OK, I'll also put the current version of the software on the server,
if that's OK.
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Monday, November 06, 2000 9:08 PM
To: David Burgess
Cc: [email protected]; John A. Lauro
Subject: Re: Post SRL processing
Hello all:
> "John A. Lauro" wrote:
> > However, is there a way to collect data and then process a SRL file
> > against it later? Netramet seems good for collecting stats,
> > assuming you know all the reports you need in advance, but
> > unfortunately that isn't always the case... I am probably missing
> > something simple here, but is there a way to feed an argus log file
> > (or other, maybe native format that has a fairly compact detail
> > records) to NeTraMet suite of programs, and then process the SRL file
> > sometime other than live?
The 44b8 (current beta) version of the NeTraMet distribution can use
CAIDA's CoralReef environment to access packet headers. Amongst other
things, this means it can read a tcpdump trace file. Of course that's
not a particularly compact form of detail records!
Making a version of NeTraMet which could read Argus logs wouldn't be
difficult (it would be a lot like reading NetFlow data), maybe someone
has some time to implement it?
and David Burgess wrote:
> I'd kind of like to see a repository for reports and collectors.
>
> If there is interest, I have access to resources that could make a
> repository of SRLs, reports, etc. available world-wide.
This sounds like a really good idea. Does anyone have material they'd
like to contribute to such a repository? If so, how about sending it
to David so he can get started? I'll comment that this isn't all that
easy to do, since everyone's network is a little different, as are
their reporting needs. Still, that just means that whatever material
you contribute needs to have enough supporting information to make it
clear exactly what the SRL program, report generating script, etc.
actually does!
Cheers, Nevil
+---------------------------------------------------------------------+
| Nevil Brownlee Director, Technology Development |
| Phone: +64 9 373 7599 x8941 ITSS, The University of Auckland |
| FAX: +64 9 373 7021 Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------P
From netramet-owner Wed Nov 8 06:51:35 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id GAA03103
for netramet-outgoing; Wed, 8 Nov 2000 06:50:16 +1300 (NZDT)
Received: from smtpproxy1.mitre.org (mb-20-100.mitre.org [129.83.20.100])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id GAA03097;
Wed, 8 Nov 2000 06:50:12 +1300 (NZDT)
Received: from avsrv1.mitre.org (avsrv1.mitre.org [129.83.20.58])
by smtpproxy1.mitre.org (8.9.3/8.9.3) with ESMTP id MAA04157;
Tue, 7 Nov 2000 12:49:41 -0500 (EST)
Received: from mailsrv1.mitre.org (mailsrv1.mitre.org [129.83.20.6])
by smtpsrv1.mitre.org (8.9.3/8.9.3) with ESMTP id MAA20660;
Tue, 7 Nov 2000 12:49:40 -0500 (EST)
Received: from burgess.omaha.mitre.org ([129.83.21.15]) by
mailsrv1.mitre.org (Netscape Messaging Server 4.15) with SMTP id
G3O1IP00.IGT; Tue, 7 Nov 2000 12:49:37 -0500
From: "Burgess,David B." <[email protected]>
To: <[email protected]>
Cc: <[email protected]>
Subject: RE: Running in Flood mode.
Date: Tue, 7 Nov 2000 11:44:43 -0600
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-reply-to: <[email protected]>
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
Importance: Normal
Sender: [email protected]
Precedence: bulk
>Hello David:
>
>> Once I got it started last month, it ran OK for a week or so, then the
>> meter got stuck in 'flood' mode. Is there any way to clear that
>> other than restarting the NeTraMet progam? I found one reference to
>> it out in the mailing list archive, but it didn't seem to apply to
>> what I was seeing. A short treatise on flood mode would be greatly
>> appreciated.
>
>'Flood Mode' means that the meter got overwhelmed (not enough memory to
>create new flows), so it stopped doing that, set the 'flood mode'
>variable, and carried on counting for the flows it had at that point.
>The memory use level at which the meter switches to flood mode
>('floodmark' in the MIB) is 95% by default. You can set it with
>NeMaC's -o option, -o 99 would set it to 99%.
>
>The point about flood mode is that it's a 'keep the meter going when
>all else fails' mode of operation. Which is why you have to manually
>do something about it, like restarting the meter, maybe with a larger
>maximum number of flows allowed (-f command-line option).
>
>Another way of dealing with this is to use a 'standby' ruleset.
>The idea is that you have a 'normal' ruleset (specified by NeMaC's -r
>option) and a 'standby' ruleset (-e option). When memory usage reaches
>a 'highwater' mark (no default, specified for a meter task by the -h
>option), the meter switches from 'normal' to 'standby' rules. The idea
>is that the standby ruleset should collect less detail ('larger
>granularity') flows than the normal one, so switching to standby slows
>the rate at which memory is consumed.
>
>For example,
> ./NeMaC -c300 -rnormal.rules -estandby.rules -h65 meter writecom owner
>will run normal.rules until memory is 65% full, then switch to
>standby.rules. NeMaC watches the memory usage, and the current ruleset
>- when memory usage drops again it will switch the meter back onto the
>normal ruleset.
>
>> I've written a program that takes the flow data output from the NeMaC
>> program and summarizes the traffic by address block. One of the things
>> I noticed was that when I try to use a STATISTICS argument, the rest
>> of the flow information is suppressed. I've bitten the bullet on
>> that, so it's not a big deal. The reason I was trying to use it was
>> to reset the stream counters every report.
>
>I'm puzzled by your comment about STATISTICS - it's not supposed to
>make any difference to the reading of flow data! The statistics
>information was intended to provide overall meter performance data.
>It's implemented in a separate part of the meter, and retrieved via a
>proprietary MIB (not the RFC 2720 MIB).
>
It's not the reading (I don't think) that was puzzling for me. If I
use a STATISTICS command in the ruleset, the output that I included
in my example (last week) is suppressed.
>> I'd like to find a mechanism that resets the counters every time the
>> streams are queried. The reason is fairly mundane: see below. I've
>> been using SNMP long enough to understand why the streams are
>> maintained the way they are; I'm just wondering if there is a mechanism
>> that clears the streams and will still allow the flowkind indication
>> and summarization below.
>
>The approach I use is to collect a flow data file using fairly short
>reading intervals (5 minutes works well for me). I run it through
>fd_filter, which computes differences in the flows between successive
>readings, then I run a variety of Perl scripts which summarise the .dif
>files in various ways. Maybe you could do something along these lines?
I'm using a NeMaC ruleset to summarize the flowdata into 'host groups'
for data volume checking. I have about 20 different groups of hosts
and I'm trying to verify that they are not using more bandwidth than they
agreed they wouldn't exceed.
From there, I build a file that I can then scan with a PERL analyzer
which adds up the flow volumes. I can get the ruleset for you; perhaps
there's an easier (perhaps much easier) way to do what I'm trying to
do.
>
>> BTW: Is anyone interested in another mirror site?
>
>Yes please! Set it up to mirror the distribution site at
>ftp://ftp.auckland.ac.nz/pub/iawg/NeTraMet, let me know when it's
>working and I'll add it to the 'distribution sites' list, thanks.
>
It will be netramet.neonramp.com and should be available by
the end of the week.
From netramet-owner Fri Nov 10 00:53:02 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id AAA25432
for netramet-outgoing; Fri, 10 Nov 2000 00:49:04 +1300 (NZDT)
Received: from www.caravan.ru (www.caravan.ru [212.24.52.9])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id AAA25422
for <[email protected]>; Fri, 10 Nov 2000 00:49:02 +1300 (NZDT)
Received: from mag.caravan.ru ([217.23.130.98] helo=caravan.ru)
by www.caravan.ru with esmtp (Exim 3.14 #1)
id 13tqCD-000H4s-00
for [email protected]; Thu, 09 Nov 2000 14:48:45 +0300
Message-ID: <[email protected]>
Date: Thu, 09 Nov 2000 14:52:50 +0300
From: "Sergey V. Artjushkin" <[email protected]>
X-Mailer: Mozilla 4.76 [ru] (X11; U; FreeBSD 4.1.1-RELEASE i386)
X-Accept-Language: ru, en
MIME-Version: 1.0
To: [email protected]
Subject: Time??
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Precedence: bulk
Hello colleagues.
Thank you all for your answers to my previous letters.
I fixed the problem.
But I have one more question about time and Netramet.
What is in Firsttime and Lasttime?
It's not like a Unix timestamp from the year 1970, and also
it's not like the uptime of my router.
Maybe this is the uptime of Netramet? But then, in what is it measured?
It does not look like seconds.
Thank you in advance.
--
----------------------------------------------------------------
Sergey Artjushkin ISP
Tel: +7 095 203-10-72 "CARAVAN"
From netramet-owner Wed Nov 15 05:15:42 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id FAA02074
for netramet-outgoing; Wed, 15 Nov 2000 05:11:58 +1300 (NZDT)
Received: from www.caravan.ru (www.caravan.ru [212.24.52.9])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id FAA02069
for <[email protected]>; Wed, 15 Nov 2000 05:11:55 +1300 (NZDT)
Received: from mag.caravan.ru ([217.23.130.98] helo=caravan.ru)
by www.caravan.ru with esmtp (Exim 3.14 #1)
id 13vig0-0007R1-00
for [email protected]; Tue, 14 Nov 2000 19:11:16 +0300
Message-ID: <[email protected]>
Date: Tue, 14 Nov 2000 19:15:50 +0300
From: "Sergey V. Artjushkin" <[email protected]>
X-Mailer: Mozilla 4.76 [ru] (X11; U; FreeBSD 4.1.1-RELEASE i386)
X-Accept-Language: ru, en
MIME-Version: 1.0
To: [email protected]
Subject: rules?
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Precedence: bulk
Hello colleagues.
I have a question about writing rules for Netramet.

                 | de0
        ---------------------
               FreeBSD
        ---------------------
           |             |
      10.0.0.0/24   10.0.1.0/24

I run the Netramet meter on the de0 interface.
I want to collect in and out IP traffic from the 10.0.0.0/24 and
10.0.1.0/24 networks through de0.
I wrote rules like this:
----------------
#Time: 19:17:05 Wed 8 Nov 2000
sourcepeertype & 255.0 = 0.0: ignore, 0;
sourcepeertype & 255.0 = 1.0: pushto, g2;
null & 0 = 0: gotoact, n4;
g2:
destpeeraddress & 255.255.255 = 10.0.0.0: pushtoact, a1;
destpeeraddress & 255.255.255 = 10.0.1.0: pushtoact, a1;
sourcepeeraddress & 255.255.255 = 10.0.0.0: pushtoact, a1;
sourcepeeraddress & 255.255.255 = 10.0.1.0: pushtoact, a1;
null & 0 = 0: ignore, 0;
a1:
null & 0 = 0: count, 0;
set 1;
format
firsttime " "
" " sourcepeeraddress sourcepeermask destpeeraddress destpeermask
" " tooctets fromoctets;
statistics;
-------------
But the Netramet manager is collecting only in traffic for my networks:
#Time: 18:55:00 Tue 14 Nov 2000 217.23.130.62 Flows from 51964320 to
51994342
#Stats: aps=93 apb=0 mps=230 mpb=0 lsp=0 avi=99.8 mni=97.5 fiu=4 frc=0
gci=10 rpp=6.6 tpp=0.2 cpt=1.0 tts=8191 tsu=2
974217300,51908338 ,'0.0.0.0' ,'0.0.0.0' ,'10.0.0.0' ,'255.255.255.0'
,1293190 ,1665221
974217300,51908395 ,'0.0.0.0' ,'0.0.0.0' ,'10.0.1.0' ,'255.255.255.0'
,2033562 ,1195703
#EndData: 217.23.130.62
#Time: 19:00:00 Tue 14 Nov 2000 217.23.130.62 Flows from 51994341 to
52024372
#Stats: aps=92 apb=0 mps=269 mpb=0 lsp=0 avi=99.8 mni=0.0 fiu=4 frc=0
gci=10 rpp=6.5 tpp=0.2 cpt=1.0 tts=8191 tsu=2
974217601,51908338 ,'0.0.0.0' ,'0.0.0.0' ,'10.0.0.0' ,'255.255.255.0'
,1694574 ,2346058
974217601,51908395 ,'0.0.0.0' ,'0.0.0.0' ,'10.0.1.0' ,'255.255.255.0'
,2772064 ,1309117
#EndData: 217.23.130.62
Where am I wrong? Are my rules incorrect?
Thank you in advance.
--
----------------------------------------------------------------
Sergey Artjushkin ISP
Tel: +7 095 203-10-72 "CARAVAN"
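Added example (not part of the thread, and not fd_filter's own code): the flow records in the message above carry cumulative octet counters, so per-interval volumes come from differencing successive readings, which is the step Tony Stoneley's and Nevil Brownlee's messages earlier in the thread describe. This Python sketch does the differencing, carries a trailer reading across a file boundary, and discards a reading cut off before #EndData. Assumptions: the field order follows the format statement above, firsttime stays fixed for the life of a flow, the third reading is constructed, and the function names are hypothetical.

```python
# First two readings are copied from the message above (wrapped lines rejoined);
# the third is constructed to show what a meter restart looks like.
SAMPLE = """\
#Time: 18:55:00 Tue 14 Nov 2000 217.23.130.62 Flows from 51964320 to 51994342
974217300,51908338 ,'0.0.0.0' ,'0.0.0.0' ,'10.0.0.0' ,'255.255.255.0' ,1293190 ,1665221
974217300,51908395 ,'0.0.0.0' ,'0.0.0.0' ,'10.0.1.0' ,'255.255.255.0' ,2033562 ,1195703
#EndData: 217.23.130.62
#Time: 19:00:00 Tue 14 Nov 2000 217.23.130.62 Flows from 51994341 to 52024372
974217601,51908338 ,'0.0.0.0' ,'0.0.0.0' ,'10.0.0.0' ,'255.255.255.0' ,1694574 ,2346058
974217601,51908395 ,'0.0.0.0' ,'0.0.0.0' ,'10.0.1.0' ,'255.255.255.0' ,2772064 ,1309117
#EndData: 217.23.130.62
#Time: 19:05:00 Tue 14 Nov 2000 217.23.130.62 Flows from 100 to 30100
974217900,150 ,'0.0.0.0' ,'0.0.0.0' ,'10.0.0.0' ,'255.255.255.0' ,5000 ,7000
#EndData: 217.23.130.62
"""


def parse_readings(text):
    """Return one {flow_key: (tooctets, fromoctets)} dict per complete reading."""
    readings, current = [], None
    for line in text.splitlines():
        if line.startswith("#Time:"):
            current = {}              # an unterminated earlier reading is dropped
        elif line.startswith("#EndData:"):
            if current is not None:
                readings.append(current)
            current = None
        elif current is not None and line and not line.startswith("#"):
            f = [p.strip().strip("'") for p in line.split(",")]
            if len(f) != 8:
                continue              # damaged record, e.g. a write cut short
            # f[0] is the reading time; firsttime (f[1]) plus the address and
            # mask fields identify the flow (assumption: firsttime is constant).
            current[tuple(f[1:6])] = (int(f[6]), int(f[7]))
    return readings


def difference(readings, trailer=None):
    """Difference successive readings; `trailer` is the previous file's last one.

    Returns (list of per-interval delta dicts, trailer for the next file).
    """
    prev, out = trailer, []
    for cur in readings:
        if prev is not None:
            deltas = {}
            for key, (to_o, from_o) in cur.items():
                base = prev.get(key, (0, 0))   # unseen key: flow began this interval
                if to_o >= base[0] and from_o >= base[1]:
                    deltas[key] = (to_o - base[0], from_o - base[1])
                # a counter that went backwards has no valid baseline: skipped
            out.append(deltas)
        prev = cur
    return out, prev
```

Running difference() on a new file without passing the previous file's trailer loses exactly one interval of differences, which is the trade-off described earlier in the thread.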
From netramet-owner Thu Nov 16 14:58:40 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id OAA19144
for netramet-outgoing; Thu, 16 Nov 2000 14:52:12 +1300 (NZDT)
Received: from n.browlee5.itss.auckland.ac.nz (n.brownlee5.itss.auckland.ac.nz [130.216.4.79])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with SMTP id OAA18937;
Thu, 16 Nov 2000 14:51:26 +1300 (NZDT)
From: Nevil Brownlee <[email protected]>
To: [email protected]
Cc: [email protected]
Subject: Re: Beginner/Installation Question
In-Reply-To: <[email protected]>
Message-ID: <[email protected]>
Date: Thu, 16 Nov 2000 14:51:32 +1300 (New Zealand Daylight Time)
Priority: NORMAL
X-Mailer: Simeon for Win32 Version 4.1.4 Build (40)
X-Authentication: IMSP
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: [email protected]
Precedence: bulk
Hello Ciaran:
> I'm a Computer Science student who recently
> downloaded NeTraMet for use within a college project
> and after the initial "make" (before "make install")
> I receive the following error...
>
> make[1]: warning: Clock skew detected. Your build may be incomplete.
>
> Can anyone tell me what this means and will this
> affect the installation of NeTraMet and if so
> is there a solution?
make is telling you that some of the files in the NeTraMet distribution
have creation timestamps ahead of the current clock time on your Unix
system. Check the clock time (date command), and set it to the
correct time of day (sudo date ...)
Cheers, Nevil
+---------------------------------------------------------------------+
| Nevil Brownlee Director, Technology Development |
| Phone: +64 9 373 7599 x8941 ITSS, The University of Auckland |
| FAX: +64 9 373 7021 Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------P
From netramet-owner Wed Nov 29 16:38:02 2000
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id QAA27149
for netramet-outgoing; Wed, 29 Nov 2000 16:31:59 +1300 (NZDT)
Received: from lt.itss.auckland.ac.nz (bluebottle.itss.auckland.ac.nz [130.216.4.28])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id QAA27138
for <netramet@auckland>; Wed, 29 Nov 2000 16:31:57 +1300 (NZDT)
From: Nevil Brownlee <[email protected]>
Date: Wed, 29 Nov 2000 16:35:50 +0000
To: [email protected]
Subject: Packet loss ???
Message-ID: <[email protected]>
Priority: NORMAL
X-Mailer: Execmail for Linux 5.1 Build (9)
MIME-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Sender: [email protected]
Precedence: bulk
--- Begin Forwarded Message ---
Sender: [email protected]
Message-ID: <[email protected]>
Date: Wed, 29 Nov 2000 13:01:19 +1300
From: Dylan Hall <[email protected]>
Organization: Telstra Saturn
X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.17 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: [email protected]
Subject: Packet loss
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
I've just noticed that our meters are losing packets. This prompts two
questions.
1. How does NeTraMet know that it is losing packets?
2. What is the likely cause of the packet loss and how can I fix it?
The meter is a PII-350 running FreeBSD 2.2.8. NeTraMet is version 4.3.
The following are some of the #Stats lines I'm getting:
#Stats: aps=4052 apb=0 mps=5729 mpb=0 lsp=172251 avi=91.2 mni=55.7
fiu=103989 frc=36354 gci=2 rpp=3.8 tpp=1.4 cpt=1.4 tts=131071 tsu=70549
#Stats: aps=4376 apb=0 mps=8539 mpb=0 lsp=257100 avi=90.6 mni=55.7
fiu=105885 frc=41993 gci=2 rpp=3.8 tpp=1.4 cpt=1.4 tts=131071 tsu=71031
#Stats: aps=4231 apb=0 mps=6863 mpb=0 lsp=216419 avi=90.7 mni=55.5
fiu=106077 frc=42300 gci=2 rpp=3.8 tpp=1.4 cpt=1.5 tts=131071 tsu=70927
#Stats: aps=4237 apb=0 mps=8391 mpb=0 lsp=190279 avi=90.7 mni=52.8
fiu=105703 frc=40838 gci=2 rpp=3.8 tpp=1.4 cpt=1.5 tts=131071 tsu=70863
#Stats: aps=4289 apb=0 mps=8320 mpb=0 lsp=239064 avi=90.4 mni=47.0
fiu=106731 frc=42856 gci=2 rpp=3.8 tpp=1.4 cpt=1.4 tts=131071 tsu=71294
I have the max flows set to 200000 (-f 200000).
The average CPU usage for the NeTraMet process is about 6% (from top).
The process is niced -15 so should have higher priority than other tasks
on the box.
Any suggestions or comments welcome.
Thanks,
Dylan Hall
Network Engineer
TelstraSaturn Ltd.
--- End Forwarded Message ---