From netramet-owner Tue May 1 00:38:22 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id AAA23209
for netramet-outgoing; Tue, 1 May 2001 00:36:10 +1200 (NZST)
Received: from dc01002.ems.riodata.de (officemail.riodata.de [62.16.139.22])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id AAA23203
for <[email protected]>; Tue, 1 May 2001 00:36:08 +1200 (NZST)
Received: from hoelsken ([172.16.5.161]) by dc01002.ems.riodata.de with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
id J5L4M96M; Mon, 30 Apr 2001 14:35:36 +0200
From: "Peter Hoelsken" <[email protected]>
To: <[email protected]>
Subject: RE: Inactivity timeout = 3600 - still no noticeable effect
Date: Mon, 30 Apr 2001 14:29:42 +0200
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Sender: [email protected]
Precedence: bulk
Here's the rule file for my previous post, maybe that helps someone to
detect the error. As I said, although I never have more than 10 active flows
and Inactivity Timeout is set to 3600s (= 1 hour and yes it is set, I can
see it when I press "f"), flows get recovered far earlier than after 1 hour
(about 10 min or so). I can see the recovery in the flow file, because the
counters have been reset and firsttime has changed. What's going on here,
any ideas on your side?
regards
Peter
set 2;
format SourcePeerAddress ";" DestPeerAddress ";" FlowClass ";" ToOctets ";"
    FromOctets ";" firsttime;
if SourcePeerType == IPv4 {
    if SourcePeerAddress == 10.0.0.0/27 {
        store FlowClass := 1;
        save SourcePeerAddress;
        count;
    }
    else if DestPeerAddress == 10.0.0.0/27 nomatch;
}
ignore;
Here's how I start the programs (they are located on the same machine):
/usr/local/bin/NeTraMet -i fxp0 -k -l -s -w secret
/usr/local/bin/NeMaC -b /home/netramet/mib.txt -c 300 -F /home/netramet/flows -i 3600 -L /home/netramet/log -p -r /home/netramet/rules.rules 127.0.0.1 secret
From netramet-owner Tue May 1 09:54:21 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id JAA19138
for netramet-outgoing; Tue, 1 May 2001 09:52:16 +1200 (NZST)
Received: from nebbiolo.caida.org ([email protected] [130.216.3.1])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id JAA19104;
Tue, 1 May 2001 09:52:08 +1200 (NZST)
From: Nevil Brownlee <[email protected]>
Date: Mon, 30 Apr 2001 12:13:18 -0700
To: Peter Hoelsken <[email protected]>
Subject: Re: Inactivity timeout = 3600 - still no noticeable effect
Cc: [email protected]
In-Reply-To: <[email protected]>
References: <[email protected]>
Message-ID: <[email protected]>
Priority: NORMAL
X-Mailer: Execmail for Linux 5.1 Build (8) -- Evaluation Copy
MIME-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Sender: [email protected]
Precedence: bulk
Hello Peter:
> I'm using NeTraMet 4.3 under FreeBSD, but have some problems understanding
> the purpose of the Inactivity Timeout parameter.
> My ruleset only saves the sourcepeeraddress and counts the octets of the
> flows in order to account the total traffic generated by some servers. In
> theory (and practice) the number of flows never grows bigger than 10 since
> there are not more than 10 servers right now. With only 10 flows there
> should be no memory problems, so I decided to raise the Inactivity Timeout
> parameter to 1 hour (ultimately I wanted to go with a timeout of 24 hours).
> But although the Meter's f-output shows "InactTime 3600", flows are
> recovered far earlier than after 1 hour of inactivity (after about 10 or 20
> minutes). I thought that a flow has to be inactive for more seconds than
> given by InactTime and only after that period it could be recovered by the
> garbage collector.
>
> Is there a fundamental misunderstanding on my side? How can I make sure a
> flow exists for at least 1 hour (or more)?
What's supposed to happen (as per RFC 2722) is that a flow can't be
recovered until its data has been read by every meter reader currently
collecting its data, AND it's been idle for InactivityTimeout seconds
after its data has been read.
1) You could try the latest beta version of NeTraMet, this is
NeTraMet44b9.tar.gz in the beta-versions directory on the
distribution sites.
2) You may have discovered an implementation bug. I'm away from work
just now, but will be back Monday 7 May. I'll have a look at this
then.
Cheers, Nevil
+---------------------------------------------------------------------+
| Nevil Brownlee Director, Technology Development |
| Phone: +64 9 373 7599 x8941 ITSS, The University of Auckland |
| FAX: +64 9 373 7021 Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------+
From netramet-owner Tue May 1 09:59:51 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id JAA20809
for netramet-outgoing; Tue, 1 May 2001 09:58:27 +1200 (NZST)
Received: from nebbiolo.caida.org ([email protected] [130.216.3.1])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id JAA20751;
Tue, 1 May 2001 09:58:16 +1200 (NZST)
From: Nevil Brownlee <[email protected]>
Date: Mon, 30 Apr 2001 12:19:25 -0700
To: [email protected]
Subject: re: NeTraMet and Mobile IPv6
Cc: [email protected]
In-Reply-To: <[email protected]>
References: <[email protected]>
Message-ID: <[email protected]>
Priority: NORMAL
X-Mailer: Execmail for Linux 5.1 Build (8) -- Evaluation Copy
MIME-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Sender: [email protected]
Precedence: bulk
Hello Imed:
> I want to know if NeTraMet can collect IPv6 packets especially those related
> to Mobility IPv6 (ICMPv6 packets, packets of binding update, etc.)
>
> Any information about NeTraMet and IPv6 is welcome
>
> Thanks for the help
NeTraMet can certainly handle IPv6 packets - they have
sourcepeertype == IPv6
when you're writing SRL rulesets. UDP, TCP and ICMP should all work
as expected.
However, since I don't have access to a network with IPv6 traffic on it,
I haven't been able to test the IPv6 implementation properly.
Does anyone else on the list have actual experience of using NeTraMet
on a v6 network? Or is there anyone who could provide a v6 testbed
for NeTraMet??
Cheers, Nevil
+---------------------------------------------------------------------+
| Nevil Brownlee Director, Technology Development |
| Phone: +64 9 373 7599 x8941 ITSS, The University of Auckland |
| FAX: +64 9 373 7021 Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------+
From netramet-owner Wed May 2 01:45:56 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id BAA22091
for netramet-outgoing; Wed, 2 May 2001 01:41:42 +1200 (NZST)
Received: from marvin.axion.bt.co.uk (marvin.axion.bt.co.uk [132.146.16.82])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id BAA22086
for <[email protected]>; Wed, 2 May 2001 01:41:40 +1200 (NZST)
From: [email protected]
Received: from cbtlipnt02.btlabs.bt.co.uk by marvin (local) with ESMTP;
Tue, 1 May 2001 13:55:00 +0100
Received: by cbtlipnt02.btlabs.bt.co.uk
with Internet Mail Service (5.5.2652.35) id <1PP9GQKG>;
Tue, 1 May 2001 13:54:17 +0100
Message-ID: <5104D4DBC598D211B5FE0000F8FE7EB20BB147A8@mbtlipnt02.btlabs.bt.co.uk>
To: [email protected]
Subject: Installing nifty
Date: Tue, 1 May 2001 13:50:30 +0100
X-Mailer: Internet Mail Service (5.5.2652.35)
MIME-version: 1.0
Content-type: text/plain; charset="iso-8859-1"
Sender: [email protected]
Precedence: bulk
hi,
i'm using NeTraMet v4.3 on FreeBSD v4.2. I understand that i won't
be able to install nifty if i don't have Motif/LessTif installed.
Recently i found an openmotif v2.1.30 package; will that enable me to
install nifty? pls advise, thank you.
hong joo
From netramet-owner Wed May 2 01:54:37 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id BAA22668
for netramet-outgoing; Wed, 2 May 2001 01:53:19 +1200 (NZST)
Received: from smtpproxy1.mitre.org (mb-20-100.mitre.org [129.83.20.100])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id BAA22657;
Wed, 2 May 2001 01:53:11 +1200 (NZST)
Received: from avsrv1.mitre.org (avsrv1.mitre.org [129.83.20.58])
by smtpproxy1.mitre.org (8.9.3/8.9.3) with ESMTP id JAA11931;
Tue, 1 May 2001 09:52:38 -0400 (EDT)
Received: from mailsrv1.mitre.org (mailsrv1.mitre.org [129.83.20.6])
by smtpsrv1.mitre.org (8.9.3/8.9.3) with ESMTP id JAA10765;
Tue, 1 May 2001 09:52:37 -0400 (EDT)
Received: from burgess.omaha.mitre.org ([129.83.21.39]) by
mailsrv1.mitre.org (Netscape Messaging Server 4.15) with SMTP id
GCNT7M00.KFO; Tue, 1 May 2001 09:52:34 -0400
From: "Burgess,David B." <[email protected]>
To: "Nevil Brownlee" <[email protected]>,
"Peter Hoelsken" <[email protected]>
Cc: <[email protected]>
Subject: RE: Inactivity timeout = 3600 - still no noticeable effect
Date: Tue, 1 May 2001 08:45:28 -0500
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <[email protected]>
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Importance: Normal
Sender: [email protected]
Precedence: bulk
>
> 1) You could try the latest beta version of NeTraMet, this is
> NeTraMet44b9.tar.gz in the beta-versions directory on the
> distribution sites.
Nevil, et al,
I have recently built a NetBSD Package based on NeTraMet44b8.tar.gz. I'm
sure it would work fine with 44b9, but I wanted to make sure that the
package remains viable. As it turns out, the package system is in a code
freeze awaiting the release of NetBSD 1.5.1.
My request is to continue to make 44b8 available for people using NetBSD.
Once the code freeze for pkgsrc has been lifted, I will update the package
pointer to the new version and test the software.
On a note laterally related to the above and directly to another question I
just saw go by: NetBSD has KAME IPv6 integrated into the system and builds
flawlessly (and works flawlessly) on NetBSD versions 1.4.3 and above. I use
NeTraMet all of the time to track real-world usage on the systems I work on,
so I'm very familiar with the package and what you can do with it.
I'm planning on adding an IPv6 to my SRL so that I can track IPv6 traffic in
general. Since I run a mixed v4/v6 network, it would be a good testbed for
NeTraMet.
From netramet-owner Wed May 2 21:20:26 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id VAA22882
for netramet-outgoing; Wed, 2 May 2001 21:15:43 +1200 (NZST)
Received: from gandalf.axion.bt.co.uk (gandalf.axion.bt.co.uk [132.146.17.29])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id VAA22875
for <[email protected]>; Wed, 2 May 2001 21:15:41 +1200 (NZST)
From: [email protected]
Received: from cbtlipnt02.btlabs.bt.co.uk by gandalf (local) with ESMTP;
Wed, 2 May 2001 10:04:10 +0100
Received: by cbtlipnt02.btlabs.bt.co.uk
with Internet Mail Service (5.5.2652.35) id <1PP9HHMM>;
Wed, 2 May 2001 10:03:26 +0100
Message-ID: <5104D4DBC598D211B5FE0000F8FE7EB20BB147A9@mbtlipnt02.btlabs.bt.co.uk>
To: [email protected]
Subject: Installation problem
Date: Wed, 2 May 2001 09:59:38 +0100
X-Mailer: Internet Mail Service (5.5.2652.35)
MIME-version: 1.0
Content-type: text/plain; charset="iso-8859-1"
Sender: [email protected]
Precedence: bulk
hi..
I seem to have a problem with installing NeTraMet v4.3 on my FreeBSD
machine: I have the Motif libraries installed, but the configure script
can't find them. Does anyone know the way to specify the path of my Motif
libraries to the configure script? Any ideas will be greatly appreciated.
Thanks
hong joo
From netramet-owner Sun May 13 04:26:58 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id EAA12991
for netramet-outgoing; Sun, 13 May 2001 04:18:27 +1200 (NZST)
Received: from nis-master.office-mail.co.uk (nis-master.office-mail.co.uk [217.15.160.51])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id EAA12981;
Sun, 13 May 2001 04:18:24 +1200 (NZST)
From: [email protected]
Received: from localhost (localhost [127.0.0.1])
by nis-master.office-mail.co.uk (Postfix) with SMTP
id A6CE51D632; Sat, 12 May 2001 17:12:48 +0100 (BST)
To: [email protected]
Cc: [email protected]
Subject: Monitoring and reporting network usage
Message-Id: <[email protected]>
Date: Sat, 12 May 2001 17:12:48 +0100 (BST)
Sender: [email protected]
Precedence: bulk
Hi there,
Apologies in advance if the cross-posting is not appropriate.
I am looking for some advice on monitoring and reporting network
usage. I am currently running a FreeBSD box with an application
called 'Snuffle' to produce reports as to how much traffic is
going to each of the hosts on my network.
Recently we have spotted that not all the traffic is getting
logged (with the biggest example being that we seemed to miss every
packet of a 1.5Gb upload last week) and so I have now decided to
look elsewhere for this kind of application.
Will NeTraMet be able to log the network usage for each of
the IPs on my network? If this is not the best choice of application,
has anyone got any other suggestions?
I mentioned that I am using FreeBSD. The reason for this is
that I was once told the *BSD operating systems have a better packet
capturing library. When I ported the snuffle code to Linux it
seemed to miss a lot of the traffic. Does anyone have any
advice as to an appropriate operating system for packet capture?
Thanks in advance,
--
Sean Kelly
From netramet-owner Wed May 16 23:31:43 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id XAA15792
for netramet-outgoing; Wed, 16 May 2001 23:26:56 +1200 (NZST)
Received: from clienti.promo.ro (IDENT:root@[194.102.177.67])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id XAA15785
for <[email protected]>; Wed, 16 May 2001 23:26:54 +1200 (NZST)
Received: from promo.ro (vnt.producton.ro [194.102.177.80])
by clienti.promo.ro (8.11.2/8.8.7) with ESMTP id f4GBQLC13645
for <[email protected]>; Wed, 16 May 2001 14:26:21 +0300
Message-ID: <[email protected]>
Date: Wed, 16 May 2001 14:34:20 +0300
From: Ciprian Niculescu <[email protected]>
X-Mailer: Mozilla 4.77 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: [email protected]
Subject: how to configure
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Precedence: bulk
i can't get netramet running, can someone help me with more detailed
information, the steps to do....
Thanks
C
--
Ciprian Niculescu
Network Engineer
Producton S.R.L.
From netramet-owner Thu May 17 01:50:43 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id BAA24829
for netramet-outgoing; Thu, 17 May 2001 01:48:28 +1200 (NZST)
Received: from clienti.promo.ro (IDENT:root@[194.102.177.67])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id BAA24824
for <[email protected]>; Thu, 17 May 2001 01:48:25 +1200 (NZST)
Received: from promo.ro (vnt.producton.ro [194.102.177.80])
by clienti.promo.ro (8.11.2/8.8.7) with ESMTP id f4GDlqx11801;
Wed, 16 May 2001 16:47:52 +0300
Message-ID: <[email protected]>
Date: Wed, 16 May 2001 16:55:49 +0300
From: Ciprian Niculescu <[email protected]>
X-Mailer: Mozilla 4.77 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: "Knapp, Ralf" <[email protected]>, [email protected]
Subject: Re: AW: how to configure
References: <[email protected]>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: [email protected]
Precedence: bulk
oops sorry, i've got a lot of work and i've forgotten.
So: the system is Linux Redhat 7.1, i've installed Netramet 4.3.
i've run: Netramet -D. it started to listen on the snmp port
i've run: Netmac -r rules.default, and with other ones, it does
something.
i've tried nifty too, and i did some graphics.
but i don't understand how i'll do the statistics, the graphs......
so it's not something technical it's more conceptual, what i do with
what to get what i want.
What i want: to get information on how much data each host is
sending/getting, the bandwidth used.
C
"Knapp, Ralf" wrote:
>
> Some more information would be nice...
>
> -System on which you wanna run the program?
> OS, Interface, what have you installed (version)
>
> -a definition of what goes and what doesn't
>
> Ralf
--
Ciprian Niculescu
Network Engineer
Producton S.R.L.
From netramet-owner Thu May 17 03:52:04 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id DAA01832
for netramet-outgoing; Thu, 17 May 2001 03:49:54 +1200 (NZST)
Received: from smtpproxy1.mitre.org (mb-20-100.mitre.org [129.83.20.100])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id DAA01825
for <[email protected]>; Thu, 17 May 2001 03:49:51 +1200 (NZST)
Received: from avsrv1.mitre.org (avsrv1.mitre.org [129.83.20.58])
by smtpproxy1.mitre.org (8.9.3/8.9.3) with ESMTP id LAA28780
for <[email protected]>; Wed, 16 May 2001 11:49:19 -0400 (EDT)
Received: from mailsrv1.mitre.org (mailsrv1.mitre.org [129.83.20.6])
by smtpsrv1.mitre.org (8.9.3/8.9.3) with ESMTP id LAA11249
for <[email protected]>; Wed, 16 May 2001 11:49:18 -0400 (EDT)
Received: from burgess.omaha.mitre.org ([129.83.21.82]) by
mailsrv1.mitre.org (Netscape Messaging Server 4.15) with SMTP id
GDFQM300.OFX; Wed, 16 May 2001 11:49:15 -0400
From: "Burgess,David B." <[email protected]>
To: "Ciprian Niculescu" <[email protected]>
Cc: "Netramet@Auckland. Ac. Nz" <[email protected]>
Subject: RE: AW: how to configure
Date: Wed, 16 May 2001 10:41:47 -0500
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Importance: Normal
In-Reply-To: <[email protected]>
Sender: [email protected]
Precedence: bulk
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Ciprian Niculescu
> Sent: Wednesday, May 16, 2001 8:56 AM
> To: Knapp, Ralf; [email protected]
> Subject: Re: AW: how to configure
>
>
> oops sorry, i've got a lot of work and i've forgotten.
>
Not to worry - just remember that we are also busy people. :-)
> So: the system is Linux Redhat 7.1, i've installed Netramet 4.3.
> i've run: Netramet -D. it started to listen on the snmp port
> i've run: Netmac -r rules.default, and with other ones, it does
> something.
> i've tried nifty too, and i did some graphics.
>
> but i don't understand how i'll do the statistics, the graphs......
NeTraMet is the Meter - it just collects the information.
NeMaC is the Meter Reader - it reads the meter and categorizes the
information so that you can make sense of it. For example, I wrote a PERL
script that looks at the consolidated meter output from NeMaC and builds a
monthly report of how much network traffic each of my customers is
generating.
So, there are three pieces - the meter (which you probably have running),
the reader (which you run to turn the data into something that resembles
information) and the interpreter (which you will probably need to write).
From there, you need to decide what kind of information and how much
information you are interested in. You also need to figure out how you want
it displayed. To start, 'nifty' is a good program to give you an idea of
how to do real-time data monitoring (even though I can't seem to get it to
work correctly here) but there are *SO* many other ways to do what nifty does.
If nothing else, use a good SNMP client to get the information out. Have
fun.
Dave
>
> so it's not something technical it's more conceptual, what i do with
> what to get what i want.
>
> What i want: to get information on how much data each host is
> sending/getting, the bandwidth used.
>
> C
>
> "Knapp, Ralf" wrote:
> >
> > Some more information would be nice...
> >
> > -System on which you wanna run the program?
> > OS, Interface, what have you installed (version)
> >
> > -a definition of what goes and what doesn't
> >
> > Ralf
>
> --
> Ciprian Niculescu
> Network Engineer
> Producton S.R.L.
>
From netramet-owner Thu May 17 20:12:12 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id UAA14264
for netramet-outgoing; Thu, 17 May 2001 20:08:49 +1200 (NZST)
Received: from Exchange2000.com-con.ag (exchange2000.com-con.net [212.6.164.8])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id UAA14259
for <[email protected]>; Thu, 17 May 2001 20:08:47 +1200 (NZST)
Subject: WG: solution?!! with some problems!! (which host produces, when, how much traffic)
Date: Thu, 17 May 2001 10:08:14 +0100
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-ID: <[email protected]>
X-MimeOLE: Produced By Microsoft Exchange V6.0.4417.0
Content-Class: urn:content-classes:message
Thread-Topic: AW: how to configure
Thread-Index: AcDeV9lEyL7nTJ26TaWe4VWF4wjFcAAUioBgAAGyzQA=
From: "Knapp, Ralf" <[email protected]>
To: <[email protected]>
Sender: [email protected]
Precedence: bulk
dear netramet-users,
dear network-administrators,
> For example, I wrote a PERL
> script that looks at the consolidated meter output from NeMaC and builds a
> monthly report of how much network traffic each of my customers is
> generating.
I've written a script, too, but have some problems.... perhaps you have some
hints..
or could share your way of accounting the traffic.
I use Netramet 3.4 on FreeBSD 4.2
On a Gigabit NIC plugged into a span port of a switch I collect all the
traffic.
so far no problem..
- Every minute the reader writes into the flow-files (-c60)
- every 5 minutes I collect the flow-files (-p) and save them
-> the 'older' flows (10 minutes old) and the 'newer' flows (5 minutes
old) are used with "fd_filter" to get the 'real' traffic in bytes during
one minute (-c60) in a 5-minute file (my script computes this every 5 minutes)
-->> what I get are files with the information
Timestamp (every minute), SourceIP, SourcePort, DestIP, DestPort,
TO_bytes (during the minute), From_bytes (during the minute)
These files are imported into a SQL DB and so I can do ACCOUNTING and LOGGING
of all the traffic in the network.
BUT
- sometimes in the logfiles ---"No response"--- messages appear. WHY
?? WHAT'S going wrong.
-> my solution: if "NO response" then restart meter and reader. MORE
SOLUTIONS??
so the traffic I lose is just one minute
- sometimes there are --- Null Byte files --- created by the "fd_filter"
operation, but I don't see any reason for them;
the time when they were produced has nothing to do with the -- "no
response"-- messages
- the processing of my script (bash/perl) every 5 minutes loads the CPU
so much for ~30 sec that I can't compute other things
but on the system there is a firewall/gateway running, too...and all
traffic flows through it and that seems to work correctly.
SUMMARY
Does someone know the reason for the "no response" messages??
or the "NullByte" files??
How do you do the accounting....and the logging, because I'm certainly not
the only one who wants to know
___which____ host produces
___how much___ traffic
___with ___which other hosts and
___when___ he does this.
our customers don't only want to know what they have to pay, they want
to know why, too
For any hint, solution or even some words .......thanks
Ralf
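Peter's recovery check (counters reset and firsttime changed) and Ralf's per-minute accounting both come down to differencing the cumulative counters in successive NeMaC flow-file samples. The Python below is an added example, not code from NeTraMet or from anyone on this list; it assumes the layout NeMaC writes (a #Format line naming the columns, a #Time line before each sample, #EndData after it, one whitespace-separated line per flow) and runs over a constructed three-sample file in which one flow is recovered between samples.

```python
"""Difference NeMaC flow files into per-interval byte counts per host pair.

Added example (not NeTraMet's own code). Assumes NeMaC's flow-file layout:
a '#Format:' line naming the columns, a '#Time:' line before each sample,
'#EndData:' after it, and one whitespace-separated data line per flow whose
counters are cumulative since the flow was created.
"""
import re
from collections import defaultdict

FORMAT_RE = re.compile(r"^#Format:\s+(.+)$")
TIME_RE = re.compile(r"^#Time:\s+(\S+)\s")


def parse_flow_file(text):
    """Yield (sample_time, record) for every data line, keyed by #Format."""
    columns = None
    sample_time = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FORMAT_RE.match(line)
        if m:
            columns = m.group(1).split()
            continue
        m = TIME_RE.match(line)
        if m:
            sample_time = m.group(1)
            continue
        if line.startswith("#"):
            continue  # ##NeTraMet banner, #Ruleset, #Stats, #EndData
        if columns is None or sample_time is None:
            raise ValueError("data line before #Format/#Time: %r" % line)
        fields = line.split()
        if len(fields) != len(columns):
            raise ValueError("column count mismatch: %r" % line)
        yield sample_time, dict(zip(columns, fields))


def account(text):
    """Return (deltas, recoveries).

    deltas: (time, src, dst, to_bytes, from_bytes) per flow sample, i.e. the
            bytes moved since the previous sample of that address pair.
    recoveries: (time, src, dst) where the meter recovered the flow and made
            a fresh one (firsttime changed or a counter went backwards). Its
            counters restart from zero, so the whole sample is new traffic
            rather than a negative delta.
    """
    last = {}  # (src, dst) -> (firsttime, tooctets, fromoctets)
    deltas, recoveries = [], []
    for t, r in parse_flow_file(text):
        key = (r["sourcepeeraddress"], r["destpeeraddress"])
        first = int(r["firsttime"])
        to_b, from_b = int(r["tooctets"]), int(r["fromoctets"])
        prev = last.get(key)
        if prev is None:
            d_to, d_from = to_b, from_b
        elif first != prev[0] or to_b < prev[1] or from_b < prev[2]:
            recoveries.append((t, key[0], key[1]))
            d_to, d_from = to_b, from_b
        else:
            d_to, d_from = to_b - prev[1], from_b - prev[2]
        last[key] = (first, to_b, from_b)
        deltas.append((t, key[0], key[1], d_to, d_from))
    return deltas, recoveries


def bytes_per_host(deltas):
    """Sum deltas into {host: (bytes_sent, bytes_received)}."""
    sent = defaultdict(int)
    recv = defaultdict(int)
    for _t, src, dst, d_to, d_from in deltas:
        sent[src] += d_to    # ToOctets: source -> destination
        recv[dst] += d_to
        sent[dst] += d_from  # FromOctets: destination -> source
        recv[src] += d_from
    return {h: (sent[h], recv[h]) for h in set(sent) | set(recv)}


# Constructed sample: three one-minute samples (-c60). The 10.0.0.5 flow is
# recovered before the third sample (new firsttime, counters restarted).
SAMPLE = """\
##NeTraMet v4.3: -c60 -r rules.lan 127.0.0.1 eth0 10000 flows starting at 14:00:00 Thu 17 May 2001
#Format: flowruleset flowindex firsttime sourcepeertype sourcepeeraddress destpeeraddress topdus frompdus tooctets fromoctets
#Time: 14:01:00 Thu 17 May 2001 127.0.0.1 Flows from 0 to 6000
#Ruleset: 2 5 rules.lan NeMaC
2 17 100 1 10.0.0.5 10.0.0.9 10 8 1500 800
2 18 120 1 10.0.0.6 10.0.0.9 4 4 400 400
#EndData: 127.0.0.1
#Time: 14:02:00 Thu 17 May 2001 127.0.0.1 Flows from 6000 to 12000
2 17 100 1 10.0.0.5 10.0.0.9 25 20 4000 2100
2 18 120 1 10.0.0.6 10.0.0.9 4 4 400 400
#EndData: 127.0.0.1
#Time: 14:03:00 Thu 17 May 2001 127.0.0.1 Flows from 12000 to 18000
2 31 12500 1 10.0.0.5 10.0.0.9 3 2 300 100
#EndData: 127.0.0.1
"""

if __name__ == "__main__":
    deltas, recoveries = account(SAMPLE)
    for row in deltas:
        print("%s %s -> %s  to=%d from=%d" % row)
    print("recovered flows:", recoveries)
    print("per host (sent, received):", bytes_per_host(deltas))
```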
From netramet-owner Thu May 17 20:20:30 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id UAA15083
for netramet-outgoing; Thu, 17 May 2001 20:19:07 +1200 (NZST)
Received: from earth ([203.197.156.180])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id UAA15051;
Thu, 17 May 2001 20:18:43 +1200 (NZST)
Received: from [127.0.0.1] by earth
(ArGoSoft Mail Server Plus, Version 1.6 (1.6.0.0)); Thu, 17 May 2001 13:43:46 +0530
Message-ID: <[email protected]>
Date: Thu, 17 May 2001 13:43:39 +0530
From: balaji <[email protected]>
X-Mailer: Mozilla 4.75 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: [email protected]
CC: [email protected], [email protected]
Subject: Problem with NeMac..
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Precedence: bulk
Hi,
I am using NeTraMet version 4.3 on Red Hat Linux 6.1. I am trying
to use NeTraMet inside our LAN network. If I try to ping the host
200.201.202.113 from the host 200.201.202.110 using the following rule
file, I can't get the network flow.
I am using the subnet mask 255.255.255.0 and the meter is running on host
200.201.202.113.
Hereby I am appending the rule file and the report.
Please notify me if there is anything wrong in my rule file.
with regards,
balaji.
########################################################
Rule file
SET 2
RULES
DestPeerType & 255 = IP: Pushto, Ip_pkt;
Null & 0 = 0: Ignore, 0;
IP_pkt:
SourcePeerAddress & 255.255.255.255 = 200.201.202.110 : GotoAct, InTheNet;
DestPeerAddress & 255.255.255.0 = 200.201.202.113 : GotoAct, InTheNet;
Null & 0 = 0 : Ignore, 0;
InTheNet:
SourcePeerAddress & 255 = 0: PushPkttoAct, Next;
DestPeerAddress & 255 = 0: PushPkttoAct, count_pkt;
count_pkt:
Null & 0 = 0: Count, 0; # Source and Dest Peer Address pushed above
STATISTICS
#
FORMAT FlowRuleSet FlowIndex FirstTime " " SourcePeerType
SourcePeerAddress DestPeerAddress " "
ToPDUs FromPDUs ToOctets FromOctets;
#
# end of file
###########################################################
Report file
##NeTraMet v4.3: -c120 -r /home/balaji/ntm/NeTraMet43/examples/rules.pingexam asteroid eth0 10000 flows starting at 13:09:07 Thu 17 May 2001
#Format: flowruleset flowindex firsttime sourcepeertype sourcepeeraddress destpeeraddress topdus frompdus tooctets fromoctets
#Time: 13:09:07 Thu 17 May 2001 asteroid Flows from 0 to 4117
#Ruleset: 4 2 /home/balaji/ntm/NeTraMet43/examples/rules.pingexam NeMaC
#Stats: aps=7 apb=0 mps=16 mpb=0 lsp=0 avi=99.9 mni=98.9 fiu=2 frc=0 gci=10 rpp=2.0 tpp=1.0 cpt=1.0 tts=8191 tsu=0
#EndData: asteroid
#Time: 13:10:00 Thu 17 May 2001 asteroid Flows from 4116 to 9423
#Stats: aps=9 apb=0 mps=82 mpb=0 lsp=0 avi=99.7 mni=97.0 fiu=2 frc=0 gci=10 rpp=4.0 tpp=0.0 cpt=0.0 tts=8191 tsu=0
#EndData: asteroid
#Time: 13:12:00 Thu 17 May 2001 asteroid Flows from 9422 to 21430
#Stats: aps=8 apb=0 mps=24 mpb=0 lsp=0 avi=99.8 mni=98.0 fiu=2 frc=0 gci=10 rpp=4.0 tpp=0.0 cpt=0.0 tts=8191 tsu=0
#EndData: asteroid
#############################################################
From netramet-owner Sat May 19 23:31:17 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id XAA19269
for netramet-outgoing; Sat, 19 May 2001 23:25:47 +1200 (NZST)
Received: from ncc-consulting.de (mailsrv.ncc-consulting.de [213.68.34.137])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with SMTP id XAA19264
for <[email protected]>; Sat, 19 May 2001 23:25:45 +1200 (NZST)
Received: (qmail 21555 invoked from network); 19 May 2001 11:25:58 -0000
Received: from pec-8-73.tnt3.m2.uunet.de (HELO ncc-consulting.de) (149.225.8.73)
by mailsrv.ncc-consulting.de with SMTP; 19 May 2001 11:25:58 -0000
Message-ID: <[email protected]>
Date: Sat, 19 May 2001 13:25:02 +0200
From: Valentin Saca <[email protected]>
X-Mailer: Mozilla 4.6 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: [email protected]
Subject: SNMP-Community ?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Precedence: bulk
Hello everybody,
I have installed NeTraMet on my computer and now I tried to access the
meter with NeMaC. I get the response that I don't have write access to
the community. I searched for config files to set/reset the community
password but I didn't find any. If you know the answer to this problem
please send me the solution.
Thank you very much
Valentin
From netramet-owner Tue May 22 18:20:29 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id SAA11875
for netramet-outgoing; Tue, 22 May 2001 18:15:27 +1200 (NZST)
Received: from lgw01.officeinfo.com.au (lgw01.officeinfo.com.au [203.13.35.91])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id SAA11867
for <[email protected]>; Tue, 22 May 2001 18:15:24 +1200 (NZST)
Received: from per-oia-dc-01.int.officeinfo.com.au (localhost [127.0.0.1])
by lgw01.officeinfo.com.au (8.9.3/8.9.3) with ESMTP id OAA17663
for <[email protected]>; Tue, 22 May 2001 14:14:52 +0800
Received: by per-oia-dc-01.int.officeinfo.com.au with Internet Mail Service (5.5.2650.21)
id <LFCYFJ3Y>; Tue, 22 May 2001 14:14:50 +0800
Message-ID: <F84C8F6293472D4DB5C8BF3E0C573D231939B6@per-oia-dc-01.int.officeinfo.com.au>
From: Colin Manning <[email protected]>
To: "'[email protected]'" <[email protected]>
Subject: Quickstart hints for a newbie?
Date: Tue, 22 May 2001 14:14:49 +0800
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01C0E286.821389EC"
Sender: [email protected]
Precedence: bulk
Hi All,
I'm trying to install NeTraMet 4.3 on RedHat Linux 7.0.
I've configured, compiled and installed libpcap 0.4 and NeTraMet 4.3 both
from source.
nifty won't compile because ./configure returns :
--Snip--
checking for IceConnectionNumber in -lICE... yes
checking for XmStringFree in -lXm... no
checking for Xm/XmStrDefs.h using X_CFLAGS... no
>>>>> Motif not found: won't be able to build nifty
checking for ANSI C header files... yes
--Snip--
I'm running XFree86-4.0.1 - is there a way around this - configure can't
find libXm.so (because it does not exist).
Apart from that NeTraMet and NeMaC appear to run. If I start them like this:
NeTraMet -r test1 -w test2
NeMaC -c120 -r rules.lan 192.168.0.93 test2
I get :
NeTraMet: Network Meter v4.3
Running on per-oia-lx-crm.int.officeinfo.com.au, interface eth0
1400:42 ri[5]: '7', 25 rules
1400:42 ri[5]: '7', rhss = 10
1400:42 Manager 10, Current set 5
1400:42 '7' flows read by NeMaC
Statistics Zeroed
1402:00 '7' flows read by NeMaC
Statistics Zeroed
So I assume the processes are communicating, but how do I review the
results?
The IP address of the PC running NeTraMet and NeMaC is 192.168.0.93
The flow file contains:
##NeTraMet v4.3: -c120 -r rules.lan 192.168.0.93 eth0 10000 flows starting at 14:00:42 Tue 22 May 2001
#Format: flowruleset flowindex firsttime sourcepeertype sourcepeeraddress destpeeraddress sourcetranstype sourcetransaddress desttransaddress topdus frompdus tooctets fromoctets
#Time: 14:00:42 Tue 22 May 2001 192.168.0.93 Flows from 0 to 315
#Ruleset: 5 7 rules.lan NeMaC
#Stats: aps=0 apb=0 mps=0 mpb=0 lsp=0 avi=99.9 mni=100.0 fiu=0 frc=0 gci=10 rpp=0.0 tpp=0.0 cpt=0.0 tts=8191 tsu=0
#EndData: 192.168.0.93
#Time: 14:02:00 Tue 22 May 2001 192.168.0.93 Flows from 314 to 8122
#Stats: aps=0 apb=0 mps=0 mpb=0 lsp=0 avi=99.9 mni=100.0 fiu=0 frc=0 gci=10 rpp=0.0 tpp=0.0 cpt=0.0 tts=8191 tsu=0
#EndData: 192.168.0.93
#Time: 14:04:00 Tue 22 May 2001 192.168.0.93 Flows from 8121 to 20129
#Stats: aps=0 apb=0 mps=0 mpb=0 lsp=0 avi=99.9 mni=100.0 fiu=0 frc=0 gci=10 rpp=0.0 tpp=0.0 cpt=0.0 tts=8191 tsu=0
#EndData: 192.168.0.93
Now for the question - What am I doing wrong?
Is there a quickstart somewhere - All I want to do is see the numbers click
over.
Colin Manning.
Systems Consultant
Office Information Australia
Telephone: +618 9223 1700
Facsimile: +618 9325 9938
Mobile: 0412 384 242
E-Mail:
[email protected]
The information contained in this electronic transmission is confidential.
If you are not the intended recipient of this transmission, use of this
information is strictly prohibited. If you have received this transmission
in error, please contact Office Information Australia on +618 9223 1700.
From netramet-owner Tue May 22 21:46:36 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id VAA21660
for netramet-outgoing; Tue, 22 May 2001 21:44:28 +1200 (NZST)
Received: from lgw01.officeinfo.com.au (lgw01.officeinfo.com.au [203.13.35.91])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id VAA21652
for <
[email protected]>; Tue, 22 May 2001 21:44:25 +1200 (NZST)
Received: from per-oia-dc-01.int.officeinfo.com.au (localhost [127.0.0.1])
by lgw01.officeinfo.com.au (8.9.3/8.9.3) with ESMTP id RAA14574
for <
[email protected]>; Tue, 22 May 2001 17:43:53 +0800
Received: by per-oia-dc-01.int.officeinfo.com.au with Internet Mail Service (5.5.2650.21)
id <LFCYFJRM>; Tue, 22 May 2001 17:43:52 +0800
Message-ID: <F84C8F6293472D4DB5C8BF3E0C573D231939B7@per-oia-dc-01.int.officeinfo.com.au>
From: Colin Manning <
[email protected]>
To: "'
[email protected]'" <
[email protected]>
Subject: RE: Quickstart hints for a newbie?
Date: Tue, 22 May 2001 17:43:51 +0800
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01C0E2A3.B57C6930"
Sender:
[email protected]
Precedence: bulk
Hmm...
Compiled 44b10 and now the flow file gets populated.
Still leaves the question "Can I use nifty with XFree86-4.0?"
Thanks in advance,
Colin Manning.
Systems Consultant
Office Information Australia
Telephone: +618 9223 1700
Facsimile: +618 9325 9938
Mobile: 0412 384 242
E-Mail:
[email protected]
The information contained in this electronic transmission is confidential.
If you are not the intended recipient of this transmission, use of this
information is strictly prohibited. If you have received this transmission
in error, please contact Office Information Australia on +618 9223 1700.
-----Original Message-----
From: Colin Manning [mailto:
[email protected]]
Sent: Tuesday, 22 May 2001 2:15 PM
To: '
[email protected]'
Subject: Quickstart hints for a newbie?
Hi All,
I'm trying to install NeTraMet 4.3 on RedHat Linux 7.0.
I've configured, compiled and installed libpcap 0.4 and NeTraMet 4.3 both
from source.
nifty won't compile because ./configure returns:
--Snip--
checking for IceConnectionNumber in -lICE... yes
checking for XmStringFree in -lXm... no
checking for Xm/XmStrDefs.h using X_CFLAGS... no
>>>>> Motif not found: won't be able to build nifty
checking for ANSI C header files... yes
--Snip--
I'm running XFree86-4.0.1 - is there a way around this - configure can't
find libXm.so (because it does not exist).
Apart from that NeTraMet and NeMaC appear to run. If I start them like this:
NeTraMet -r test1 -w test2
NeMaC -c120 -r rules.lan 192.168.0.93 test2
I get:
NeTraMet: Network Meter v4.3
Running on per-oia-lx-crm.int.officeinfo.com.au, interface eth0
1400:42 ri[5]: '7', 25 rules
1400:42 ri[5]: '7', rhss = 10
1400:42 Manager 10, Current set 5
1400:42 '7' flows read by NeMaC
Statistics Zeroed
1402:00 '7' flows read by NeMaC
Statistics Zeroed
So I assume the processes are communicating, but how do I review the
results?
The IP address of the PC running NeTraMet and NeMaC is 192.168.0.93
The flow file contains:
##NeTraMet v4.3: -c120 -r rules.lan 192.168.0.93 eth0 10000 flows
starting at 14:00:42 Tue 22 May 2001
#Format: flowruleset flowindex firsttime sourcepeertype sourcepeeraddress
destpeeraddress sourcetranstype sourcetransaddress desttransaddress topdus
frompdus tooctets fromoctets
#Time: 14:00:42 Tue 22 May 2001 192.168.0.93 Flows from 0 to 315
#Ruleset: 5 7 rules.lan NeMaC
#Stats: aps=0 apb=0 mps=0 mpb=0 lsp=0 avi=99.9 mni=100.0 fiu=0 frc=0 gci=10
rpp=0.0 tpp=0.0 cpt=0.0 tts=8191 tsu=0
#EndData: 192.168.0.93
#Time: 14:02:00 Tue 22 May 2001 192.168.0.93 Flows from 314 to 8122
#Stats: aps=0 apb=0 mps=0 mpb=0 lsp=0 avi=99.9 mni=100.0 fiu=0 frc=0 gci=10
rpp=0.0 tpp=0.0 cpt=0.0 tts=8191 tsu=0
#EndData: 192.168.0.93
#Time: 14:04:00 Tue 22 May 2001 192.168.0.93 Flows from 8121 to 20129
#Stats: aps=0 apb=0 mps=0 mpb=0 lsp=0 avi=99.9 mni=100.0 fiu=0 frc=0 gci=10
rpp=0.0 tpp=0.0 cpt=0.0 tts=8191 tsu=0
#EndData: 192.168.0.93
Now for the question - What am I doing wrong?
Is there a quickstart somewhere - All I want to do is see the numbers click
over.
Colin Manning.
Systems Consultant
Office Information Australia
Telephone: +618 9223 1700
Facsimile: +618 9325 9938
Mobile: 0412 384 242
E-Mail:
[email protected]
The information contained in this electronic transmission is confidential.
If you are not the intended recipient of this transmission, use of this
information is strictly prohibited. If you have received this transmission
in error, please contact Office Information Australia on +618 9223 1700.
From netramet-owner Wed May 23 00:15:22 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id AAA01818
for netramet-outgoing; Wed, 23 May 2001 00:13:16 +1200 (NZST)
Received: from wi3x05.informatik.uni-wuerzburg.de (
[email protected] [132.187.106.5])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with SMTP id AAA01805
for <
[email protected]>; Wed, 23 May 2001 00:13:14 +1200 (NZST)
Received: (qmail 17316 invoked from network); 22 May 2001 12:12:48 -0000
Received: from wi3d28.informatik.uni-wuerzburg.de (HELO MUSA.informatik.uni-wuerzburg.de) (132.187.106.128)
by wi3x05.informatik.uni-wuerzburg.de with SMTP; 22 May 2001 12:12:48 -0000
Message-Id: <
[email protected]>
X-Sender:
[email protected]
X-Mailer: QUALCOMM Windows Eudora Version 4.3.1
Date: Tue, 22 May 2001 11:12:27 -0100
To:
[email protected],
[email protected]
From: Kurt Tutschku <
[email protected]>
Subject: Flowtime distribution and distribution-valued attributes
Cc:
[email protected]
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender:
[email protected]
Precedence: bulk
Dear NeTraMet and RTFM community,
I'm looking for more information on, or experience with, the new
"distribution-valued" attributes as defined in RFC 2724.
In particular, I'd like to measure the "Flowtime distribution" of certain
applications.
In detail, I have the following questions:
a) Specifying Distributions:
---------------------------------------
To clarify my view: when using the logarithmic transformation, as defined
in Section 3.2 of RFC 2724, the upper limits of each bucket are
defined as:
upper_limit_of_bucket_i = lower_limit * m^(i-1)
with
m = (upper_limit/lower_limit)^(1/(number_of_buckets-1))
where:
"lower_limit": the highest value for the first bucket
"upper_limit": the highest value for the last bucket
"number_of_buckets": the number of buckets; does not include the
'overflow' bucket.
Is this correct?
b) Flows and Streams:
---------------------------------
The new release of the NeTraMet meter is able to identify "Streams" in
"Flows"; see also Nevil Brownlee's new paper "Streams, Flows and Torrents", cf. [1].
I'm using NeTraMet Version 44b9.
My question is, has anyone experience in determining "StreamLastTime"
and tuning the variable "Interval" (which defines the end of a "Stream")?
Where can I find the compile-time variables for "InactTime" and
"TimeMultiplier" in NeTraMet?
During my tests with the "Flowtime" distribution attribute, sometimes
the distribution was empty (that means only a single "0" as output for
the complete distribution) and sometimes the distribution contained values.
Thus, here my question is: when is the distribution updated by the
meter? And when are the values printed/accessible?
Literature:
[1] Nevil Brownlee: "Streams, Flows and Torrents", in Proceedings of
PAM'2001, available at:
http://www.ripe.net/pam2001/program.html
Cheers
Kurt
----
Dr. Kurt Tutschku
Institute of Computer Science
Am Hubland
97074 Wuerzburg
Germany
Tel.: +49-931-8886641
FAX.: +49-931-8886632
mailto:
[email protected]
or
mailto:
[email protected]
http://www-info3.informatik.uni-wuerzburg.de/staff/tutschku
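As an added illustration of question (a) above (this is not part of Kurt's message and not NeTraMet code), the following Python computes the bucket upper limits using the formula exactly as it is written in the question and then bins a few flow durations into those buckets plus the overflow bucket. The parameter names lower_limit, upper_limit and number_of_buckets follow the question; the sample durations, the histogram helper and the bucket_index convention (a value equal to a bucket's upper limit falls into that bucket) are assumptions made for this example only.

```python
"""Logarithmic distribution buckets, as written in question (a) above (added example)."""


def bucket_upper_limits(lower_limit, upper_limit, number_of_buckets):
    """Upper limit of each of the number_of_buckets regular buckets.

    upper_limit_of_bucket_i = lower_limit * m^(i-1), i = 1..number_of_buckets,
    m = (upper_limit / lower_limit)^(1 / (number_of_buckets - 1)).
    Bucket 1 therefore tops out at lower_limit and the last bucket at
    upper_limit. The overflow bucket is not included in the list.
    """
    if number_of_buckets < 2:
        raise ValueError("need at least two buckets for the ratio m to be defined")
    if lower_limit <= 0 or upper_limit <= lower_limit:
        raise ValueError("need 0 < lower_limit < upper_limit")
    m = (upper_limit / lower_limit) ** (1.0 / (number_of_buckets - 1))
    return [lower_limit * m ** (i - 1) for i in range(1, number_of_buckets + 1)]


def bucket_index(value, limits):
    """0-based bucket for value; len(limits) denotes the overflow bucket.

    Convention assumed here: a value equal to a bucket's upper limit belongs
    to that bucket, anything above the last limit goes to the overflow bucket.
    """
    for i, top in enumerate(limits):
        if value <= top:
            return i
    return len(limits)


def histogram(values, lower_limit, upper_limit, number_of_buckets):
    """Return (limits, counts); counts has one extra entry for the overflow bucket."""
    limits = bucket_upper_limits(lower_limit, upper_limit, number_of_buckets)
    counts = [0] * (number_of_buckets + 1)
    for v in values:
        counts[bucket_index(v, limits)] += 1
    return limits, counts


# Constructed flow durations (arbitrary time units), used only to exercise the binning.
SAMPLE_FLOWTIMES = [0.5, 1.5, 3, 1000, 5000]

if __name__ == "__main__":
    # lower_limit=1, upper_limit=1024, 11 buckets gives m = 2: limits 1, 2, 4, ..., 1024
    limits, counts = histogram(SAMPLE_FLOWTIMES, 1, 1024, 11)
    for i, top in enumerate(limits):
        print(f"bucket {i + 1:2d}: <= {top:8.1f}  count {counts[i]}")
    print(f"overflow   : >  {limits[-1]:8.1f}  count {counts[-1]}")
```

With lower_limit=1, upper_limit=1024 and 11 buckets the ratio m comes out as 2, so the limits double from bucket to bucket; the constructed sample puts one duration in each of buckets 1, 2, 3 and 11 and one in the overflow bucket.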
From netramet-owner Wed May 23 01:59:41 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id BAA08170
for netramet-outgoing; Wed, 23 May 2001 01:57:08 +1200 (NZST)
Received: from mail1.neonramp.com (mail1.neonramp.com [204.248.20.12] (may be forged))
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id BAA08164
for <
[email protected]>; Wed, 23 May 2001 01:57:06 +1200 (NZST)
Received: from mitre.org (natasha.mitre.org [204.248.21.53] (may be forged))
by mail1.neonramp.com (8.11.2+3.4W/8.11.2) with ESMTP id f4MDrDA00187;
Tue, 22 May 2001 08:53:13 -0500 (CDT)
Message-ID: <
[email protected]>
Date: Tue, 22 May 2001 08:44:38 -0500
From: David Burgess <
[email protected]>
Organization: The MITRE Corporation
X-Mailer: Mozilla 4.75 [en]C-20000818M (Win95; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Colin Manning <
[email protected]>
CC: "'
[email protected]'" <
[email protected]>
Subject: Re: Quickstart hints for a newbie?
References: <F84C8F6293472D4DB5C8BF3E0C573D231939B6@per-oia-dc-01.int.officeinfo.com.au>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender:
[email protected]
Precedence: bulk
> Colin Manning wrote:
>
> Hi All,
>
> I'm trying to install NeTraMet 4.3 on RedHat Linux 7.0.
> I've configured, compiled and installed libpcap 0.4 and NeTraMet 4.3
> both from source.
>
> nifty won't compile because ./configure returns :
> --Snip--
> checking for IceConnectionNumber in -lICE... yes
> checking for XmStringFree in -lXm... no
> checking for Xm/XmStrDefs.h using X_CFLAGS... no
> >>>>> Motif not found: won't be able to build nifty
> checking for ANSI C header files...
> yes
>
> --Snip--
Easy short answer: Install Motif. You can either install the free one
from Motif, or you can install LessTif. There should be ports at the
FreeBSD website for both.
>
> I'm running XFree86-4.0.1 - is there a way around this - configure
> can't find libXm.so (because it does not exist).
>
> Apart from that NeTraMet and NeMaC appear to run. If I run start like
> this:
> NeTraMet -r test1 -w test2
> NeMaC -c120 -r rules.lan 192.168.0.93 test2
>
> I get :
> NeTraMet: Network Meter v4.3
> Running on per-oia-lx-crm.int.officeinfo.com.au, interface eth0
> 1400:42 ri[5]: '7', 25 rules
> 1400:42 ri[5]: '7', rhss = 10
> 1400:42 Manager 10, Current set 5
> 1400:42 '7' flows read by NeMaC
> Statistics
> Zeroed
> 1402:00 '7' flows read by NeMaC
> Statistics
> Zeroed
>
> So I assume the processes are communicating, but how do I review the
> results?
>
> The IP address of the PC running NeTraMet and NeMaC is 192.168.0.93
>
> The flow file contains:
> ##NeTraMet v4.3: -c120 -r rules.lan 192.168.0.93 eth0 10000 flows
> starting at 14:00:42 Tue 22 May 2001
> #Format: flowruleset flowindex firsttime sourcepeertype
> sourcepeeraddress destpeeraddress sourcetranstype sourcetransaddress
> desttransaddress topdus frompdus tooctets fromoctets
>
> #Time: 14:00:42 Tue 22 May 2001 192.168.0.93 Flows from 0 to 315
> #Ruleset: 5 7 rules.lan NeMaC
> #Stats: aps=0 apb=0 mps=0 mpb=0 lsp=0 avi=99.9 mni=100.0 fiu=0 frc=0
> gci=10 rpp=0.0 tpp=0.0 cpt=0.0 tts=8191 tsu=0
> #EndData: 192.168.0.93
> #Time: 14:02:00 Tue 22 May 2001 192.168.0.93 Flows from 314 to 8122
> #Stats: aps=0 apb=0 mps=0 mpb=0 lsp=0 avi=99.9 mni=100.0 fiu=0 frc=0
> gci=10 rpp=0.0 tpp=0.0 cpt=0.0 tts=8191 tsu=0
> #EndData: 192.168.0.93
> #Time: 14:04:00 Tue 22 May 2001 192.168.0.93 Flows from 8121 to 20129
> #Stats: aps=0 apb=0 mps=0 mpb=0 lsp=0 avi=99.9 mni=100.0 fiu=0 frc=0
> gci=10 rpp=0.0 tpp=0.0 cpt=0.0 tts=8191 tsu=0
> #EndData: 192.168.0.93
>
> Now for the question - What am I doing wrong?
You probably don't have any rules that are being satisfied.
> Is there a quickstart somewhere - All I want to do is see the numbers
> click over.
>
The quick way to start is to start with an SRL that has been modified to
meet your needs. Without more information, it's pretty hard to predict
what will happen.
It should also be noted that if the machine that the collector is
running on is on a switched network, then the only information it can
report is information about itself. The NeTraMet meter should be
running on a machine which has aggregated traffic (the inside of a
router, for example) and doesn't really do you any good unless you are
still running a collapsed shared network (at least at some point).
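As an added example (not code from NeTraMet, NeMaC or either poster), here is a small Python reader for the flow-file layout shown in Colin's message: the `#Format:` line names the columns, and each `#Time:` ... `#EndData:` pair brackets one collection interval with its `#Stats:` line. It counts the data rows inside every interval and lists the intervals that carried none, which is the symptom David describes when no rule is being satisfied. The sample file is constructed: its header lines are copied from the message, while the two data rows under the second `#Time:` block are invented and assume whitespace-separated values in `#Format:` order, an assumption about the row encoding rather than output from a real meter.

```python
"""Summarise a NeMaC flow-data file by collection interval (added example)."""
from dataclasses import dataclass, field

# Constructed sample: the header lines mirror the ones quoted in the thread;
# the two data rows under the second #Time: block are invented for this
# example and ASSUME whitespace-separated fields in #Format: order.
SAMPLE_FLOW_FILE = """\
##NeTraMet v4.3: -c120 -r rules.lan 192.168.0.93 eth0 10000 flows starting at 14:00:42 Tue 22 May 2001
#Format: flowruleset flowindex firsttime sourcepeertype sourcepeeraddress destpeeraddress sourcetranstype sourcetransaddress desttransaddress topdus frompdus tooctets fromoctets
#Time: 14:00:42 Tue 22 May 2001 192.168.0.93 Flows from 0 to 315
#Ruleset: 5 7 rules.lan NeMaC
#Stats: aps=0 apb=0 mps=0 mpb=0 lsp=0 avi=99.9 mni=100.0 fiu=0 frc=0 gci=10 rpp=0.0 tpp=0.0 cpt=0.0 tts=8191 tsu=0
#EndData: 192.168.0.93
#Time: 14:02:00 Tue 22 May 2001 192.168.0.93 Flows from 314 to 8122
5 12 1401 1 192.168.0.10 192.168.0.93 6 1234 80 10 8 1500 64000
5 13 1405 1 192.168.0.11 192.168.0.93 6 2345 25 4 3 320 4096
#Stats: aps=0 apb=0 mps=0 mpb=0 lsp=0 avi=99.9 mni=100.0 fiu=0 frc=0 gci=10 rpp=0.0 tpp=0.0 cpt=0.0 tts=8191 tsu=0
#EndData: 192.168.0.93
"""


@dataclass
class Interval:
    time: str           # timestamp text from the #Time: line
    meter: str          # meter address from the #Time: line
    flow_range: str     # "from X to Y" text from the #Time: line
    stats: dict = field(default_factory=dict)   # key -> value from #Stats:
    rows: list = field(default_factory=list)    # one dict per data row


def parse_flow_file(text):
    """Return (column_names, [Interval, ...]) for one NeMaC flow file."""
    columns = []
    intervals = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("##"):
            continue                        # blank line or the file banner
        if line.startswith("#Format:"):
            columns = line[len("#Format:"):].split()
        elif line.startswith("#Time:"):
            head, _, rng = line[len("#Time:"):].partition(" Flows from ")
            words = head.split()            # e.g. 14:00:42 Tue 22 May 2001 192.168.0.93
            current = Interval(time=" ".join(words[:-1]), meter=words[-1],
                               flow_range="from " + rng.strip())
            intervals.append(current)
        elif line.startswith("#Stats:"):
            if current is not None:
                for item in line[len("#Stats:"):].split():
                    key, _, value = item.partition("=")
                    current.stats[key] = float(value)
        elif line.startswith("#EndData:"):
            current = None                  # interval closed
        elif line.startswith("#"):
            continue                        # #Ruleset: and any other directive
        elif current is not None and columns:
            fields = line.split()
            if len(fields) == len(columns):     # skip rows that do not match #Format:
                current.rows.append(dict(zip(columns, fields)))
    return columns, intervals


def summarise(intervals):
    """Flow count and total octets (both directions) per interval."""
    result = []
    for iv in intervals:
        octets = sum(int(r["tooctets"]) + int(r["fromoctets"]) for r in iv.rows)
        result.append({"time": iv.time, "flows": len(iv.rows), "octets": octets})
    return result


def empty_intervals(intervals):
    """Times of intervals that carried no flow rows: the 'no rule matched' symptom."""
    return [iv.time for iv in intervals if not iv.rows]


if __name__ == "__main__":
    cols, ivs = parse_flow_file(SAMPLE_FLOW_FILE)
    for s in summarise(ivs):
        print(f"{s['time']}: {s['flows']} flows, {s['octets']} octets")
    print("intervals with no flows:", empty_intervals(ivs))
```

Rows whose field count disagrees with `#Format:` are dropped rather than guessed at, so a file written with a different ruleset or format line will show up as empty intervals instead of silently mis-labelled columns; check the `#Format:` line first when the summary looks wrong.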
From netramet-owner Fri May 25 02:22:52 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id CAA20770
for netramet-outgoing; Fri, 25 May 2001 02:15:40 +1200 (NZST)
Received: from budgie.cerbernet.co.uk (
[email protected] [193.243.233.95])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id CAA20764;
Fri, 25 May 2001 02:15:36 +1200 (NZST)
From:
[email protected]
Received: from localhost (localhost [127.0.0.1])
by budgie.cerbernet.co.uk (Postfix) with SMTP
id 04DA62FD3; Thu, 24 May 2001 15:14:35 +0100 (BST)
To:
[email protected]
Cc:
[email protected]
subject: re: Monitoring and reporting network usage
Message-Id: <
[email protected]>
Date: Thu, 24 May 2001 15:14:36 +0100 (BST)
Sender:
[email protected]
Precedence: bulk
Hi there,
Thanks to all those who replied to my first message. I have
a few points I wish to reply to and some new questions to ask.
As a reminder, I will say that my problem is finding a new
network traffic monitoring application - preferably a free one!
Some people asked me to explain my current setup a little
more. I have a 4.2-RELEASE FreeBSD box with a 600Mhz Pentium III
processor and 64Mb RAM. This is running 'Snuffle' by Thomas Ptacek
using a 100Mbit RTL8139-based network card.
We have a 2Mbit Internet connection supplied with a Cisco
router (we have no access to the router itself). We have plugged
this Cisco into a 10Mbit 4-port Netgear hub along with the FreeBSD
monitoring box and our main network switch.
The hub's collision light flashes 2 or 3 times every couple
of seconds.
The switch has various routers plugged into it, but basically
we have about 16 machines (50 IPs) in our network centre, about 40
IPs allocated to leased lines customers and about 70 IPs allocated
to ADSL customers.
According to MRTG readings from our main router, our average
traffic over the past few months is about 48kB/s in both directions.
However, if we look at the smaller time frames we see peaks sometimes
reaching nearly 200kB/s for output.
The problem we are seeing with Snuffle is that it seems to
be missing some traffic. On the above information, is the
assumption that the fault lies with Snuffle reasonable? Could the
problem actually be that our machine simply cannot log all the
traffic that passes through it? What are your opinions in running
NeTraMet in the above situation?
Thanks in advance,
--
Sean Kelly
From netramet-owner Fri May 25 03:43:45 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id DAA25626
for netramet-outgoing; Fri, 25 May 2001 03:41:40 +1200 (NZST)
Received: from rm-rstar.sfu.ca (
[email protected] [142.58.120.21])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id DAA25618;
Fri, 25 May 2001 03:41:39 +1200 (NZST)
Received: from fraser.sfu.ca (
[email protected] [142.58.101.25])
by rm-rstar.sfu.ca (8.10.1/8.10.1/SFU-5.0H) with ESMTP id f4OFfYe20884;
Thu, 24 May 2001 08:41:34 -0700 (PDT)
From: Peter Van Epp <
[email protected]>
Received: (from vanepp@localhost)
by fraser.sfu.ca (8.9.2/8.9.2/SFU-5.0C) id IAA23847;
Thu, 24 May 2001 08:41:33 -0700 (PDT)
Message-Id: <
[email protected]>
Subject: Re: Monitoring and reporting network usage
To:
[email protected]
Date: Thu, 24 May 2001 08:41:33 -0700 (PDT)
Cc:
[email protected]
In-Reply-To: <
[email protected]> from "
[email protected]" at May 24, 2001 03:14:36 PM
X-Mailer: ELM [version 2.5 PL4]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender:
[email protected]
Precedence: bulk
>
> Hi there,
>
> Thanks to all those who replied to my first message. I have
> a few points I wish to reply to and some new questions to ask.
>
> As a reminder, I will say that my problem is finding a new
> network traffic monitoring application - preferably a free one!
>
> Some people asked me to explain my current setup a little
> more. I have a 4.2-RELEASE FreeBSD box with a 600Mhz Pentium III
> processor and 64Mb RAM. This is running 'Snuffle' by Thomas Ptacek
> using a 100Mbit RTL8139-based network card.
^^^^^^^^^^^^^^
This is likely your problem. Try changing it to an Intel Etherexpress
or (best) a 3com 905B. Either of them will do almost 100 (and the almost is
a FreeBSDism, they will do full 100 under RedHat Linux). Assuming this is
the Realtek chip (as used in for instance the Allied Telesyn NICs) the chipset/
driver (I don't know which) loses traffic at high volumes on receive (they
will transmit full 100). There is also a bpf bug on select in the FreeBSD
kernel if your application uses select instead of polling libpcap. A patch
is available (and works for me) in the FreeBSD bug report kern/22063.
Once your hardware is up to snuff then you can start blaming the
software :-). tcpreplay (www.anzen.com/research/nidsbench as I recall) is
a useful tool for testing your hardware since it will replay a tcpdump file
at variable speeds so you can verify that your hardware is in fact able
to capture the data at full speed (that's how I know that RedHat will capture
at a full 100 when FreeBSD won't for instance). An rmon probe is a useful
adjunct to this so you are sure the packets are in fact making it to the
wire as well.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
From netramet-owner Fri May 25 09:07:33 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id JAA24819
for netramet-outgoing; Fri, 25 May 2001 09:05:12 +1200 (NZST)
Received: from mail.arc.nasa.gov (pony1.arc.nasa.gov [143.232.48.201])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id JAA24784
for <[email protected]>; Fri, 25 May 2001 09:05:07 +1200 (NZST)
Received: from arc.nasa.gov (jtoung.arc.nasa.gov [128.102.196.181])
by mail.arc.nasa.gov (8.9.3/8.9.3) with ESMTP id OAA12775;
Thu, 24 May 2001 14:05:04 -0700 (PDT)
Message-ID: <[email protected]>
Date: Thu, 24 May 2001 14:05:19 -0700
From: Jerry Toung <[email protected]>
Reply-To: [email protected]
X-Mailer: Mozilla 4.7 (Macintosh; U; PPC)
X-Accept-Language: en
MIME-Version: 1.0
To: [email protected]
CC: [email protected]
Subject: NeTraMet & CoralReef: crl_ntm
Content-Type: multipart/alternative;
boundary="------------D577710EAE669DDD9DE7DA54"
Sender: [email protected]
Precedence: bulk
Hi,
I am trying to do live traffic capture with a DAG3.2 card using NeTraMet
on top of CoralReef.
I am working with NeTraMet44b9 and try to run crl_ntm with the following
command:
[root@nren-mon4 meter]# crl_ntm -m xxx -C "source crl:/dev/dag0
phy=ATM,bw=OC3c" -r %s -w %s -S /dev/dag0
NeTraMet: CoralReef Meter 4.4b9
coral: /dev/dag0: illegal physical type: UNKNOWN
Segmentation fault (core dumped)
[root@nren-mon4 meter]#
It doesn't work. Does anyone have an idea on how to pass the
arguments/use that application?
Thanks in advance.
Jerry.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jerry Toung NASA Ames Research Center
phone : (650) 604-1310 NASA Research & Education Network
Fax : (650) 604-3080 Mail Stop 233-21
Email : [email protected] Moffet Field, CA 94035-1000
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From netramet-owner Fri May 25 10:19:16 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id KAA12818
for netramet-outgoing; Fri, 25 May 2001 10:17:13 +1200 (NZST)
Received: from caida.org (ipn.caida.org [192.172.226.30])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id KAA12808
for <[email protected]>; Fri, 25 May 2001 10:17:11 +1200 (NZST)
Received: from localhost (nevil@localhost)
by caida.org (8.9.3+Sun/8.9.1) with ESMTP id PAA29628;
Thu, 24 May 2001 15:17:07 -0700 (PDT)
Date: Thu, 24 May 2001 15:17:07 -0700 (PDT)
From: Nevil Brownlee <[email protected]>
To: Jerry Toung <[email protected]>
cc: <[email protected]>, <[email protected]>
Subject: Re: NeTraMet & CoralReef: crl_ntm
In-Reply-To: <[email protected]>
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk
Hi Jerry:
1) I've just posted a new beta distribution file, 44b10;
please use that if you're working with Dag/CoralReef
2) I normally start crl_ntm with parameters like this:
sudo ./crl_ntm -S /dev/point1 -w w_comm
Note that -S device_name is a lot easier than -C coral_params
if you only want to specify the source name. If you have
more than one Dag card you just use -S dev1 -S dev2
Cheers, Nevil
-------------------------------------------------------------
Nevil Brownlee Internet Researcher
Phone: (858) 534 8338 CAIDA, San Diego
On Thu, 24 May 2001, Jerry Toung wrote:
> Hi,
> I am trying to do live traffic capture with a DAG3.2 card using NeTraMet
> on top of CoralReef.
> I am working with NeTraMet44b9 and try to run crl_ntm with the following
> command:
>
> [root@nren-mon4 meter]# crl_ntm -m xxx -C "source crl:/dev/dag0
> phy=ATM,bw=OC3c" -r %s -w %s -S /dev/dag0
> NeTraMet: CoralReef Meter 4.4b9
> coral: /dev/dag0: illegal physical type: UNKNOWN
> Segmentation fault (core dumped)
> [root@nren-mon4 meter]#
>
> It doesn't work. Does anyone have an idea on how to pass the
> arguments/use that application?
> Thanks in advance.
> Jerry.
>
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Jerry Toung NASA Ames Research Center
> phone : (650) 604-1310 NASA Research & Education Network
> Fax : (650) 604-3080 Mail Stop 233-21
> Email : [email protected] Moffet Field, CA 94035-1000
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>
From netramet-owner Fri May 25 10:40:47 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id KAA17988
for netramet-outgoing; Fri, 25 May 2001 10:39:34 +1200 (NZST)
Received: from mail.arc.nasa.gov (pony1.arc.nasa.gov [143.232.48.201])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id KAA17974
for <[email protected]>; Fri, 25 May 2001 10:39:32 +1200 (NZST)
Received: from arc.nasa.gov (jtoung.arc.nasa.gov [128.102.196.181])
by mail.arc.nasa.gov (8.9.3/8.9.3) with ESMTP id PAA28354;
Thu, 24 May 2001 15:39:16 -0700 (PDT)
Message-ID: <[email protected]>
Date: Thu, 24 May 2001 15:39:37 -0700
From: Jerry Toung <[email protected]>
Reply-To: [email protected]
X-Mailer: Mozilla 4.7 (Macintosh; U; PPC)
X-Accept-Language: en
MIME-Version: 1.0
To: Nevil Brownlee <[email protected]>
CC: [email protected], [email protected]
Subject: Re: NeTraMet & CoralReef: crl_ntm
References: <[email protected]>
Content-Type: multipart/alternative;
boundary="------------4348F1CC04B9009C885822AB"
Sender: [email protected]
Precedence: bulk
Hi Nevil,
I am now working with 4.4b10.
[root@nren-mon4 meter]# crl_ntm -S /dev/dag0 -w write
NeTraMet: CoralReef Meter 4.4b10
coral: /dev/dag0: illegal physical type: UNKNOWN
Segmentation fault (core dumped)
[root@nren-mon4 meter]# dagphy -d /dev/dag0
/dev/dag0 Phy device mode: OC3c ATM
Facility Loopback: Off
Use Recovered Sonet Clock: Off
I know that even with the CoralReef software I had to specify the physical
and bandwidth parameters, therefore:
[root@nren-mon4 meter]# crl_ntm -S /dev/dag0 -w write -C 'iomode
phy=ATM,bw=OC3c'
NeTraMet: CoralReef Meter 4.4b10
2232:19 1 coral interfaces opened
Running on nren-mon4.nren.nasa.gov, interface(s) /dev/dag0 (DAG card)
+++ read_live_block(0): first_block, ncells=16384, t=4096.000000
2234:28 +++ read_live_block(0): first_block, ncells=16384, t=4096.000000
2234:28 === block(0), eagains=6456; 0: cells=16384, t=4096.000000
init_live_sources() first blocks read
*** interface_read_live(0): ncells=16383, save_t=4096.000000, ts=0.000000
2234:28 *** interface_read_live(0): ncells=16383, save_t=4096.000000,
ts=0.000000
2234:28 !!! interface_read_live(0): Next 2 cell-time pairs OK, bad time
ignored
*** interface_read_live(0): ncells=16382, save_t=4096.000000,
ts=990768738.251084
And here we go. Thanks for the hint.
Now let's download some rulesets.
Thanks a lot,
Jerry.
Nevil Brownlee wrote:
> Hi Jerry:
>
> 1) I've just posted a new beta distribution file, 44b10;
> please use that if you're working with Dag/CoralReef
>
> 2) I normally start crl_ntm with parameters like this:
>
> sudo ./crl_ntm -S /dev/point1 -w w_comm
>
> Note that -S device_name is a lot easier than -C coral_params
> if you only want to specify the source name. If you have
> more than one Dag card you just use -S dev1 -S dev2
>
> Cheers, Nevil
>
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jerry Toung NASA Ames Research Center
phone : (650) 604-1310 NASA Research & Education Network
Fax : (650) 604-3080 Mail Stop 233-21
Email : [email protected] Moffet Field, CA 94035-1000
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From netramet-owner Fri May 25 12:27:09 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id MAA15327
for netramet-outgoing; Fri, 25 May 2001 12:25:24 +1200 (NZST)
Received: from caida.org (ipn.caida.org [192.172.226.30])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id MAA14557;
Fri, 25 May 2001 12:22:18 +1200 (NZST)
Received: from localhost (nevil@localhost)
by caida.org (8.9.3+Sun/8.9.1) with ESMTP id RAA03061;
Thu, 24 May 2001 17:22:16 -0700 (PDT)
Date: Thu, 24 May 2001 17:22:16 -0700 (PDT)
From: Nevil Brownlee <[email protected]>
To: Kurt Tutschku <[email protected]>
cc: <[email protected]>, <[email protected]>
Subject: Re: Flowtime distribution and distribution-valued attributes
In-Reply-To: <[email protected]>
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk
Hello Kurt:
I've just produced a first - very preliminary - version of a
distribution file for those wishing to use distribution-valued
attributes. It's on the distribution site as
beta-versions/distrib-progs.tar.gz
It contains a .txt file with fairly lengthy notes, copies of the
srl rulesets used for my PAM2001 papers, and my perl programs
for working with the distributions.
Do please try the rulesets - you'll have to change the IP netblocks
to suit your own network, of course. I suggest you start with
data-rate.srl. (Of course you may find it quicker/easier to write
your own scripts for processing flow data files which contain
distributions :-)
> a) Specifying Distributions:
> ---------------------------------------
> To clarify my view: when using the logarithmic transformation, as defined
> in Section 3.2 of RFC 2724, the upper limits of each bucket are
> defined as:
>
> upper_limit_of_bucket_i = lower_limit * m^(i-1)
>
> with
>
> m = (upper_limit/lower_limit)^(1/(number_of_buckets-1))
>
> where:
> "lower_limit": highest value for the first bucket
> "upper_limit": is the highest value for the last bucket
> "number_of_buckets": Number of buckets; does not include the
> 'overflow' bucket.
>
> Is this correct?
Yes. distrib-progs contains a script called scale_test.pl which
will compute and display the upper values for each bin for a given
set of distribution parameters.
> b) Flows and Streams:
> ---------------------------------
>
> The new release of the NeTraMet meter is able to identify "Streams" in
> "Flows" , see
> also Nevil Brownlee's new paper "Streams, Flows and Torrents", cf. [1].
>
> I'm using NeTraMet Version 44b9
> My questions is, has any one experience in the determination of
> "StreamLastTime" and the tuning the variable "Interval" (which defines
> the end of a
> "Stream")?
I did quite a bit of testing of this, without coming to any definite
conclusions. That's why all I could say at PAM was "using any dynamic
timeout scheme means making some assumption(s) about the time behaviour
of the streams!"
> Literature:
> [1] Nevil Brownlee: "Streams, Flows and Torrents" in Proceedings of
> PAM'2001 available
> at: http://www.ripe.net/pam2001/program.html
Cheers, Nevil
-------------------------------------------------------------
Nevil Brownlee Internet Researcher
Phone: (858) 534 8338 CAIDA, San Diego
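The bucket scale Kurt states and Nevil confirms above, worked through in Python as an added example. It is not scale_test.pl from distrib-progs (whose output format is not shown in the thread) and not NeTraMet code; the function names, the packet-size parameters (64 to 2048 bytes, 6 buckets) and the sample values are constructed for the illustration. It also adds the overflow bucket for values above upper_limit, which the formula itself does not cover.

```python
"""RFC 2724 logarithmic distribution buckets, as confirmed in the reply above.

    upper_limit_of_bucket_i = lower_limit * m^(i-1)
    m = (upper_limit / lower_limit)^(1 / (number_of_buckets - 1))

so bucket 1 ends at lower_limit, bucket n ends at upper_limit, and an
extra 'overflow' bucket collects values above upper_limit.  Added example,
not code from NeTraMet or distrib-progs; names and sample data are made up.
"""
import bisect


def log_upper_limits(lower_limit, upper_limit, n_buckets):
    """Upper limits of buckets 1..n_buckets (0-indexed list), overflow excluded."""
    if n_buckets < 2 or lower_limit <= 0 or upper_limit <= lower_limit:
        raise ValueError("need n_buckets >= 2 and 0 < lower_limit < upper_limit")
    m = (upper_limit / lower_limit) ** (1.0 / (n_buckets - 1))
    # i runs 1..n in the RFC's formula; range(n) supplies i-1 directly.
    return [lower_limit * m ** i for i in range(n_buckets)]


def bucket_index(value, limits):
    """0-based bucket whose upper limit is the first one >= value.

    Returns len(limits) for the overflow bucket (value > upper_limit).
    bisect_left returns the first position whose limit is >= value, which
    is exactly the 'value <= upper limit of bucket' test.
    """
    return bisect.bisect_left(limits, value)


def histogram(values, limits):
    """Counts per bucket; the last entry is the overflow bucket."""
    counts = [0] * (len(limits) + 1)
    for v in values:
        counts[bucket_index(v, limits)] += 1
    return counts


def ratio_between_buckets(limits):
    """The multiplier m recovered from the computed limits (sanity check)."""
    return limits[1] / limits[0]


# Constructed parameters: packet sizes in bytes, 6 buckets from 64 to 2048.
# 2048/64 = 32 = 2^5, so each bucket's upper limit is double the previous one.
PKT_LOWER, PKT_UPPER, PKT_BUCKETS = 64, 2048, 6
PKT_LIMITS = log_upper_limits(PKT_LOWER, PKT_UPPER, PKT_BUCKETS)

# Constructed sample packet sizes (not measured traffic): 40 and 64 both fall
# in the first bucket, 9000 (a jumbo frame) is above upper_limit -> overflow.
SAMPLE_SIZES = [40, 64, 100, 576, 1500, 9000]


def demo():
    return histogram(SAMPLE_SIZES, PKT_LIMITS)


if __name__ == "__main__":
    for i, upper in enumerate(PKT_LIMITS, start=1):
        print(f"bucket {i}: <= {upper:.1f}")
    print(f"overflow: > {PKT_LIMITS[-1]:.1f}")
    print("histogram:", demo())
```

Because m is computed with a fractional exponent, the limits are floating-point values that are only approximately powers of two; a value sitting exactly on a computed boundary can land on either side, so compare limits with a tolerance rather than for equality when checking a scale against another implementation.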
From netramet-owner Fri May 25 22:49:39 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id WAA10735
for netramet-outgoing; Fri, 25 May 2001 22:47:06 +1200 (NZST)
Received: from mail.zrz.tu-berlin.de (mail.zrz.TU-Berlin.DE [130.149.4.15])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id WAA10730
for <[email protected]>; Fri, 25 May 2001 22:47:04 +1200 (NZST)
Received: from wncs.zrz.tu-berlin.de ([130.149.2.12])
by mail.zrz.tu-berlin.de with esmtp (exim-3.22)
for <[email protected]>
id 153F72-0003GG-00; Fri, 25 May 2001 12:46:32 +0200
Received: from wncs.zrz.TU-Berlin.DE by wncs.zrz.TU-Berlin.DE (8.8.8/ZRZ-Gen-8)
with ESMTP id MAA14306 for <[email protected]>;
Fri, 25 May 2001 12:46:31 +0200 (MET DST)
Message-Id: <[email protected]>
X-Mailer: exmh version 2.1.1 10/15/1999
To: [email protected]
Subject: Re: Monitoring and reporting network usage
In-reply-to: Your message of "Thu, 24 May 2001 15:14:36 BST"
<[email protected]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 25 May 2001 12:46:31 +0200
From: Dieter Kasielke <[email protected]>
Sender: [email protected]
Precedence: bulk
Hello,
some experiences with losing traffic in a similar environment,
although traffic is somewhat higher:
- PC with 800 Mhz P-III & onboard Intel 100BTX, running OpenBSD 2.8
- packets are sniffed from a monitor port of a switch, which copies
all the traffic to/from the internet access router
- traffic (input + output) averages 10k packets/s, with peaks up
to 30k packets/s (corresponds to about 25 - 75 Mbit/s)
There was a loss of about 0.2 percent of the packets as reported by
NeTraMet, with no loss reported by netstat, using the sw as released.
What finally worked to eliminate packet loss (as indicated by NeTraMet's
statistics, "lsp=0"), was to recompile libpcap (pcap-bpf.c). As released
with OpenBSD 2.8, libpcap requested 32k buffer space. Increasing this to
512k did the job for me.
Dieter Kasielke
On Thu, 24 May 2001 15:14:36 BST [email protected] wrote:
> Hi there,
>
> Thanks to all those who replied to my first message. I have
> a few points I wish to reply to and some new questions to ask.
>
> As a reminder, I will say that my problem is finding a new
> network traffic monitoring application - preferably a free one!
>
> Some people asked me to explain my current setup a little
> more. I have a 4.2-RELEASE FreeBSD box with a 600Mhz Pentium III
> processor and 64Mb RAM. This is running 'Snuffle' by Thomas Ptacek
> using a 100Mbit RTL8139-based network card.
>
> We have a 2Mbit Internet connection supplied with a Cisco
> router (we have no access to the router itself). We have plugged
> this Cisco into a 10Mbit 4-port Netgear hub along with the FreeBSD
> monitoring box and our main network switch.
>
> The hub's collision light flashes 2 or 3 times every couple
> of seconds.
>
> The switch has various routers plugged into it, but basically
> we have about 16 machines (50 IPs) in our network centre, about 40
> IPs allocated to leased lines customers and about 70 IPs allocated
> to ADSL customers.
>
> According to MRTG readings from our main router, our average
> traffic over the past few months is about 48kB/s in both directions.
> However, if we look at the smaller time frames we see peaks sometimes
> reaching nearly 200kB/s for output.
>
> The problem we are seeing with Snuffle is that it seems to
> be missing some traffic. On the above information, is the
> assumption that the fault lies with Snuffle reasonable? Could the
> problem actually be that our machine simply cannot log all the
> traffic that passes through it? What are your opinions on running
> NeTraMet in the above situation?
>
> Thanks in advance,
>
> --
> Sean Kelly
---
Dieter Kasielke, ZRZ (Zentraleinrichtung Rechenzentrum), Sekr.: EN 50,
Technische Universitaet Berlin, Einsteinufer 17, D-10587 Berlin, GERMANY.
email: [email protected], phone: +49 30 314 - 23733, fax: - 21060
From netramet-owner Sat May 26 02:35:21 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id CAA21609
for netramet-outgoing; Sat, 26 May 2001 02:32:02 +1200 (NZST)
Received: from nis-master.office-mail.co.uk (nis-master.office-mail.co.uk [217.15.160.51])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id CAA21594
for <[email protected]>; Sat, 26 May 2001 02:31:59 +1200 (NZST)
From: [email protected]
Received: from localhost (localhost [127.0.0.1])
by nis-master.office-mail.co.uk (Postfix) with SMTP id C40821D632
for <[email protected]>; Fri, 25 May 2001 15:29:44 +0100 (BST)
To: [email protected]
subject: Re: Monitoring and reporting network usage
Message-Id: <[email protected]>
Date: Fri, 25 May 2001 15:29:44 +0100 (BST)
Sender: [email protected]
Precedence: bulk
Hi there,
In response to Dieter Kasielke's comments, after looking
at 'netstat -di' I see that interface 'rl0' (my RTL8139 card)
has:
Ipkts 945368015
Ierrs 0
Opkts 294719
Oerrs 2
Coll 0
Drop 0
so does this mean that 0 packets are being dropped?
Thanks,
--
Sean Kelly
From netramet-owner Sat May 26 03:41:37 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id DAA25190
for netramet-outgoing; Sat, 26 May 2001 03:40:13 +1200 (NZST)
Received: from rm-rstar.sfu.ca ([email protected] [142.58.120.21])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id DAA25184
for <[email protected]>; Sat, 26 May 2001 03:40:12 +1200 (NZST)
Received: from fraser.sfu.ca ([email protected] [142.58.101.25])
by rm-rstar.sfu.ca (8.10.1/8.10.1/SFU-5.0H) with ESMTP id f4PFe9e00310
for <[email protected]>; Fri, 25 May 2001 08:40:09 -0700 (PDT)
From: Peter Van Epp <[email protected]>
Received: (from vanepp@localhost)
by fraser.sfu.ca (8.9.2/8.9.2/SFU-5.0C) id IAA11100
for [email protected]; Fri, 25 May 2001 08:40:09 -0700 (PDT)
Message-Id: <[email protected]>
Subject: Re: Monitoring and reporting network usage
To: [email protected]
Date: Fri, 25 May 2001 08:40:09 -0700 (PDT)
In-Reply-To: <[email protected]> from "[email protected]" at May 25, 2001 03:29:44 PM
X-Mailer: ELM [version 2.5 PL4]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Precedence: bulk
Unfortunately it means that the kernel doesn't think it has dropped
any packets. In the case on FreeBSD where I was losing packets (which I know
because I had a measured number of input packets and an external monitor that
saw they correctly made the interface on the machine) some packets didn't make
the bpf interface (I'd added a counter to syslog in there for debug purposes)
which correctly reported bpf didn't drop any, and I couldn't find any reported
error stats from the kernel but packets were dropped. This could also mean
that the kernel didn't drop any packets, but that bpf did (it will report
such in the status output from libpcap) or that libpcap didn't but the
application (netramet, tcpdump, argus etc.) did and may or may not have
reported it (I believe the 3 listed will all report drops if there are any).
You unfortunately have lots of degrees of freedom for losing packets between
the wire and your application (as was pointed out, the bpf buffer size is a
common one, but libpcap also reports such) :-) Supplying a known number and
speed of packets (and having an independent monitor to verify they are making
it to the wire correctly such as a wire speed router or switch with rmon) is
really the only way of verifying your performance.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
>
> Hi there,
>
> In response to Dieter Kasielke's comments, after looking
> at 'netstat -di' I see that interface 'rl0' (my RTL8139 card)
> has:
>
> Ipkts 945368015
> Ierrs 0
> Opkts 294719
> Oerrs 2
> Coll 0
> Drop 0
>
> so does this mean that 0 packets are being dropped?
>
> Thanks,
>
> --
> Sean Kelly
>
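Peter's point above (a zero in netstat or in the bpf statistics only says that one layer saw no loss; the proof is to replay a known number of packets and count what the monitor actually recorded) and Dieter's 0.2 percent figure can be checked with a small script. The following is an added example, not part of the thread and not code from NeTraMet, tcpreplay or libpcap: it parses tcpdump/libpcap savefiles with the Python standard library only, compares the replayed file against the monitor's own capture, and also flags records the monitor cut short because its snaplen was too small. The savefile builder and the 1000-frame sample with two missing frames are constructed for the demonstration.

```python
"""Compare a replayed tcpdump savefile with what the monitor captured.

Added example, not code from NeTraMet, tcpreplay or libpcap.  The savefile
layout is the classic libpcap format: a 24-byte global header (magic,
version 2.4, thiszone, sigfigs, snaplen, linktype) followed by records of a
16-byte header (ts_sec, ts_frac, incl_len, orig_len) plus incl_len bytes.
"""
import struct
from dataclasses import dataclass

# Magic as read with "<I" -> (byte order of the whole file, timestamp fraction unit).
PCAP_MAGIC = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian file, microseconds
    0xD4C3B2A1: (">", 1_000_000),      # big-endian file, microseconds
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian file, nanoseconds
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian file, nanoseconds
}
GLOBAL_HDR = 24
RECORD_HDR = 16


@dataclass
class CaptureSummary:
    packets: int
    wire_bytes: int      # sum of orig_len: what was on the wire
    truncated: int       # records with incl_len < orig_len (snaplen too small)
    first_ts: float
    last_ts: float

    @property
    def duration(self):
        return self.last_ts - self.first_ts


def read_pcap(data):
    """Walk every record of a savefile held in memory and summarise it."""
    if len(data) < GLOBAL_HDR:
        raise ValueError("file shorter than the pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGIC:
        raise ValueError(f"not a pcap savefile (magic {magic:#010x})")
    endian, frac_unit = PCAP_MAGIC[magic]
    _major, _minor, _zone, _sigfigs, snaplen, _linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HDR])
    packets = wire_bytes = truncated = 0
    first_ts = last_ts = None
    off = GLOBAL_HDR
    while off < len(data):
        if off + RECORD_HDR > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HDR])
        off += RECORD_HDR
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError(f"bad incl_len {incl_len} at offset {off - RECORD_HDR}")
        ts = ts_sec + ts_frac / frac_unit
        first_ts = ts if first_ts is None else first_ts
        last_ts = ts
        packets += 1
        wire_bytes += orig_len
        if incl_len < orig_len:
            truncated += 1
        off += incl_len
    return CaptureSummary(packets, wire_bytes, truncated, first_ts or 0.0, last_ts or 0.0)


def loss_report(sent, seen):
    """Packets the monitor missed, relative to the file that was replayed.

    A negative 'lost' means the monitor saw frames that were not in the
    replay (other hosts on a shared hub, for instance), so the comparison
    only works on a quiet segment or with the replay traffic filtered out.
    """
    lost = sent.packets - seen.packets
    pct = 100.0 * lost / sent.packets if sent.packets else 0.0
    return {"sent": sent.packets, "captured": seen.packets, "lost": lost,
            "loss_pct": pct, "truncated": seen.truncated}


def build_pcap(frames, snaplen=65535, endian="<"):
    """Write a classic microsecond savefile (linktype 1 = Ethernet) from (ts, frame) pairs."""
    out = [struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)]
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        captured = frame[:snaplen]
        out.append(struct.pack(endian + "IIII", sec, usec, len(captured), len(frame)))
        out.append(captured)
    return b"".join(out)


def sample_files():
    """Constructed data, not a real capture: 1000 64-byte frames replayed at
    10 000 pkt/s, and a monitor file that missed frames 500 and 501, i.e. the
    0.2 percent loss Dieter mentions above."""
    frames = [(1.0 + i / 10_000, bytes([i & 0xFF]) * 64) for i in range(1000)]
    return build_pcap(frames), build_pcap(frames[:500] + frames[502:])


if __name__ == "__main__":
    replayed, captured = sample_files()
    print(loss_report(read_pcap(replayed), read_pcap(captured)))
```

In a real test the first file is the one handed to tcpreplay and the second is written on the monitor with tcpdump -w (or whatever the meter host uses to dump its input); counting both ends is what turns "the kernel reports Drop 0" into a measurement, and the truncated counter separates snaplen clipping, which costs payload but not packets, from genuine loss.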
From netramet-owner Sat May 26 20:09:25 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id UAA18212
for netramet-outgoing; Sat, 26 May 2001 20:06:24 +1200 (NZST)
Received: from mail.zrz.tu-berlin.de (mail.zrz.TU-Berlin.DE [130.149.4.15])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id UAA18204
for <[email protected]>; Sat, 26 May 2001 20:06:22 +1200 (NZST)
Received: from wncs.zrz.tu-berlin.de ([130.149.2.12])
by mail.zrz.tu-berlin.de with esmtp (exim-3.22)
for <[email protected]>
id 153Z53-0002Cm-00; Sat, 26 May 2001 10:05:49 +0200
Received: from wncs.zrz.TU-Berlin.DE by wncs.zrz.TU-Berlin.DE (8.8.8/ZRZ-Gen-8)
with ESMTP id KAA10328 for <[email protected]>;
Sat, 26 May 2001 10:05:49 +0200 (MET DST)
Message-Id: <[email protected]>
X-Mailer: exmh version 2.1.1 10/15/1999
To: [email protected]
Subject: Re: Monitoring and reporting network usage
In-reply-to: Your message of "Fri, 25 May 2001 08:40:09 PDT"
<[email protected]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sat, 26 May 2001 10:05:49 +0200
From: Dieter Kasielke <[email protected]>
Sender: [email protected]
Precedence: bulk
On Fri, 25 May 2001 08:40:09 PDT Peter Van Epp wrote:
[...]
> Supplying a know number and
> speed of packets (and having an independent monitor to verify they are making
> it to the wire correctly such as a wire speed router or switch with rmon) is
> really the only way of verifying your performance.
[...]
That's certainly true and you should take a _good_ monitor ;-).
I did not really need 100% accuracy and simply wanted to eliminate
the most obvious cause for losing packets regularly on a machine
dedicated to NeTraMet. For me this has been achieved and in fact
the data produced by NeTraMet/NeMaC are much more complete than
those from Cisco Netflow (how could I ever trust them?).
Dieter Kasielke
---
Dieter Kasielke, ZRZ (Zentraleinrichtung Rechenzentrum), Sekr.: EN 50,
Technische Universitaet Berlin, Einsteinufer 17, D-10587 Berlin, GERMANY.
email: [email protected], phone: +49 30 314 - 23733, fax: - 21060
From netramet-owner Tue May 29 08:06:53 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id IAA21234
for netramet-outgoing; Tue, 29 May 2001 08:02:00 +1200 (NZST)
Received: from ncc-consulting.de (mailsrv.ncc-consulting.de [213.68.34.137])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with SMTP id IAA21208
for <[email protected]>; Tue, 29 May 2001 08:01:57 +1200 (NZST)
Received: (qmail 18230 invoked from network); 28 May 2001 20:02:09 -0000
Received: from unknown (HELO pcmobil) (212.224.51.90)
by mailsrv.ncc-consulting.de with SMTP; 28 May 2001 20:02:09 -0000
From: "Valentin Saca" <[email protected]>
To: <[email protected]>
Subject: False SourcePeerAddress and DestPeerAddress
Date: Mon, 28 May 2001 22:00:25 +0200
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Sender: [email protected]
Precedence: bulk
Hello everybody,
I started NeTraMet at last, but now I have a new problem. In the flow-file
the SourcePeerAddress and DestPeerAddress are 0.0.0.0 . This doesn't match
my settings because they should be 192.168.0.50 and 192.168.0.1 . I used the
following rule-file:
# 1445, Mon 9 Jan 95
#
# Default rule file for NetraMet (built in to the meter)
#
# Nevil Brownlee, Computer Centre, The University of Auckland
#
SET 1
#
RULES
SourcePeerType & 255 = dummy: Ignore, 0; # Ignore meter's dummy pkts
Null & 0 = 0: GotoAct, Next;
SourcePeerType & 255 = 0: CountPkt, 0;
#
STATISTICS
#
FORMAT FlowRuleSet FlowIndex FirstTime " " SourcePeerType SourcePeerAddress
DestPeerType DestPeerAddress;
#
# end of file
I am running an Apache Webserver on the meter and create flows by making
requests to the Webserver. Is this rule-file suited for these purposes?
If you have some tips or a solution please don't hesitate to mail,
Best regards
Valentin