From netramet-owner  Mon Apr  2 19:56:16 2001
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id TAA12541
       for netramet-outgoing; Mon, 2 Apr 2001 19:50:48 +1200 (NZST)
Received: from genesis.com-con.net (genesis.com-con.com [212.6.164.7])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id TAA12534
       for <[email protected]>; Mon, 2 Apr 2001 19:50:45 +1200 (NZST)
Received: by genesis.com-con.com with Internet Mail Service (5.5.2653.19)
       id <HSHVDDPX>; Mon, 2 Apr 2001 09:50:08 +0200
Message-ID: <[email protected]>
From: Ralf Knapp <[email protected]>
To: "'[email protected]'" <[email protected]>
Subject: the count command let the flows grow!!!
Date: Mon, 2 Apr 2001 09:50:06 +0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain;
       charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: [email protected]
Precedence: bulk

Hi

I want to log all traffic from and to a spam-port of a switch...but my problem is that the ruleset adds the traffic.....

In the log-files there are multiple flows with the same "firsttime" and "source-" and "destinationpeeraddress" and the "tooctets" and "fromoctets" grows.
These files should then be pushed into a database for logging and billing the traffic. The problem is, there are the same flows with not the "real" flow...with the added flows.....
The last flow is the correct flow which I only want in the logfiles.


the ruleset....
####################
#Source file: valeri.srl
#Compiled by: SRL compiler, version 4.3
#Time:        01:55:16 Tue 26 Sep 2000
 sourcepeertype & 255.0 = 1.0: pushtoact, a1;
 null & 0 = 0: gotoact, n1;
n1:
g1:
 null & 0 = 0: nomatch, 0;
a1:
 sourcepeeraddress & 255.255.255.255 = 0.0: pushpkttoact, next;
 destpeeraddress & 255.255.255.255 = 0.0: pushpkttoact, next;
 sourcetranstype & 255.0 = 0.0: pushpktto, next;
 sourcetranstype & 255.0 = 1.0: pushtoact, g2;
 null & 0 = 0: gotoact, n2;
n2:
 desttransaddress & 255.255 = 0.0: pushpkttoact, next;
 sourcetransaddress & 255.255 = 0.0: pushpkttoact, next;
g2:
 null & 0 = 0: count, 0;
set 7;
format
 flowruleset flowindex firsttime lasttime sourcepeertype sourcetranstype
 sourcepeeraddress destpeeraddress sourcetransaddress desttransaddress
 tooctets fromoctets;

##################
Commands:

# NeTraMet -f 20000 -r account.domaene.net -w test

#NeMaC -c3 -r /usr/ntm/rules.ip.valeri -e /usr/netm/rules.ip.valeri -b /usr/ntm/NeTraMet43/mib/mib.txt -F /usr/ntm/flowAccount -L /usr/ntm/logAccount account.domaene.net test


#######
How can I fix the problem...that I only have the real (all) traffic every 5 minutes and that I push only the real traffic in the database ??



regards


Ralf

com:con AG
..and your net works...
Ralf Knapp - Praktikant
Regentenstrasse 5
D-41061 Mönchengladbach
fon +49 2161 / 9 39 93 - 0
fax +49 2161 / 9 39 93 - 99
mailto:[email protected] - http://www.com-con.net
free-call 0800 - 266 266 0 * support 0700 - 266 266 02



From netramet-owner  Wed Apr  4 22:38:48 2001
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id WAA11099
       for netramet-outgoing; Wed, 4 Apr 2001 22:33:12 +1200 (NZST)
Received: from genesis.com-con.net (genesis.com-con.com [212.6.164.7])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id WAA11090
       for <[email protected]>; Wed, 4 Apr 2001 22:33:10 +1200 (NZST)
Received: by genesis.com-con.com with Internet Mail Service (5.5.2653.19)
       id <2GRXSLKS>; Wed, 4 Apr 2001 12:32:33 +0200
Message-ID: <[email protected]>
From: Ralf Knapp <[email protected]>
To: "'[email protected]'" <[email protected]>
Subject: reset the NeTraMet database...
Date: Wed, 4 Apr 2001 12:32:32 +0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain;
       charset="iso-8859-1"
Sender: [email protected]
Precedence: bulk

How can I reset the database?
NeTraMet logs the flow and after a number of flows or time it writes the flows in a file.
After this writing the database should be erased, set to zero....
I need this option because I want to push the flow-files into another database and therefore the tooctets or fromoctets may not be incremented.
Or is there an option to recognize if a flow is the last one and write only the last with the real traffic of the flow into the database?

Background:
I need to log all traffic of the network by IP address (Dest-, Source), ports, and their bytes (from, to). (by NeTraMet)
Then I send the files and a timestamp into a new database.
With this info it must be possible to make every 5 minutes an SQL statement on my new database getting the "real flow" from a given IP address (or range) from a given duration (start time - end time)

IP accounting of the real traffic in 5 min and storing the data for the future......
Is this possible with NeTraMet .... or is there another solution for this problem?
How do you account the IP traffic???
Thanks in advance!



From netramet-owner  Fri Apr  6 16:38:40 2001
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id QAA13562
       for netramet-outgoing; Fri, 6 Apr 2001 16:34:06 +1200 (NZST)
Received: from n.browlee5.itss.auckland.ac.nz (n.brownlee5.itss.auckland.ac.nz [130.216.4.79])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with SMTP id QAA13502;
       Fri, 6 Apr 2001 16:33:46 +1200 (NZST)
From: Nevil Brownlee <[email protected]>
To: Ralf Knapp <[email protected]>
Cc: "'[email protected]'" <[email protected]>
Subject: Re: reset the NeTraMet database...
In-Reply-To: <[email protected]>
Message-ID: <[email protected]>
Date: Fri, 6 Apr 2001 16:34:05 +1200 (New Zealand Standard Time)
Priority: NORMAL
X-Mailer: Simeon for Win32 Version 4.1.4 Build (40)
X-Authentication: IMSP
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: [email protected]
Precedence: bulk


Hello Ralf:

> How can I reset the database?
..
> IP accounting of the real traffic in 5 min and storing the data for the future......
> Is this possible with NeTraMet .... or is there another solution for this problem?
> How do you account the IP traffic???

The NeTraMet meter implements the RTFM Meter MIB (RFC 2720), i.e. it's
an SNMP agent.  That means its counters are never reset, they just
keep incrementing.  And since they're unsigned (64-bit) counters they
can wrap around too.

For production accounting work, you need to write a ruleset which builds
the flows with whatever attributes you're interested in, starting with
 FlowRuleSet FlowIndex FirstTime SourcePeerType

NeMaC will collect the flow data at whatever interval you specify,
e.g. -c900 collects flow data every 15 minutes.  Then you can use
fd_filter to compute difference in the packet and byte counts, producing
a 'differences' file giving the number of packets and bytes seen for
each sample interval.  After that, you need a perl script to read the
difference file and add up the total number of bytes for each flow.

All this may seem complicated, but it allows for detailed
usage-over-time reporting, and it avoids the difficulties which would
arise if meters could be reset (especially in situations where several
readers get flow data from the same meter).

Cheers, Nevil

+---------------------------------------------------------------------+
| Nevil Brownlee                     Director, Technology Development |
| Phone: +64 9 373 7599 x8941        ITSS, The University of Auckland |
|   FAX: +64 9 373 7021      Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------P


From netramet-owner  Sat Apr  7 00:04:40 2001
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id AAA15726
       for netramet-outgoing; Sat, 7 Apr 2001 00:01:58 +1200 (NZST)
Received: from genesis.com-con.net (genesis.com-con.com [212.6.164.7])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id AAA15717
       for <[email protected]>; Sat, 7 Apr 2001 00:01:56 +1200 (NZST)
Received: by genesis.com-con.com with Internet Mail Service (5.5.2653.19)
       id <22YJ235P>; Fri, 6 Apr 2001 14:01:50 +0200
Message-ID: <[email protected]>
From: Ralf Knapp <[email protected]>
To: "'[email protected]'" <[email protected]>
Subject: NeTraMets -f option
Date: Fri, 6 Apr 2001 14:01:40 +0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain;
       charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: [email protected]
Precedence: bulk

Hello

This option sets a max count of different flows.
(am I right if this is equal to rows in a database??)

If I want to log all traffic identified by

       | time | Source IP | Destination IP | allBytes

and in the network there is a webserver it seems that I have a problem.
Because every user of the WWW visiting this webserver is equal to a flow which I
want to log....how could or should this -f nnn option be???
       it is impossible to do that with NeTraMet, isn't it??

I don't only want to account the traffic from each host in the network I want to log the
traffic on a database. Because some guys don't believe the accounting and want to see their whole traffic...

Have you got the same problem?
Have you got a hint for a solution??
If not, have you got software which could handle this???
Would you sell it????

Thanks to everyone

Ralf

com:con AG
..and your net works...
Ralf Knapp - Praktikant
Regentenstrasse 5
D-41061 Mönchengladbach
fon +49 2161 / 9 39 93 - 0
fax +49 2161 / 9 39 93 - 99
mailto:[email protected] - http://www.com-con.net
free-call 0800 - 266 266 0 * support 0700 - 266 266 02



From netramet-owner  Mon Apr  9 13:36:52 2001
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id NAA21677
       for netramet-outgoing; Mon, 9 Apr 2001 13:25:55 +1200 (NZST)
Received: from n.browlee5.itss.auckland.ac.nz (n.brownlee5.itss.auckland.ac.nz [130.216.4.79])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with SMTP id NAA21670
       for <netramet@auckland>; Mon, 9 Apr 2001 13:25:54 +1200 (NZST)
From: Nevil Brownlee <[email protected]>
To: [email protected]
Subject: NetraMet and RRDtool !
Message-ID: <[email protected]>
Date: Mon, 9 Apr 2001 13:26:00 +1200 (New Zealand Standard Time)
Priority: NORMAL
X-Mailer: Simeon for Win32 Version 4.1.4 Build (40)
X-Authentication: IMSP
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: [email protected]
Precedence: bulk

--- Begin Forwarded Message ---
Date: Sat, 7 Apr 2001 21:11:02 +1200 (NZST)
From: [email protected]
Subject: BOUNCE [email protected]: Non-member submission from
["serge khalil" <[email protected]>]
Sender: [email protected]
To: [email protected]

Reply-To: [email protected]
Message-ID: <[email protected]>


From netramet-owner  Sat Apr  7 21:11:01 2001
Received: from hotmail.com (f255.pav1.hotmail.com [64.4.30.130])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id VAA19781
       for <[email protected]>; Sat, 7 Apr 2001 21:11:01 +1200 (NZST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
        Sat, 7 Apr 2001 02:10:29 -0700
Received: from 213.166.21.132 by pv1fd.pav1.hotmail.msn.com with HTTP;  Sat, 07 Apr 2001 09:10:29 GMT
X-Originating-IP: [213.166.21.132]
From: "serge khalil" <[email protected]>
To: [email protected], [email protected]
Subject: NetraMet and RRDtool !
Date: Sat, 07 Apr 2001 09:10:29 -0000
Mime-Version: 1.0
Content-Type: text/html
Message-ID: <[email protected]>
X-OriginalArrivalTime: 07 Apr 2001 09:10:29.0620 (UTC) FILETIME=[9775CB40:01C0BF42]

hi
i'm trying to integrate NetraMet and RRDtool together so i can have a more graphical idea about results got by NetraMet, and i was looking for persons who have tried such fusion
if it did work and if they can provide me some of their studies on this project so i can implement it and develop it with more features.

thanks

s. serge
USJ
--- End Forwarded Message ---


+---------------------------------------------------------------------+
| Nevil Brownlee                     Director, Technology Development |
| Phone: +64 9 373 7599 x8941        ITSS, The University of Auckland |
|   FAX: +64 9 373 7021      Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------P


From netramet-owner  Fri Apr 20 00:29:29 2001
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id AAA27756
       for netramet-outgoing; Fri, 20 Apr 2001 00:23:39 +1200 (NZST)
Received: from Exchange2000.com-con.ag (exchange2000.com-con.net [212.6.164.8])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id AAA27751
       for <[email protected]>; Fri, 20 Apr 2001 00:23:36 +1200 (NZST)
Subject: SourcePeerType 11??
Date: Thu, 19 Apr 2001 14:22:59 +0100
MIME-Version: 1.0
Content-Type: text/plain;
       charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-ID: <[email protected]>
Content-Class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft Exchange V6.0.4417.0
Thread-Topic: SourcePeerType 11??
Thread-Index: AcDI09lsHOjScDSTEdWepwABAiHO8Q==
From: "Knapp, Ralf" <[email protected]>
To: <[email protected]>
Sender: [email protected]
Precedence: bulk


Hello netramet user


SourcePeerAddress 6 means other protocol..
What does Source PeerAddress 11 mean???

I've captured a packet with
SourcePeerType 11
SourceTransType 0
SourcePeerAddress 0.0.0.0
DestPeerAddress    0.0.0.0
Any solution???

Cheers Ralf



From netramet-owner  Fri Apr 20 01:11:49 2001
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id BAA02455
       for netramet-outgoing; Fri, 20 Apr 2001 01:10:27 +1200 (NZST)
Received: from mgw1.ul.ie (mgw1.ul.ie [136.201.1.117])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id BAA02420
       for <[email protected]>; Fri, 20 Apr 2001 01:10:17 +1200 (NZST)
Received: from gabriel.ul.ie ([136.201.1.101]) by ul.ie (PMDF V5.2-32 #41948)
with ESMTP id <[email protected]> for [email protected]; Thu,
19 Apr 2001 14:04:48 +0100 (BST)
Received: from student.ul.ie (prawn.ece.ul.ie [136.201.5.229])
by gabriel.ul.ie with SMTP
(Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
       id 2XKM1VQ5; Thu, 19 Apr 2001 14:14:57 +0100
Date: Thu, 19 Apr 2001 14:10:12 +0100
From: John Mc Auley <[email protected]>
Subject: Rules files
To: [email protected]
Message-id: <[email protected]>
MIME-version: 1.0
X-Mailer: Mozilla 4.72 [en] (X11; I; SunOS 5.7 sun4u)
Content-type: multipart/alternative;
boundary="------------A8F66207E2C1977914869BCC"
X-Accept-Language: en
Sender: [email protected]
Precedence: bulk



Hi,
I am currently working with NetraMet, and am trying to monitor which
hosts on a Network are occupying the most IP bandwidth, i was using the
purposed Rules.lan file to find the busiest terminals occupying the
Network, but am not getting the desired results,  as i wish to be able
to specify the busiest terminals, specifying their IP addresses,  could
somebody point me in the right direction,
pint of guinness in the offing
Thanks
John



From netramet-owner  Fri Apr 20 02:24:25 2001
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id CAA10405
       for netramet-outgoing; Fri, 20 Apr 2001 02:22:24 +1200 (NZST)
Received: from mgw1.ul.ie (mgw1.ul.ie [136.201.1.117])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id CAA10400
       for <[email protected]>; Fri, 20 Apr 2001 02:22:22 +1200 (NZST)
Received: from gabriel.ul.ie ([136.201.1.101]) by ul.ie (PMDF V5.2-32 #41948)
with ESMTP id <[email protected]> for [email protected]; Thu,
19 Apr 2001 15:16:54 +0100 (BST)
Received: by gabriel.ul.ie with Internet Mail Service (5.5.2653.19)
       id <2XKM1WTC>; Thu, 19 Apr 2001 15:27:03 +0100
Content-return: allowed
Date: Thu, 19 Apr 2001 15:27:01 +0100
From: JOHN MCAULEY <[email protected]>
Subject: NetraMet
To: "'[email protected]'" <[email protected]>
Message-id: <[email protected]>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-type: text/plain;       charset="iso-8859-1"
Sender: [email protected]
Precedence: bulk

Hello fellow NetraMet users,
       I am in need of some help, i am trying to monitor IP traffic flows
on a Network, and specifying what terminals on the Network are using the
most bandwidth.  Hence measuring IP and retrieving the src and destination
of the packets, i was using Rules.lan, written by Nevil but that doesn't
specify what actual terminals are creating the traffic on the Network being
monitored, i am completely unfamiliar with SRL, and hence have run into
difficulty, can somebody offer some assistance
a pint of guinness is in the offing
Cheers
John

From netramet-owner  Fri Apr 20 02:49:49 2001
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id CAA13410
       for netramet-outgoing; Fri, 20 Apr 2001 02:48:18 +1200 (NZST)
Received: from eccmc3.cmc.ec.gc.ca (eccmc3.cmc.ec.gc.ca [142.135.5.60])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id CAA13396
       for <[email protected]>; Fri, 20 Apr 2001 02:48:16 +1200 (NZST)
Received: by eccmc3.cmc.ec.gc.ca with Internet Mail Service (5.5.2653.19)
       id <H8FT9L9C>; Thu, 19 Apr 2001 10:47:38 -0400
Message-ID: <[email protected]>
From: "Sullivan,Deric [CMC]" <[email protected]>
To: "'Knapp, Ralf'" <[email protected]>, [email protected]
Cc: "Sullivan,Deric [CMC]" <[email protected]>
Subject: RE: SourcePeerType 11??
Date: Thu, 19 Apr 2001 10:47:38 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain;
       charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: [email protected]
Precedence: bulk

Hi Ralf,

If you are referring to PeerType (I think SourcePeerType is always equal to
DestPeerType) with a value of 11 then that is IPX traffic.

This might help (it's taken from RFC 2720 -
ftp://ftp.isi.edu/in-notes/rfc2720.txt):
-------------------------------------------
PeerType ::= TEXTUAL-CONVENTION
   STATUS  current
   DESCRIPTION
       "Indicates the type of a PeerAddress (see below).  The values
       used are from the 'Address Family Numbers' section of the
       Assigned Numbers RFC [ASG-NBR].  Peer types from other address
       families may also be used, provided only that they are
       identified by their assigned Address Family numbers."
   SYNTAX  INTEGER {
       ipv4(1),
       ipv6(2),
       nsap(3),
       ipx(11),
       appletalk(12),
       decnet(13) }
---------------------------------------------

Deric

-----Original Message-----
From: Knapp, Ralf [mailto:[email protected]]
Sent: Thursday, April 19, 2001 9:23 AM
To: [email protected]
Subject: SourcePeerType 11??



Hello netramet user


SourcePeerAddress 6 means other protocol..
What does Source PeerAddress 11 mean???

I've captured a packet with
SourcePeerType 11
SourceTransType 0
SourcePeerAddress 0.0.0.0
DestPeerAddress    0.0.0.0
Any solution???

Cheers Ralf


From netramet-owner  Fri Apr 20 09:46:39 2001
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id JAA02332
       for netramet-outgoing; Fri, 20 Apr 2001 09:43:57 +1200 (NZST)
Received: from eccmc3.cmc.ec.gc.ca (eccmc3.cmc.ec.gc.ca [142.135.5.60])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id JAA02322
       for <[email protected]>; Fri, 20 Apr 2001 09:43:55 +1200 (NZST)
Received: by eccmc3.cmc.ec.gc.ca with Internet Mail Service (5.5.2653.19)
       id <J2MS246L>; Thu, 19 Apr 2001 17:13:51 -0400
Message-ID: <[email protected]>
From: "Sullivan,Deric [CMC]" <[email protected]>
To: "'JOHN MCAULEY'" <[email protected]>,
       "'[email protected]'"
        <[email protected]>
Cc: "Sullivan,Deric [CMC]" <[email protected]>
Subject: RE: NetraMet
Date: Thu, 19 Apr 2001 14:34:38 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain;
       charset="iso-8859-1"
Sender: [email protected]
Precedence: bulk

Hi John,

       I've used the following SRL file to perform "ip accounting" on a
LAN.  I'm running NeTraMet version 4.4b9.  I really like Guinness.

---------------------------------------------------
#
# 2001/04/19 Deric - An SRL rule set file to perform IP accounting
# This will capture unidirectional traffic flows between IP pairs.
# (Unidirectional means that a "conversation" between two machines
# will be seen as two separate flows.)
# Layers within IP (e.g. TCP and UDP) will not be split into
# different flows.
# Non IP traffic will be combined in one flow entry.
#

if SourcePeerType == IP {
 save SourcePeerType;
 save SourcePeerAddress/32;
 save DestPeerAddress/32;
}
else {
 save SourcePeerType;
}
count;

# use a named set command with version 4.4
SET ipaccounting;
#SET 10;
FORMAT
 SourcePeerType
 SourcePeerAddress DestPeerAddress
 ToPDUs FromPDUs "  " ToOctets FromOctets
 ;
---------------------------------------------------

Deric

-----Original Message-----
From: JOHN MCAULEY [mailto:[email protected]]
Sent: Thursday, April 19, 2001 10:27 AM
To: '[email protected]'
Subject: NetraMet


Hello fellow NetraMet users,
       I am in need of some help, i am trying to monitor IP traffic flows
on a Network, and specifying what terminals on the Network are using the
most bandwidth.  Hence measuring IP and retrieving the src and destination
of the packets, i was using Rules.lan, written by Nevil but that doesn't
specify what actual terminals are creating the traffic on the Network being
monitored, i am completely unfamiliar with SRL, and hence have run into
difficulty, can somebody offer some assistance
a pint of guinness is in the offing
Cheers
John

From netramet-owner  Sat Apr 21 06:32:49 2001
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id GAA29539
       for netramet-outgoing; Sat, 21 Apr 2001 06:28:23 +1200 (NZST)
Received: from ns2.neonramp.com (ns2.neonramp.com [204.248.20.3])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id GAA29534
       for <[email protected]>; Sat, 21 Apr 2001 06:28:21 +1200 (NZST)
Received: from mitre.org (natasha.mitre.org [204.248.21.53] (may be forged))
       by ns2.neonramp.com (8.11.2+3.4W/8.11.2) with ESMTP id f3KIRgm24055;
       Fri, 20 Apr 2001 13:27:43 -0500 (CDT)
Message-ID: <[email protected]>
Date: Fri, 20 Apr 2001 13:20:45 -0500
From: David Burgess <[email protected]>
Organization: The MITRE Corporation
X-Mailer: Mozilla 4.75 [en]C-20000818M  (Win95; U)
X-Accept-Language: en
MIME-Version: 1.0
To: JOHN MCAULEY <[email protected]>
CC: "'[email protected]'" <[email protected]>
Subject: Re: NetraMet
References: <[email protected]>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Precedence: bulk

Here is the SRL we use:

- - - - - Cut Here - - - - -
#
#       Neonramp.srl
#
#       A ruleset that watches specific addresses on the LAN.
#

define Neonramp =
       204.248.20.0/22,
       208.16.146.0/23;
define Knudson =
       204.248.21.4/30;
define Midlands =
       204.248.21.8/29;
define Phssc =
       204.248.21.16/30;
define OrganRetrieval =
       204.248.21.28/30;
define Mythos =
       204.248.21.32/30;
define NatureConservancy =
       204.248.21.36/30;
define SportsMedicine =
       204.248.21.64/28;
define Bridges =
       204.248.21.80/29;
define Goldenspikes =
       204.248.21.88/29;
define CondoLink =
       204.248.21.96/30;
define Woodmen =
       204.248.21.104/29;
define Darland =
       204.248.21.112/30;
define CPURent =
       204.248.21.116/30;
define SES =
       204.248.22.156/32,
       204.248.22.161/32,
       204.248.22.163/32;
define Priority_Tech =
       208.16.32.32/27;

if SourcePeerType == IPv4
   save;
else
   ignore;

if SourcePeerAddress == (Neonramp) && DestPeerAddress == (Neonramp) {
   store FlowKind := 0;
}

if SourcePeerAddress == (Knudson) || DestPeerAddress == (Knudson) {
   save SourcePeerAddress;
   save DestPeerAddress;
   store FlowKind := 'K';
}
if SourcePeerAddress == (Midlands) || DestPeerAddress == (Midlands) {
   save SourcePeerAddress;
   save DestPeerAddress;
   store FlowKind := 'M';
}
if SourcePeerAddress == (Phssc) || DestPeerAddress == (Phssc) {
   save SourcePeerAddress;
   save DestPeerAddress;
   store FlowKind := 'H';
}
if SourcePeerAddress == (OrganRetrieval) || DestPeerAddress == (OrganRetrieval) {
   save SourcePeerAddress;
   save DestPeerAddress;
   store FlowKind := 'O';
}
if SourcePeerAddress == (Mythos) || DestPeerAddress == (Mythos) {
   save SourcePeerAddress;
   save DestPeerAddress;
   store FlowKind := 'Y';
}
if SourcePeerAddress == (NatureConservancy) || DestPeerAddress == (NatureConservancy) {
   save SourcePeerAddress;
   save DestPeerAddress;
   store FlowKind := 'N';
}
if SourcePeerAddress == (SES) || DestPeerAddress == (SES) {
   save SourcePeerAddress;
   save DestPeerAddress;
   store FlowKind := 'E';
}
if SourcePeerAddress == (Priority_Tech) || DestPeerAddress == (Priority_Tech) {
   save SourcePeerAddress;
   save DestPeerAddress;
   store FlowKind := 'P';
}
if SourcePeerAddress == (SportsMedicine) || DestPeerAddress == (SportsMedicine) {
   save SourcePeerAddress;
   save DestPeerAddress;
   store FlowKind := 'S';
}
if SourcePeerAddress == (Bridges) || DestPeerAddress == (Bridges) {
   save SourcePeerAddress;
   save DestPeerAddress;
   store FlowKind := 'B';
}
if SourcePeerAddress == (Goldenspikes) || DestPeerAddress == (Goldenspikes) {
   save SourcePeerAddress;
   save DestPeerAddress;
   store FlowKind := 'G';
}
if SourcePeerAddress == (CondoLink) || DestPeerAddress == (CondoLink) {
   save SourcePeerAddress;
   save DestPeerAddress;
   store FlowKind := 'C';
}
if SourcePeerAddress == (Woodmen) || DestPeerAddress == (Woodmen) {
   save SourcePeerAddress;
   save DestPeerAddress;
   store FlowKind := 'W';
}
if SourcePeerAddress == (Darland) || DestPeerAddress == (Darland) {
   save SourcePeerAddress;
   save DestPeerAddress;
   store FlowKind := 'D';
}
if SourcePeerAddress == (CPURent) || DestPeerAddress == (CPURent) {
   save SourcePeerAddress;
   save DestPeerAddress;
   store FlowKind := 'U';
}
if SourcePeerAddress == (Priority_Tech) || DestPeerAddress == (Priority_Tech) {
   save SourcePeerAddress;
   save DestPeerAddress;
   store FlowKind := 'P';
}

count;

set 3;
format
   FlowKind "  "
   SourcePeerType SourcePeerAddress DestPeerAddress "  "
   ToOctets FromOctets;

STATISTICS;

- - - - - Cut Here - - - - -

This captures the traffic going both ways and gives us a good start for
monitoring service levels.

Dave

JOHN MCAULEY wrote:
>
> Hello fellow NetraMet users,
>         I am in need of some help, i am trying to monitor IP traffic flows
> on a Network, and specifying what terminals on the Network are using the
> most bandwidth.  Hence measuring IP and retrieving the src and destination
> of the packets, i was using Rules.lan, written by Nevil but that doesn't
> specify what actual terminals are creating the traffic on the Network being
> monitored, i am completely unfamiliar with SRL, and hence have run into
> difficulty, can somebody offer some assistance
> a pint of guinness is in the offing
> Cheers
> John

From netramet-owner  Mon Apr 23 10:42:03 2001
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id KAA20734
       for netramet-outgoing; Mon, 23 Apr 2001 10:34:25 +1200 (NZST)
Received: from salvia.ts.co.nz ([email protected] [202.49.92.3])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id KAA20716
       for <[email protected]>; Mon, 23 Apr 2001 10:34:23 +1200 (NZST)
Received: from localhost (neil@localhost)
       by salvia.ts.co.nz (8.8.8/8.8.6) with SMTP id KAA27047
       for <[email protected]>; Mon, 23 Apr 2001 10:28:47 +1200
X-Authentication-Warning: salvia.ts.co.nz: neil owned process doing -bs
Date: Mon, 23 Apr 2001 10:28:46 +1200 (NZST)
From: Neil Fenemor <[email protected]>
To: [email protected]
Subject: Summing
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk

Hello,

My flow files are summing the ToOctets/FromOctets fields, ie:

10 1163 383439 1 192.168.0.1 203.2.218.27  1975488 81369248
10 1163 383439 1 192.168.0.1 203.2.218.27  1978296 81485984
10 1163 383439 1 192.168.0.1 203.2.218.27  1980636 81591100
10 1163 383439 1 192.168.0.1 203.2.218.27  1983444 81700000


I can't work out how to get either:  one entry that indicates
the total sum of traffic across the flow (like the fourth line
above), or individual lines per transmit/receive that can be
summed to get the same results as the fourth line.

Any ideas?

Cheers

Neil

------------------------------------------------------------------
      Neil Fenemor           |         System Administrator
      PO Box 3261            |         Tasman Solutions Ltd.
      Richmond, 7031         |           Ph  +64 3 5439092
      New Zealand            |           Fax +64 3 5439091
------------------------------------------------------------------
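
The differencing step described in Nevil Brownlee's reply of 6 April (counters are never reset, so usage per collection interval is the difference between consecutive readings), applied to the four sample lines in the "Summing" message above. This is an added example, not code from the thread and not fd_filter itself; the column layout and all function names are assumptions.

```python
"""Turn cumulative RTFM flow counters into per-interval byte counts.

Added illustration only: not fd_filter and not code posted to the list.
"""
from collections import namedtuple

# The reply in this thread describes the meter's counters as unsigned 64-bit
# values that are never reset and can wrap around.
COUNTER_MODULUS = 2 ** 64

# The four flow-file lines quoted in the "Summing" message, one per collection.
# Assumed column order: FlowRuleSet FlowIndex FirstTime SourcePeerType
# SourcePeerAddress DestPeerAddress ToOctets FromOctets.
SAMPLE_LINES = [
    "10 1163 383439 1 192.168.0.1 203.2.218.27  1975488 81369248",
    "10 1163 383439 1 192.168.0.1 203.2.218.27  1978296 81485984",
    "10 1163 383439 1 192.168.0.1 203.2.218.27  1980636 81591100",
    "10 1163 383439 1 192.168.0.1 203.2.218.27  1983444 81700000",
]

Reading = namedtuple("Reading", "key src dst to_octets from_octets")
Delta = namedtuple("Delta", "key src dst to_octets from_octets")


def parse_line(line):
    """Parse one flow-file data line in the assumed eight-column layout."""
    fields = line.split()
    if len(fields) != 8:
        raise ValueError("expected 8 fields, got %d: %r" % (len(fields), line))
    ruleset, index, first_time = (int(f) for f in fields[:3])
    # FirstTime is part of the key: a FlowIndex reused for a later flow must
    # not be differenced against the counters of the flow it replaced.
    return Reading((ruleset, index, first_time), fields[4], fields[5],
                   int(fields[6]), int(fields[7]))


def counter_delta(previous, current, modulus=COUNTER_MODULUS):
    """Bytes added between two readings, correct across one counter wrap."""
    return (current - previous) % modulus


def interval_deltas(lines, new_flows_start_at_zero=False):
    """Yield one Delta per flow per collection interval.

    By default the first reading of a flow is only a baseline, which is the
    safe choice when the reader may have started after the flow did. Set
    new_flows_start_at_zero=True when every flow was created after the
    previous collection, so its first reading is itself interval usage.
    """
    last_seen = {}
    deltas = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comment lines
        reading = parse_line(line)
        previous = last_seen.get(reading.key)
        if previous is None and new_flows_start_at_zero:
            previous = (0, 0)
        if previous is not None:
            deltas.append(Delta(
                reading.key, reading.src, reading.dst,
                counter_delta(previous[0], reading.to_octets),
                counter_delta(previous[1], reading.from_octets)))
        last_seen[reading.key] = (reading.to_octets, reading.from_octets)
    return deltas


def totals_per_flow(deltas):
    """Sum the interval deltas for each flow key."""
    totals = {}
    for d in deltas:
        to_sum, from_sum = totals.get(d.key, (0, 0))
        totals[d.key] = (to_sum + d.to_octets, from_sum + d.from_octets)
    return totals


if __name__ == "__main__":
    for d in interval_deltas(SAMPLE_LINES):
        print(d.src, d.dst, d.to_octets, d.from_octets)
    print(totals_per_flow(interval_deltas(SAMPLE_LINES)))
```

Rows produced this way can be inserted into a billing database and summed over any time range without double counting, because each row holds only the bytes seen in its own interval.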



From netramet-owner  Mon Apr 23 22:54:43 2001
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id WAA27389
       for netramet-outgoing; Mon, 23 Apr 2001 22:51:24 +1200 (NZST)
Received: from Exchange2000.com-con.ag (exchange2000.com-con.net [212.6.164.8])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id WAA27383
       for <[email protected]>; Mon, 23 Apr 2001 22:51:22 +1200 (NZST)
Content-Class: urn:content-classes:message
Subject: Netramet options
MIME-Version: 1.0
Content-Type: text/plain;
       charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 23 Apr 2001 12:50:45 +0100
Message-ID: <[email protected]>
X-MimeOLE: Produced By Microsoft Exchange V6.0.4417.0
Thread-Topic: Netramet options
Thread-Index: AcDL66GPBtQ0T3uKS3+8JPeVQg/TOg==
From: "Knapp, Ralf" <[email protected]>
To: <[email protected]>
Sender: [email protected]
Precedence: bulk


Could someone explain these options, found in an old running FreeBsd -
NetraMet4.3 command.

command/option       explanation

NeTraMet               // program
-i ti10                     // interface
-r LOCAL-R          // meter reader
-w LOCAL-W       //meter writer
-f 20000               // ?
-b 20000              // ?
-t 20000               // ?
-D                        // ?

the -D option is in the NeMaC command, too. Does it mean that the
process is started as a daemon or

Cheers

Ralf

From netramet-owner  Tue Apr 24 01:05:18 2001
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id BAA05620
       for netramet-outgoing; Tue, 24 Apr 2001 01:03:12 +1200 (NZST)
Received: from ele.pku.edu.cn (IDENT:[email protected] [162.105.204.170])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id BAA05612
       for <[email protected]>; Tue, 24 Apr 2001 01:03:10 +1200 (NZST)
Received: from pku.edu.cn ([162.105.130.97])
       by ele.pku.edu.cn (8.9.3/8.8.7) with ESMTP id VAA01967
       for <[email protected]>; Mon, 23 Apr 2001 21:11:41 +0800
Message-ID: <[email protected]>
Date: Mon, 23 Apr 2001 21:04:43 +0800
From: ma hao <[email protected]>
X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: "[email protected]" <[email protected]>
Subject: interface supported and interface's down
Content-Type: text/plain; charset=gb2312
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Precedence: bulk

Hi, everyone,

Can Netramet4.3 or 4.4b now support a giga ether interface?

From the netramet 9907 mailing list, I found a question about netramet,
which is the interface going down after 2 weeks' work in redhat v6. Now I
have encountered the same question: after 5 hours' work, the interface
never responds to any networking request such as bing or telnet, and when
I reboot the machine, everything is fine. Why? My environment is Sun
solaris 2.7, ultra 60.

Thanks for any suggestions and tips,

regards,

mah






From netramet-owner  Tue Apr 24 01:53:36 2001
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id BAA08374
       for netramet-outgoing; Tue, 24 Apr 2001 01:51:57 +1200 (NZST)
Received: from smtpproxy1.mitre.org (mb-20-100.mitre.org [129.83.20.100])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id BAA08363
       for <[email protected]>; Tue, 24 Apr 2001 01:51:54 +1200 (NZST)
Received: from avsrv1.mitre.org (avsrv1.mitre.org [129.83.20.58])
       by smtpproxy1.mitre.org (8.9.3/8.9.3) with ESMTP id JAA10920
       for <[email protected]>; Mon, 23 Apr 2001 09:51:21 -0400 (EDT)
Received: from mailsrv1.mitre.org (mailsrv1.mitre.org [129.83.20.6])
       by smtpsrv1.mitre.org (8.9.3/8.9.3) with ESMTP id JAA03505
       for <[email protected]>; Mon, 23 Apr 2001 09:51:20 -0400 (EDT)
Received: from burgess.omaha.mitre.org ([129.83.21.68]) by
         mailsrv1.mitre.org (Netscape Messaging Server 4.15) with SMTP id
         GC8ZTH00.OGR; Mon, 23 Apr 2001 09:51:17 -0400
From: "Burgess,David B." <[email protected]>
To: "Neil Fenemor" <[email protected]>, <[email protected]>
Subject: RE: Summing
Date: Mon, 23 Apr 2001 08:44:25 -0500
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
       charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
In-Reply-To: <[email protected]>
Sender: [email protected]
Precedence: bulk

The values will be summed up as long as the flow doesn't expire.  Once the
flow expires, the counter will be reset to 0.  The expiration interval is
set in the options (IIRC).

The solution I've used for this problem is to watch the numbers.  As long as
they increase, use the number.  Once the number decreases, a new flow has
been kicked off, so the old number should be added to the new number to show
the total traffic.

Of course, there is a program that manages this much better than NeMaC; I
just never bothered to figure out how to use it once I got the NeMaC post
processor I wrote working.

Dave

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]On Behalf Of Neil Fenemor
> Sent: Sunday, April 22, 2001 5:29 PM
> To: [email protected]
> Subject: Summing
>
>
> Hello,
>
> My flow files are summing the ToOctets/FromOctets fields, ie:
>
> 10 1163 383439 1 192.168.0.1 203.2.218.27  1975488 81369248
> 10 1163 383439 1 192.168.0.1 203.2.218.27  1978296 81485984
> 10 1163 383439 1 192.168.0.1 203.2.218.27  1980636 81591100
> 10 1163 383439 1 192.168.0.1 203.2.218.27  1983444 81700000
>
>
> I can't work out how to get either:  one entry that indicates
> the total sum of traffic across the flow (like the fourth line
> above), or individual lines per transmit/receive that can be
> summed to get the same results as the fourth line.
>
> Any ideas?
>
> Cheers
>
> Neil
>
>  ------------------------------------------------------------------
>        Neil Fenemor           |         System Administrator
>        PO Box 3261            |         Tasman Solutions Ltd.
>        Richmond, 7031         |           Ph  +64 3 5439092
>        New Zealand            |           Fax +64 3 5439091
>  ------------------------------------------------------------------
>
>
>


From netramet-owner  Tue Apr 24 02:03:17 2001
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id CAA09089
       for netramet-outgoing; Tue, 24 Apr 2001 02:02:01 +1200 (NZST)
Received: from smtpproxy2.mitre.org (smtpproxy2.mitre.org [128.29.154.90])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id CAA09075
       for <[email protected]>; Tue, 24 Apr 2001 02:01:59 +1200 (NZST)
Received: from avsrv2.mitre.org (avsrv2.mitre.org [128.29.154.4])
       by smtpproxy2.mitre.org (8.9.3/8.9.3) with ESMTP id KAA21640
       for <[email protected]>; Mon, 23 Apr 2001 10:01:27 -0400 (EDT)
Received: from mailsrv1.mitre.org (mailsrv1.mitre.org [129.83.20.6])
       by smtpsrv1.mitre.org (8.9.3/8.9.3) with ESMTP id KAA05624
       for <[email protected]>; Mon, 23 Apr 2001 10:01:26 -0400 (EDT)
Received: from burgess.omaha.mitre.org ([129.83.21.68]) by
         mailsrv1.mitre.org (Netscape Messaging Server 4.15) with SMTP id
         GC90AC00.5FP; Mon, 23 Apr 2001 10:01:24 -0400
From: "Burgess,David B." <[email protected]>
To: "Knapp Ralf" <[email protected]>, <[email protected]>
Subject: RE: Netramet options
Date: Mon, 23 Apr 2001 08:54:34 -0500
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
       charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
In-Reply-To: <[email protected]>
Sender: [email protected]
Precedence: bulk

> Could someone explain these options, found in an old running FreeBSD -
> NetraMet4.3 command.
>
> command/option       explanation
>
> NeTraMet               // program
> -i ti10                     // interface
> -r LOCAL-R          // meter reader
> -w LOCAL-W       //meter writer
> -f 20000               // ?
> -b 20000              // ?
> -t 20000               // ?
> -D                        // ?
>
> The -D option is in the NeMaC command, too. Does it mean that the
> process is started as a daemon or

These options are covered in the NeTraMet/NeMaC Reference Manual.  A Summary
of the commands is also available by calling NeTraMet with no arguments ...

On NeTraMet
-i      defines the interface
-r      is the Read-only Community String
-w      is the Read-Write Community String
-f      is the maximum number of flows
-b      is the maximum number of stream data blocks
-t      is the maximum number of IP streams
-D      Daemon Mode (shortcut for -k and -s)



From netramet-owner  Tue Apr 24 02:28:21 2001
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id CAA10649
       for netramet-outgoing; Tue, 24 Apr 2001 02:26:24 +1200 (NZST)
Received: from nosc.ja.net (nosc.ja.net [128.86.16.20])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id CAA10642
       for <[email protected]>; Tue, 24 Apr 2001 02:26:22 +1200 (NZST)
Received: from nosc.ja.net ([128.86.16.20])
       by nosc.ja.net with esmtp (Exim 3.10 #2)
       id 14rhIC-0003UT-00
       for [email protected]; Mon, 23 Apr 2001 15:26:20 +0100
To: [email protected]
Subject: Re: Summing
In-reply-to: Your message of "Mon, 23 Apr 2001 08:44:25 CDT."
            <[email protected]>
Date: Mon, 23 Apr 2001 15:26:16 +0100
Message-ID: <[email protected]>
From: Kevin Hoadley <[email protected]>
Sender: [email protected]
Precedence: bulk


> > My flow files are summing the ToOctets/FromOctets fields, ie:
> >
> > 10 1163 383439 1 192.168.0.1 203.2.218.27  1975488 81369248
> > 10 1163 383439 1 192.168.0.1 203.2.218.27  1978296 81485984
> > 10 1163 383439 1 192.168.0.1 203.2.218.27  1980636 81591100
> > 10 1163 383439 1 192.168.0.1 203.2.218.27  1983444 81700000
> >
> > I can't work out how to get either:  one entry that indicates
> > the total sum of traffic across the flow (like the fourth line
> > above), or individual lines per transmit/receive that can be
> > summed to get the same results as the fourth line.

> Of course, there is a program that manages this much better than NeMaC; I
> just never bothered to figure out how to use it once I got the NeMaC post
> processor I wrote working.

fd_filter - part of the NeTraMet distribution, turns the cumulative counters
into absolute figures per sample.

Kevin Hoadley.
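
The counter handling discussed in this thread (a decrease means the flow restarted, as Dave describes; per-sample figures, as Kevin says fd_filter produces), as an added Python example that is not part of either message and is not fd_filter itself. The column layout is an assumption read off the sample lines, and the last two input lines are constructed.

```python
# Added example, not from the thread. Assumed layout (from the sample lines):
# fields 5 and 6 are the peer addresses, the last two fields are the
# cumulative ToOctets and FromOctets counters.

# Constructed input: the four lines quoted in the thread, then a constructed
# counter restart (flow expired) followed by one more sample.
SAMPLE = """\
10 1163 383439 1 192.168.0.1 203.2.218.27  1975488 81369248
10 1163 383439 1 192.168.0.1 203.2.218.27  1978296 81485984
10 1163 383439 1 192.168.0.1 203.2.218.27  1980636 81591100
10 1163 383439 1 192.168.0.1 203.2.218.27  1983444 81700000
10 1163 390000 1 192.168.0.1 203.2.218.27  1000 5000
10 1163 390000 1 192.168.0.1 203.2.218.27  1500 9000
"""


def parse(line):
    """Return ((src, dst), to_octets, from_octets), or None for a bad line."""
    f = line.split()
    if len(f) < 8 or not (f[-2].isdigit() and f[-1].isdigit()):
        return None
    return (f[4], f[5]), int(f[-2]), int(f[-1])


def delta(prev, cur):
    """Octets since the last sample; a decrease means the counter restarted."""
    return cur - prev if cur >= prev else cur


def process(lines):
    """Return (per-sample deltas, total per address pair across restarts)."""
    last, totals, deltas = {}, {}, []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        key, to_o, from_o = rec
        p_to, p_from = last.get(key, (0, 0))  # first sample counts in full
        d_to, d_from = delta(p_to, to_o), delta(p_from, from_o)
        last[key] = (to_o, from_o)
        t_to, t_from = totals.get(key, (0, 0))
        totals[key] = (t_to + d_to, t_from + d_from)
        deltas.append((key, d_to, d_from))
    return deltas, totals


if __name__ == "__main__":
    deltas, totals = process(SAMPLE.splitlines())
    print(deltas, totals)
```

A restart is only detected when the counter is lower than at the previous sample; one that has already climbed past the old value by then is counted as ordinary growth.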

From netramet-owner  Thu Apr 26 09:28:22 2001
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id JAA09540
       for netramet-outgoing; Thu, 26 Apr 2001 09:21:16 +1200 (NZST)
Received: from correo2 ([157.238.87.78])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id JAA09499
       for <[email protected]>; Thu, 26 Apr 2001 09:21:05 +1200 (NZST)
Received: from qoslabs.com ([63.69.216.194])
by correo2.qoslabs.com (iPlanet Messaging Server 5.0 Patch 2 (built Dec 14
2000)) with SMTP id <[email protected]> for
[email protected]; Wed, 25 Apr 2001 17:21:15 -0400 (EDT)
Date: Wed, 25 Apr 2001 17:23:45 -0700
From: Sandra Salas <[email protected]>
Subject: fd_filter
To: Kevin Hoadley <[email protected]>
Cc: [email protected]
Reply-to: [email protected]
Message-id: <[email protected]>
Organization: QoSlabs
MIME-version: 1.0
X-Mailer: Mozilla 4.75 [en] (Win98; U)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7BIT
X-Accept-Language: en
References: <[email protected]>
Sender: [email protected]
Precedence: bulk

Hi

I use the fd_filter and I am able to filter by SourcePeerAddress, but I
can't filter by DestPeerAddress.
Any idea what's going on?

This is my format file:

Format:

TagNbr SourcePeerAddress DestPeerAddress  ToPduRate FromPduRate  ToOctetRate FromOctetRate;
Tag 1
SourcePeerAddress  =10.1.1.1 ;

Tag 2
DestPeerAddress = 10.2.2.2 ;


thanks in advance.








From netramet-owner  Mon Apr 30 11:56:06 2001
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id LAA08894
       for netramet-outgoing; Mon, 30 Apr 2001 11:50:36 +1200 (NZST)
Received: from dc01002.ems.riodata.de (officemail.riodata.de [62.16.139.22])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id LAA08851
       for <[email protected]>; Mon, 30 Apr 2001 11:50:31 +1200 (NZST)
Received: from HOELSKEN (nb01162.mrf.riodata.de [192.168.2.26]) by dc01002.ems.riodata.de with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
       id J5L4M937; Mon, 30 Apr 2001 01:49:53 +0200
From: "Peter Hoelsken" <[email protected]>
To: <[email protected]>
Subject: Inactivity timeout = 3600 - still no noticeable effect
Date: Mon, 30 Apr 2001 01:44:00 +0200
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
       charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Sender: [email protected]
Precedence: bulk

I'm using NeTraMet 4.3 under FreeBSD, but have some problems understanding
the purpose of the Inactivity Timeout parameter.
My ruleset only saves the sourcepeeraddress and counts the octets of the
flows in order to account the total traffic generated by some servers. In
theory (and practice) the number of flows never grows bigger than 10 since
there are not more than 10 servers right now. With only 10 flows there
should be no memory problems, so I decided to raise the Inactivity Timeout
parameter to 1 hour (ultimately I wanted to go with a timeout of 24 hours).
But although the Meter's f-output shows "InactTime 3600", flows are
recovered far earlier than after 1 hour of inactivity (after about 10 or 20
minutes). I thought that a flow has to be inactive for more seconds than
given by InactTime and only after that period it could be recovered by the
garbage collector.

Is there a fundamental misunderstanding on my side? How can I make sure a
flow exists for at least 1 hour (or more)?

Regards,

Peter


From netramet-owner  Mon Apr 30 21:17:30 2001
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id VAA11105
       for netramet-outgoing; Mon, 30 Apr 2001 21:15:11 +1200 (NZST)
Received: from Exchange2000.com-con.ag (exchange2000.com-con.net [212.6.164.8])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id VAA11098
       for <[email protected]>; Mon, 30 Apr 2001 21:15:09 +1200 (NZST)
Subject: flood mode!???
Date: Mon, 30 Apr 2001 11:14:35 +0100
MIME-Version: 1.0
Content-Type: text/plain;
       charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-ID: <[email protected]>
Content-Class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft Exchange V6.0.4417.0
Thread-Topic: flood mode!???
Thread-Index: AcDRXluOiXsabD1FEdWewAABAiHO8Q==
From: "Knapp, Ralf" <[email protected]>
To: <[email protected]>
Sender: [email protected]
Precedence: bulk


My NeTraMet application should count all IP traffic and the rules
seem to work, but after a day or so the
reader is in "flood mode".

Here are my settings.

NeTraMet        -i ti0
               -r 127.0.0.1
               -w writer
               -f 500000       //the number of flows
                                       in the flow file are < 470 000

               -u 10000
               -b 20000
By the way, what is the difference between TCP flow and stream??

NeMaC   -c 60
               -g 303
               -e /config/myip.rules
               -r /config/myip.rules
               -p
               -h 65
               -F /flow
               -L /log
Do I have to set the inactivity timeout, like Peter Hoelsken has done??

I need the information of flows every minute (c60), and these must have
the SourceIP, destIP, SourcePort, destPort, bytesto, bytefrom...
By a script this flow file is saved every 5 minutes, and after this time
all flows could be recovered by Netramet.
How can I configure this!!
It would be better if the flows were reset/recovered after every
collection.



Thanks for every e-mail

Sincerely

Ralf
