From netramet-owner Wed Jun 6 06:59:41 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id GAA03190
for netramet-outgoing; Wed, 6 Jun 2001 06:54:14 +1200 (NZST)
Received: from mail.arc.nasa.gov (pony1.arc.nasa.gov [143.232.48.201])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id GAA03184
for <
[email protected]>; Wed, 6 Jun 2001 06:54:12 +1200 (NZST)
Received: from arc.nasa.gov (jtoung.arc.nasa.gov [128.102.196.181])
by mail.arc.nasa.gov (8.9.3/8.9.3) with ESMTP id LAA20465;
Tue, 5 Jun 2001 11:54:07 -0700 (PDT)
Message-ID: <
[email protected]>
Date: Tue, 05 Jun 2001 11:54:18 -0700
From: Jerry Toung <
[email protected]>
Reply-To:
[email protected]
X-Mailer: Mozilla 4.7 (Macintosh; U; PPC)
X-Accept-Language: en
MIME-Version: 1.0
To: NeTraMet <
[email protected]>
CC:
[email protected]
Subject: NeTraMet (crl_ntm) and DAG cards at OC12c
Content-Type: multipart/alternative;
boundary="------------C879850F18C01B0784E26C11"
Sender:
[email protected]
Precedence: bulk
--------------C879850F18C01B0784E26C11
Content-Type: text/plain; charset=us-ascii; x-mac-type="54455854"; x-mac-creator="4D4F5353"
Content-Transfer-Encoding: 7bit
Hi,
Is anyone else using NeTraMet (crl_ntm) to capture traffic with the DAG
cards at OC12?
I can't get it to work, or should I say it's looping at a select()
statement every time I've run it, then exits after 20 minutes.
Is there a trick I am missing?
[root@nren-mon4 meter]# crl_ntm -S /dev/dag0 -w xxxxx -C 'iomode
phy=ATM,bw=OC12c' -m xxx -r xxxx
NeTraMet: CoralReef Meter 4.4b10
2253:48 1 coral interfaces opened
Running on nren-mon4.nren.nasa.gov, interface(s) /dev/dag0 (DAG card)
2313:48 coral_read_block(107) too many EAGAINs
coral_open (0x8088398): invalid source
2313:48 restart_int(0): open failed, result=-1
[root@nren-mon4 meter]#
It (crl_ntm) runs just fine when set at OC3c and I can capture any
traffic I want.
Any help will be appreciated.
I guess I would like to hear that someone tried this before and it
worked.
Thanks,
Jerry.
--------------C879850F18C01B0784E26C11--
From netramet-owner Fri Jun 8 05:25:07 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id FAA15283
for netramet-outgoing; Fri, 8 Jun 2001 05:21:08 +1200 (NZST)
Received: from correo2 ([157.238.87.78])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id FAA15278
for <
[email protected]>; Fri, 8 Jun 2001 05:21:05 +1200 (NZST)
Received: from qoslabs.com ([63.69.216.194])
by correo2.qoslabs.com (iPlanet Messaging Server 5.0 Patch 2 (built Dec 14
2000)) with SMTP id <
[email protected]> for
[email protected]; Thu, 07 Jun 2001 13:21:09 -0400 (EDT)
Date: Thu, 07 Jun 2001 13:23:15 -0500
From: Sandra Salas <
[email protected]>
Subject: rules files
To:
[email protected]
Reply-to:
[email protected]
Message-id: <
[email protected]>
Organization: QoSlabs
MIME-version: 1.0
X-Mailer: Mozilla 4.75 [en] (Win98; U)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7BIT
X-Accept-Language: en
Sender:
[email protected]
Precedence: bulk
Hi,
My NeMaC process has this format:
./NeMaC -D -p -c300 -r rules.test localhost community
If I do changes in my rule file, I need to kill the process and start
again NeMaC.
Do you know if there is an option where NeMaC isn't shut down and read
the rule file that was modified??
thanks in advance.
From netramet-owner Fri Jun 8 07:43:12 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id HAA23385
for netramet-outgoing; Fri, 8 Jun 2001 07:41:15 +1200 (NZST)
Received: from mail.arc.nasa.gov (pony1.arc.nasa.gov [143.232.48.201])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id HAA23379
for <
[email protected]>; Fri, 8 Jun 2001 07:41:13 +1200 (NZST)
Received: from arc.nasa.gov (jtoung.arc.nasa.gov [128.102.196.181])
by mail.arc.nasa.gov (8.9.3/8.9.3) with ESMTP id MAA01088;
Thu, 7 Jun 2001 12:41:01 -0700 (PDT)
Message-ID: <
[email protected]>
Date: Thu, 07 Jun 2001 12:41:06 -0700
From: Jerry Toung <
[email protected]>
Reply-To:
[email protected]
X-Mailer: Mozilla 4.7 (Macintosh; U; PPC)
X-Accept-Language: en
MIME-Version: 1.0
To:
[email protected]
CC: NeTraMet <
[email protected]>
Subject: Re: rules files
References: <
[email protected]>
Content-Type: multipart/alternative;
boundary="------------E50FE25922E84EE1FA7254A5"
Sender:
[email protected]
Precedence: bulk
--------------E50FE25922E84EE1FA7254A5
Content-Type: text/plain; charset=us-ascii; x-mac-type="54455854"; x-mac-creator="4D4F5353"
Content-Transfer-Encoding: 7bit
Hi Sandra,
I have never done that, not sure it's possible. But could still run
several rule sets in one meter.
You can keep an old ruleset in the meter while downloading another one
(or slightly modified),
running NeMaC with the reader name option:
./NeMaC -D -p -c300 -r rules.test localhost community readername1
but you'll have 2 NeMaC processes running (2 different readername) and 2
rule sets downloaded in the meter.
Killing one NeMaC will also remove all its rules at the meter ==> 1 rule
set left etc.
Sandra Salas wrote:
> Hi,
>
> My NeMaC process has this format:
> ./NeMaC -D -p -c300 -r rules.test localhost community
>
> If I do changes in my rule file, I need to kill the process and start
> again NeMaC.
> Do you know if there is an option where NeMaC isn't shut down and read
> the rule file that was modified??
>
> thanks in advance.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jerry Toung NASA Ames Research Center
phone : (650) 604-1310 NASA Research & Education Network
Fax : (650) 604-3080 Mail Stop 233-21
Email :
[email protected] Moffet Field, CA 94035-1000
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--------------E50FE25922E84EE1FA7254A5--
From netramet-owner Mon Jun 11 23:41:23 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id XAA03643
for netramet-outgoing; Mon, 11 Jun 2001 23:33:15 +1200 (NZST)
Received: from tik2.ethz.ch (spr-tik2.ethz.ch [129.132.119.69])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id XAA03637
for <
[email protected]>; Mon, 11 Jun 2001 23:33:13 +1200 (NZST)
Received: from tik.ee.ethz.ch (tik46 [129.132.119.238])
by tik2.ethz.ch (8.8.8/8.8.8) with ESMTP id NAA04296
for <
[email protected]>; Mon, 11 Jun 2001 13:33:11 +0200 (MET DST)
Message-ID: <
[email protected]>
Date: Mon, 11 Jun 2001 13:33:09 +0200
From: Pandey Jayesh <
[email protected]>
Organization: Swiss Federal Institute of Technology
X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u)
X-Accept-Language: en
MIME-Version: 1.0
To:
[email protected]
Subject: DSCP in NeTraMet
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender:
[email protected]
Precedence: bulk
hello everybody,
i am new to netramet. I am working on metering and charging of DiffServ
traffic. I have set up a DiffServ testbed and installed netramet 4.3 on
it. Can anyone tell me how to write a rule file which can distinguish
flows on the basis of DSCodePoint?
Thanking you in advance!
regards,
Jayesh Pandey
TIK, ETHZ
From netramet-owner Tue Jun 12 11:34:32 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id LAA27739
for netramet-outgoing; Tue, 12 Jun 2001 11:30:28 +1200 (NZST)
Received: from n.browlee5.itss.auckland.ac.nz (n.brownlee5.itss.auckland.ac.nz [130.216.4.79])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with SMTP id LAA25091;
Tue, 12 Jun 2001 11:25:07 +1200 (NZST)
From: Nevil Brownlee <
[email protected]>
To:
[email protected]
Cc:
[email protected]
Subject: Re: rules files
In-Reply-To: <
[email protected]>
Message-ID: <
[email protected]>
Date: Tue, 12 Jun 2001 11:25:50 +1200 (New Zealand Standard Time)
Priority: NORMAL
X-Mailer: Simeon for Win32 Version 4.1.4 Build (40)
X-Authentication: IMSP
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender:
[email protected]
Precedence: bulk
Hello Sandra:
> If I do changes in my rule file, I need to kill the process and start
> again NeMaC.
> Do you know if there is an option where NeMaC isn't shut down and read
> the rule file that was modified??
Short answer to this question is: no, right now there isn't.
To rephrase your question, "is there a way to modify a running
ruleset?" This issue was proposed as a work item for an RTFM2
working group, but we weren't able to get the WG chartered.
The problems it raises are those of making sure that changes to a
running ruleset can be done safely, i.e. that the ruleset continues
to run properly, and saves the same attributes as previously.
On the NeMaC side, when we originally wrote NeMaC, we decided to have
the Manager and Meter Reader combined in one program. That's worked
well for many years, but we're now at the point where it would be
useful to have a separate manager. A stand-alone manager could provide
an overall 'systems console' for many meters and meter readers, and
could manage the sort of on-the-fly changes you're asking for. But we
don't have plans to make a stand-alone manager any time soon ..
That means we're stuck with using NeMaC in its present form. The
options are:
A) Modify ruleset, make sure it works properly.
Shut down NeMaC, start new NeMaC.
This is the approach you're using now.
B) Modify ruleset, ***being careful to change the ruleset name***,
i.e. the identifier given in the SRL set statement.
e.g. start with "set my_rules_1;" make the next version
"set my_rules_2;" etc.
Now you can start the new ruleset (on the same meter)
using second NeMaC - the meter can run many rulesets
at the same time. (Note that when NeMaC starts
talking to a meter it looks through the meter's ruleset table;
if there's a ruleset with the same ruleset name AND owner id,
NeMaC will shut it down. (Owner id is the last positional
parameter on the NeMaC command line, after the meter write
community name))
When you're sure the new ruleset is running properly you can shut
down the earlier copy of NeMaC. Remember that flow data
collection is asynchronous, making it unlikely that flow data
from two meter readers (copies of NeMaC) will match exactly,
especially for short reading intervals.
C) Longer term I could implement a free-standing program to
download a new version of a ruleset to a meter and switch
tasks using an earlier version of it across (i.e. exactly
what you asked for). But before doing that we'd need to
agree on what checks we need to make so as to be sure that
changes between old and new rulesets are safe. Also, how
would such 'on-the-fly ruleset switches' be recorded in
the various log files?? As I said above, this is a non-trivial
problem; I'm happy to work on it, but we need some vigorous
discussion first!
Cheers, Nevil
+---------------------------------------------------------------------+
| Nevil Brownlee Director, Technology Development |
| Phone: +64 9 373 7599 x8941 ITSS, The University of Auckland |
| FAX: +64 9 373 7021 Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------P
From netramet-owner Wed Jun 13 08:48:17 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id IAA01917
for netramet-outgoing; Wed, 13 Jun 2001 08:42:38 +1200 (NZST)
Received: from tik2.ethz.ch (spr-tik2.ethz.ch [129.132.119.69])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id IAA01900;
Wed, 13 Jun 2001 08:42:34 +1200 (NZST)
Received: from tik.ee.ethz.ch (kom27 [129.132.66.11])
by tik2.ethz.ch (8.8.8/8.8.8) with ESMTP id WAA13352;
Tue, 12 Jun 2001 22:42:32 +0200 (MET DST)
Message-ID: <
[email protected]>
Date: Tue, 12 Jun 2001 22:42:32 +0200
From: Pandey Jayesh <
[email protected]>
Organization: Swiss Federal Institute of Technology
X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u)
X-Accept-Language: en
MIME-Version: 1.0
To: Nevil Brownlee <
[email protected]>
CC:
[email protected]
Subject: newbie questions about rule file
References: <
[email protected]>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender:
[email protected]
Precedence: bulk
hello everybody,
1.> Is it possible to write a rule file which can distinguish a flow
given the source address ip/port and the destination address ip/port ? I
want to meter only that flow so is it possible?
2.> In the output/flowfile generated can i get the flow information
corresponding to that particular time instant like i have corresponding
to sampling times:
| | | | |
---------------------------------
| |
points where sampling is done,
this isnt aggregated information, just corresponding to packet flow at
that time.
thanking you in advance,
regards,
Jayesh Pandey
Undergraduate student
TIK, ETH, Zurich
From netramet-owner Wed Jun 13 12:58:47 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id MAA01220
for netramet-outgoing; Wed, 13 Jun 2001 12:52:51 +1200 (NZST)
Received: from n.browlee5.itss.auckland.ac.nz (n.brownlee5.itss.auckland.ac.nz [130.216.4.79])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with SMTP id MAA01210;
Wed, 13 Jun 2001 12:52:47 +1200 (NZST)
From: Nevil Brownlee <
[email protected]>
To: Pandey Jayesh <
[email protected]>
Cc:
[email protected]
Subject: Re: newbie questions about rule file
In-Reply-To: <
[email protected]>
Message-ID: <
[email protected]>
Date: Wed, 13 Jun 2001 12:53:30 +1200 (New Zealand Standard Time)
Priority: NORMAL
X-Mailer: Simeon for Win32 Version 4.1.4 Build (40)
X-Authentication: IMSP
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender:
[email protected]
Precedence: bulk
Hello Pandey:
> 1.> Is it possible to write a rule file which can distinguish a flow
> given the source address ip/port and the destination address ip/port ? I
> want to meter only that flow so is it possible?
Yes. It would look something like this:
if SourcePeerAddress == 1.2.3.4 && DestPeerAddress == 5.6.7.8
&& SourceTransAddress == 1234 && DestTransAddress == 5678 {
count;
}
(it would also need a set statement and a format statement).
> 2.> In the output/flowfile generated can i get the flow information
> corresponding to that particular time instant like i have corresponding
> to sampling times:
> | | | | |
> ---------------------------------
> | |
> points where sampling is done,
> this isnt aggregated information, just corresponding to packet flow at
> that time.
This is harder, RTFM doesn't guarantee sample times - interactions
between meters and meter readers are asynchronous.
However, you'd get fairly close to it if you just ran NeMaC sampling at
whatever intervals you need. If you want a second 'half-speed'
sampling (as you've shown in your diagram), I'd do it by making the
'full-speed' samples, then writing a perl script to ignore every second
sample.
Cheers, Nevil
+---------------------------------------------------------------------+
| Nevil Brownlee Director, Technology Development |
| Phone: +64 9 373 7599 x8941 ITSS, The University of Auckland |
| FAX: +64 9 373 7021 Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------P
From netramet-owner Thu Jun 14 00:34:09 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id AAA26576
for netramet-outgoing; Thu, 14 Jun 2001 00:29:50 +1200 (NZST)
Received: from tik2.ethz.ch (spr-tik2.ethz.ch [129.132.119.69])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id AAA26566;
Thu, 14 Jun 2001 00:29:48 +1200 (NZST)
Received: from tik.ee.ethz.ch (tik46 [129.132.119.238])
by tik2.ethz.ch (8.8.8/8.8.8) with ESMTP id OAA11849;
Wed, 13 Jun 2001 14:29:45 +0200 (MET DST)
Message-ID: <
[email protected]>
Date: Wed, 13 Jun 2001 14:29:41 +0200
From: Pandey Jayesh <
[email protected]>
Organization: Swiss Federal Institute of Technology
X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u)
X-Accept-Language: en
MIME-Version: 1.0
To: Nevil Brownlee <
[email protected]>
CC:
[email protected]
Subject: Re: newbie questions about rule file
References: <
[email protected]>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender:
[email protected]
Precedence: bulk
Nevil Brownlee wrote:
>
Hello Dr. Brownlee,
thank you for the help, using srl i have managed to get the required
rule file , and the corresponding flow.
But for the second part of my question i want to know a few things more:
Using the rule file: (sorry for all the text.....)
#Source file: testbed1.srl
#Compiled by: SRL compiler, version 4.3
#Time: 14:14:49 Wed 13 Jun 2001
sourcepeertype & 255.0 = 1.0: pushto, g1;
null & 0 = 0: gotoact, n1;
n1:
null & 0 = 0: ignore, 0;
g1:
sourcetranstype & 255.0 = 6.0: pushto, a1;
sourcetranstype & 255.0 = 17.0: pushto, a1;
null & 0 = 0: gotoact, n2;
n2:
g2:
null & 0 = 0: nomatch, 0;
a1:
sourcepeeraddress & 255.255.255.255 = 192.168.2.1: pushto, s2;
null & 0 = 0: goto, n3;
s2:
destpeeraddress & 255.255.255.255 = 129.132.66.11: pushto, s1;
null & 0 = 0: popto, next;
null & 0 = 0: goto, n3;
s1:
desttransaddress & 255.255 = 7.208: pushtoact, a2;
null & 0 = 0: popto, next;
null & 0 = 0: popto, next;
null & 0 = 0: gotoact, n3;
n3:
g3:
null & 0 = 0: gotoact, g2;
a2:
null & 0 = 0: count, 0;
set 5;
format
flowruleset flowindex " " sourcepeeraddress destpeeraddress " "
sourcetransaddress desttransaddress " " topdus frompdus " " tooctets
fromoctets " " firsttime lasttime;
on my testbed i had only one flow running which matches the above
params.
the output from nemac was the following flow file:
#NeTraMet v4.3: -c30 -r testbed1.rules RB ep0 10000 flows starting
at 13:43:50 Wed 13 Jun 2001
#Format: flowruleset flowindex sourcepeeraddress destpeeraddress
sourcetransaddress desttransaddress topdus frompdus tooctets fromoctets
firsttime lasttime
#Time: 13:43:51 Wed 13 Jun 2001 RB Flows from 0 to 451
#Ruleset: 18 5 testbed1.rules NeMaC
18 3 192.168.2.1 129.132.66.11 1122 2000 21 0 31752 0 437 450
#EndData: RB
#Time: 13:44:00 Wed 13 Jun 2001 RB Flows from 450 to 1361
18 3 192.168.2.1 129.132.66.11 1122 2000 1491 0 2254392 0 437 1366
#EndData: RB
#Time: 13:44:30 Wed 13 Jun 2001 RB Flows from 1360 to 4371
18 3 192.168.2.1 129.132.66.11 1122 2000 6321 0 9557352 0 437 4374
#EndData: RB
#Time: 13:45:00 Wed 13 Jun 2001 RB Flows from 4370 to 7381
18 3 192.168.2.1 129.132.66.11 1122 2000 9429 0 14256648 0 437 6310
#EndData: RB
Now my problem was that the data in this flow file is aggregate of the
flow information, but what i want is just the packet information at the
sampling time.i.e. i dont want the information in between the sampling
points just that at the edges of the sampling period.
regards,
Jayesh Pandey,
TIK, ETH Zurich
> Hello Pandey:
>
> > 1.> Is it possible to write a rule file which can distinguish a flow
> > given the source address ip/port and the destination address ip/port ? I
> > want to meter only that flow so is it possible?
>
> Yes. It would look something like this:
>
> if SourcePeerAddress == 1.2.3.4 && DestPeerAddress == 5.6.7.8
> && SourceTransAddress == 1234 && DestTransAddress == 5678 {
> count;
> }
>
> (it would also need a set statement and a format statement).
>
> > 2.> In the output/flowfile generated can i get the flow information
> > corresponding to that particular time instant like i have corresponding
> > to sampling times:
> > | | | | |
> > ---------------------------------
> > | |
> > points where sampling is done,
> > this isnt aggregated information, just corresponding to packet flow at
> > that time.
>
> This is harder, RTFM doesn't guarantee sample times - interactions
> between meters and meter readers are asynchronous.
>
> However, you'd get fairly close to it if you just ran NeMaC sampling at
> whatever intervals you need. If you want a second 'half-speed'
> sampling (as you've shown in your diagram), I'd do it by making the
> 'full-speed' samples, then writing a perl script to ignore every second
> sample.
>
> Cheers, Nevil
>
> +---------------------------------------------------------------------+
> | Nevil Brownlee Director, Technology Development |
> | Phone: +64 9 373 7599 x8941 ITSS, The University of Auckland |
> | FAX: +64 9 373 7021 Private Bag 92019, Auckland, New Zealand |
> +---------------------------------------------------------------------P
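Added example (not part of the original messages and not NeTraMet code): a small Python reader for the flow file quoted above that keeps every Nth sample, as in the suggested 'ignore every second sample' script, and turns the running counters into per-interval differences. It assumes the counters are cumulative, as the sample rows suggest, and that a counter going backwards means a new flow; the function names are hypothetical.

```python
"""Per-interval deltas from a NeMaC flow file (illustrative, not NeTraMet code)."""
import re

# Flow file quoted in the message above, with mail line-wrapping undone.
SAMPLE = """\
#NeTraMet v4.3: -c30 -r testbed1.rules RB ep0 10000 flows starting at 13:43:50 Wed 13 Jun 2001
#Format: flowruleset flowindex sourcepeeraddress destpeeraddress sourcetransaddress desttransaddress topdus frompdus tooctets fromoctets firsttime lasttime
#Time: 13:43:51 Wed 13 Jun 2001 RB Flows from 0 to 451
#Ruleset: 18 5 testbed1.rules NeMaC
18 3 192.168.2.1 129.132.66.11 1122 2000 21 0 31752 0 437 450
#EndData: RB
#Time: 13:44:00 Wed 13 Jun 2001 RB Flows from 450 to 1361
18 3 192.168.2.1 129.132.66.11 1122 2000 1491 0 2254392 0 437 1366
#EndData: RB
#Time: 13:44:30 Wed 13 Jun 2001 RB Flows from 1360 to 4371
18 3 192.168.2.1 129.132.66.11 1122 2000 6321 0 9557352 0 437 4374
#EndData: RB
#Time: 13:45:00 Wed 13 Jun 2001 RB Flows from 4370 to 7381
18 3 192.168.2.1 129.132.66.11 1122 2000 9429 0 14256648 0 437 6310
#EndData: RB
"""

COUNTERS = ("topdus", "frompdus", "tooctets", "fromoctets")
FLOW_KEY = ("flowruleset", "flowindex")


def parse_samples(text):
    """Return [(time_label, [record, ...]), ...], one entry per #Time block.

    Column names come from the file's own #Format line, so the reader
    follows whatever format statement the ruleset used.
    """
    columns = None
    samples = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Format:"):
            columns = line.split(":", 1)[1].split()
        elif line.startswith("#Time:"):
            match = re.match(r"#Time:\s+(\d{1,2}:\d{2}:\d{2})", line)
            if match is None:
                raise ValueError("unreadable #Time line: %r" % line)
            samples.append((match.group(1), []))
        elif line.startswith("#"):
            continue  # banner, #Ruleset, #EndData and other comment lines
        else:
            if columns is None or not samples:
                raise ValueError("data row before #Format/#Time: %r" % line)
            fields = line.split()
            if len(fields) != len(columns):
                raise ValueError("row does not match #Format: %r" % line)
            samples[-1][1].append(dict(zip(columns, fields)))
    return samples


def interval_deltas(samples, keep_every=1):
    """Keep every `keep_every`-th sample and difference the counters.

    Returns [(time_label, flow_key, {counter: delta}), ...]. The first time
    a flow is seen its delta is the counter itself (traffic since the flow
    started). Assumption: a negative difference means the flow was
    restarted, so the new value is reported as-is.
    """
    if keep_every < 1:
        raise ValueError("keep_every must be >= 1")
    previous = {}
    result = []
    for when, records in samples[::keep_every]:
        for record in records:
            key = tuple(record[name] for name in FLOW_KEY)
            now = {c: int(record[c]) for c in COUNTERS if c in record}
            before = previous.get(key)
            if before is None:
                delta = dict(now)
            else:
                delta = {c: now[c] - before[c] for c in now}
                if any(value < 0 for value in delta.values()):
                    delta = dict(now)
            previous[key] = now
            result.append((when, key, delta))
    return result


if __name__ == "__main__":
    parsed = parse_samples(SAMPLE)
    for step in (1, 2):
        print("every sample" if step == 1 else "every second sample")
        for when, key, delta in interval_deltas(parsed, keep_every=step):
            print(" ", when, key, delta["topdus"], "pdus", delta["tooctets"], "octets")
```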
From netramet-owner Thu Jun 14 01:48:51 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id BAA01010
for netramet-outgoing; Thu, 14 Jun 2001 01:45:43 +1200 (NZST)
Received: from ncc-consulting.de (mailsrv.ncc-consulting.de [213.68.34.137])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with SMTP id BAA00999
for <
[email protected]>; Thu, 14 Jun 2001 01:45:41 +1200 (NZST)
Received: (qmail 21559 invoked from network); 13 Jun 2001 13:44:27 -0000
Received: from pd950fb22.dip.t-dialin.net (HELO pcmobil) (217.80.251.34)
by mailsrv.ncc-consulting.de with SMTP; 13 Jun 2001 13:44:27 -0000
From: "Valentin Saca" <
[email protected]>
To: <
[email protected]>
Subject: macro-substitution in flow-files ???
Date: Wed, 13 Jun 2001 15:44:05 +0200
Message-ID: <
[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Sender:
[email protected]
Precedence: bulk
Hello everybody,
Do you know if it is possible to make macro-substitution in a flow file ?
What I mean here with macro-substitution is the possibility to insert own
text(rows) in a flow file , by example user-name and so on , by using a
special statement in the rule-file .
Thanks in advance and best regards
Valentin
From netramet-owner Fri Jun 22 23:44:13 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id XAA26410
for netramet-outgoing; Fri, 22 Jun 2001 23:38:27 +1200 (NZST)
Received: from Exchange2000.com-con.ag (exchange2000.com-con.net [212.6.164.8])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id XAA26405;
Fri, 22 Jun 2001 23:38:20 +1200 (NZST)
Content-Class: urn:content-classes:message
Subject: questions about rule file - n-VLANs twice Byte count
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-MimeOLE: Produced By Microsoft Exchange V6.0.4417.0
Date: Fri, 22 Jun 2001 13:37:43 +0100
Message-ID: <
[email protected]>
Thread-Topic: questions about rule file - n-VLANs twice Byte count
Thread-Index: AcD7GCJjd9q/XmbbEdWSdQAAkpsbJg==
From: "Knapp, Ralf" <
[email protected]>
To: "Nevil Brownlee" <
[email protected]>
Cc: <
[email protected]>
Sender:
[email protected]
Precedence: bulk
Dear Nevil,
hello NeTraMet-users,
Netramet runs on an FreeBSD 4.2 system and has a Gigabit Nic (interface
ti0)
On this interface the NeTraMet measures the traffic via a Span Port of a
Cisco Catalyst. This Span Port has connected 4 VLANs and one for the
spanPort.
VLAN 1 VLAN 2 VLAN 3 VLAN5
| | | |
-------------------------------------------------------------------------
|
|
VLAN 4 (ti0 = NeTraMet)
Now my problem:
Flows on each VLAN is measured correct, but flows from one to another
VLAN
are accounted twice because NeTraMet doesn´t realizes that the
flow is actual the same.
How could I filter this event of twice accounting in the
measurement??
I don´t want that NeTraMet adds this "false" bytes"
OR
Have i to write a srl rule file like this ..
define VLAN_1 =
yyy.xxx.ccc.vvv/29
define VLAN_2 =
...
if SourcePeerAddress == (VLAN_1) && DestPeerAddress ==(VLAN_1) # and if the flows
                                                               # goes into the
                                                               # internet
{
store FlowKind := 'A'
}
else if SourcePeerAddress == (VLAN_1) && ( DestPeerAddress ==(VLAN_2)
.or 3 or 5 )
{
store FlowKind := 'B'
}
and then analyse the flow file by a perl script and take the sums of
bytes as they were if FlowKind = A and if FlowKind = B sum_bytes =
sum_bytes/2 ??
Is there no otherway??
The fd_filter could handle the format "FlowKind"??
By the way, pings with my current rule files are seen in the flows
twice...
Format:
MyTimeStamp | Protocol | Typ | MySrcPeerAddress | SrcPort |
MyDestPeerAddress | DestPort | d_BytesTo | d_ByteFrom
#22-06-2001 11:57:00 1 212 6 163 18 8 212 6 142 31 0 17040 0
#22-06-2001 11:57:00 1 212 6 142 31 0 212 6 163 18 0 17040 0
how have I to change my rule (see at the end) to get something like
that:
#22-06-2001 11:57:00 1 212 6 163 18 8 212 6 142 31 0 17040 17040
but i think this is impossible, because of the port which is different
I know that I have very much questions but i hope someone has some
answers.
If -you- have question or problems I do my best to help you.
thanks in advance
Ralf Knapp
Student
at
University of Applied Sciences
- Krefeld Fachhochschule Niederrhein -
Here my rule .srl
define Printer_IPs =
  212.5.162.100/32, # dc230
  212.5.162.101/32, # printserver
  212.5.162.102/32, # kyocera
  212.5.162.103/32; # docucolor
if SourcePeerType == IP
{ if SourcePeerAddress == (Printer_IPs) || DestPeerAddress ==(Printer_IPs)
  {
    ignore; # ignore Traffic from to printer
  }
  else
  {
    save SourcePeerType;
    save SourcePeerAddress/32;
    save DestPeerAddress/32;
    save SourceTransType;
    save SourceTransAddress/16;
    save DestTransAddress/16;
  } # save traffic !!
}
else
{
  ignore;
  #
}
count;
#
SET 2;
#
Format
flowruleset flowindex firsttime lasttime SourcePeerType sourcetranstype
SourcePeerAddress DestPeerAddress sourcetransaddress
desttransaddress ToOctets FromOctets;
From netramet-owner Wed Jun 27 00:21:42 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id AAA04196
for netramet-outgoing; Wed, 27 Jun 2001 00:17:12 +1200 (NZST)
Received: from virus-out.office-mail.co.uk (
[email protected] [217.15.160.67])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id AAA04190;
Wed, 27 Jun 2001 00:17:10 +1200 (NZST)
Received: from mailsweeper2.office-mail.co.uk (mailsweeper2.office-mail.co.uk [217.15.160.65])
by virus-out.office-mail.co.uk (Postfix) with ESMTP
id C6E425D72; Mon, 25 Jun 2001 17:04:21 +0100 (BST)
Received: from virus-in.office-mail.co.uk (virus-in.office-mail.co.uk) by mailsweeper2.office-mail.co.uk
(Content Technologies SMTPRS 4.1.5) with ESMTP id <
[email protected]>;
Mon, 25 Jun 2001 18:46:04 +0100
Received: from ntserver.office-mail.co.uk (ghostmailaddress.office-mail.co.uk [217.15.160.49])
by virus-in.office-mail.co.uk (Postfix) with ESMTP
id 15C5E36B8; Mon, 25 Jun 2001 17:01:51 +0100 (BST)
Received: by NTSERVER with Internet Mail Service (5.5.2650.21)
id <M0GJ8CSM>; Mon, 25 Jun 2001 17:00:31 +0100
Message-ID: <8B12F6A1231DD411A70600A0CC68AFC50D384E@NTSERVER>
From: Sean Kelly <
[email protected]>
To:
[email protected]
Cc:
[email protected]
Subject: Monitoring and reporting network usage - dropped packets
Date: Mon, 25 Jun 2001 17:00:29 +0100
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain;
charset="iso-8859-1"
Sender:
[email protected]
Precedence: bulk
Hi all,
Thanks again to all those who sent advice and comments regarding my
last post. They are greatly appreciated :)
Something that was questioned in the last conversation was whether
any packets were being dropped. Some people (Peter Van Epp was at least one
of them) mentioned that 'tcpdump' may report dropping packets when the
kernel will not.
After letting 'tcpdump' run for just over a minute I get:
36510 packets received by filter
35519 packets dropped by kernel
so does this mean that I'm losing about 97% of packets? I ran 'tcpdump' at
the same time my monitoring software was running - does this influence the
dropping of packets?
Thanks in advance,
--
Sean Kelly <
[email protected]>
*************************************************************
This email message has been scanned by MIMEsweeper for the
presence of computer viruses by www.viruscleaningcentre.co.uk
Hosted by the North East Datacentre www.ne-datacentre.co.uk
*************************************************************
From netramet-owner Wed Jun 27 02:48:37 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id CAA19248
for netramet-outgoing; Wed, 27 Jun 2001 02:46:41 +1200 (NZST)
Received: from virus-out.office-mail.co.uk (
[email protected] [217.15.160.67])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id CAA19235
for <
[email protected]>; Wed, 27 Jun 2001 02:46:39 +1200 (NZST)
Received: from mailsweeper2.office-mail.co.uk (mailsweeper2.office-mail.co.uk [217.15.160.65])
by virus-out.office-mail.co.uk (Postfix) with ESMTP id 49AAD5D72
for <
[email protected]>; Tue, 26 Jun 2001 15:46:31 +0100 (BST)
Received: from virus-in.office-mail.co.uk (virus-in.office-mail.co.uk) by mailsweeper2.office-mail.co.uk
(Content Technologies SMTPRS 4.1.5) with ESMTP id <
[email protected]>;
Tue, 26 Jun 2001 17:32:28 +0100
Received: from ntserver.office-mail.co.uk (ghostmailaddress.office-mail.co.uk [217.15.160.49])
by virus-in.office-mail.co.uk (Postfix) with ESMTP
id 671D836C4; Tue, 26 Jun 2001 15:46:30 +0100 (BST)
Received: by NTSERVER with Internet Mail Service (5.5.2650.21)
id <M0GJ8CZH>; Tue, 26 Jun 2001 15:45:10 +0100
Message-ID: <8B12F6A1231DD411A70600A0CC68AFC50D3883@NTSERVER>
From: Sean Kelly <[email protected]>
To: "'[email protected]'" <[email protected]>
Cc: "'[email protected]'" <[email protected]>
Subject: RE: Monitoring and reporting network usage - dropped packets
Date: Tue, 26 Jun 2001 15:45:08 +0100
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: [email protected]
Precedence: bulk
> -----Original Message-----
> From: Peter Van Epp [mailto:[email protected]]
> Sent: 26 June 2001 3:40 pm
> To: [email protected]
> Subject: Re: Monitoring and reporting network usage - dropped packets
>
>
> Yep, the bpf buffer (between the kernel and libpcap) is
> overwriting around %50 of the packets offered to it.
So would this mean that my 'Snuffle' application is only getting
half the packets that are actually on the wire?
Additionally, does it matter if you run more than one application
collecting packets from the buffer?
> You need to boost the bpf buffer size and/or get a faster machine.
This is a 600Mhz machine. It has been mentioned that the NIC is
poor, so I will replace this and try to boost the buffer too.
Thanks for the comments, I think I am finally seeing the light on
this :)
--
Sean Kelly <[email protected]>
From netramet-owner Wed Jun 27 02:53:36 2001
Message-Id: <[email protected]>
X-Mailer: exmh version 2.1.1 10/15/1999
To: [email protected]
Subject: Re: Monitoring and reporting network usage - dropped packets
In-reply-to: Your message of "Mon, 25 Jun 2001 17:00:29 BST" <8B12F6A1231DD411A70600A0CC68AFC50D384E@NTSERVER>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 26 Jun 2001 16:52:07 +0200
From: Dieter Kasielke <[email protected]>
Sender: [email protected]
Precedence: bulk
Hello Sean,
I think it means that you lose about 50%, still too much for my taste.
Regarding the resources used: I see something like 4% additional CPU
usage doing a "tcpdump -w file" on a machine running only netramet,
which (including kernel activity) takes about 30% CPU time measuring
12k packets/s (PC, 800MHz P-III, OpenBSD).
hope this helps a little, Dieter
On Mon, 25 Jun 2001 17:00:29 BST Sean Kelly wrote:
> Hi all,
>
> Thanks again to all those who sent advice and comments regarding my
> last post. They are greatly appreciated :)
>
> Something that was questioned in the last conversation was whether
> any packets were being dropped. Some people (Peter Van Epp was at least one
> of them) mentioned that 'tcpdump' may report dropping packets when the
> kernel will not.
>
> After letting 'tcpdump' run for just over a minute I get:
>
> 36510 packets received by filter
> 35519 packets dropped by kernel
>
> so does this mean that I'm losing about 97% of packets? I ran 'tcpdump' at
> the same time my monitoring software was running - does this influence the
> dropping of packets?
>
> Thanks in advance,
>
> --
> Sean Kelly <[email protected]>
---
Dieter Kasielke, ZRZ (Zentraleinrichtung Rechenzentrum), Sekr.: EN 50,
Technische Universitaet Berlin, Einsteinufer 17, D-10587 Berlin, GERMANY.
email: [email protected], phone: +49 30 314 - 23733, fax: - 21060
From netramet-owner Wed Jun 27 03:49:31 2001
Message-ID: <8B12F6A1231DD411A70600A0CC68AFC50D3884@NTSERVER>
From: Sean Kelly <[email protected]>
To: "'Peter Van Epp'" <[email protected]>
Cc: "'[email protected]'" <[email protected]>
Subject: RE: Monitoring and reporting network usage - dropped packets
Date: Tue, 26 Jun 2001 16:46:10 +0100
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: [email protected]
Precedence: bulk
> -----Original Message-----
> From: Peter Van Epp [mailto:[email protected]]
> Subject: Re: Monitoring and reporting network usage - dropped packets
>
> How much memory in the machine? If you are swapping due
> to low memory that will also kill performance.
'top' says:
Mem: 22M Active, 15M Inact, 10M Wired, 3112K Cache, 12M Buf, 1284K Free
and the machine has 64Mb SDRAM with 8Mb being used by the onboard graphics
card.
Thanks,
--
Sean Kelly <[email protected]>
From netramet-owner Wed Jun 27 04:02:46 2001
From: Peter Van Epp <[email protected]>
Message-Id: <[email protected]>
Subject: Re: Monitoring and reporting network usage - dropped packets
To: [email protected]
Date: Tue, 26 Jun 2001 09:01:39 -0700 (PDT)
In-Reply-To: <8B12F6A1231DD411A70600A0CC68AFC50D3883@NTSERVER> from "Sean Kelly" at Jun 26, 2001 03:45:08 PM
X-Mailer: ELM [version 2.5 PL4]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Precedence: bulk
While I answered this directly I'll summarize briefly in case there
is interest to more people on this list.
>
> > -----Original Message-----
> > From: Peter Van Epp [mailto:[email protected]]
> > Sent: 26 June 2001 3:40 pm
> > To: [email protected]
> > Subject: Re: Monitoring and reporting network usage - dropped packets
> >
> >
> > Yep, the bpf buffer (between the kernel and libpcap) is
> > overwriting around %50 of the packets offered to it.
>
> So would this mean that my 'Snuffle' application is only getting
> half the packets that are actually on the wire?
Yep, or less. The interface can also be losing packets below the
kernel to bpf layer which won't show up in this count. The interface stats
should show something like overruns in such a case.
>
> Additionally, does it matter if you run more than one application
> collecting packets from the buffer?
>
Yep, more applications less time to get back to clear the buffer before
it is overwritten.
> > You need to boost the bpf buffer size and/or get a faster machine.
>
> This is a 600Mhz machine. It has been mentioned that the NIC is
> poor, so I will replace this and try to boost the buffer too.
Get a 3Com 3C905B, boost the bpf buffer size and possibly add more
memory to the machine (because low memory and swapping are deadly to
performance).
In addition tcpreplay (http://www.anzen.com/research/nidsbench) will
replay a tcpdump file (at variable speed) giving you a known number of
packets to assess loss end to end. I have a patch set to let it build more
easily on current versions of FreeBSD/libnet (and mods to allow it to do
full duplex).
I should note in addition that there is a bug in bpf in FreeBSD
if your application is using the select system call (rather than polling as
tcpdump does) which will also quietly lose data. I have a patch for that as
well (or it is in the FreeBSD pr on the problem, if you search the bug data
base for bpf).
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
From netramet-owner Wed Jun 27 04:10:42 2001
Message-ID: <8B12F6A1231DD411A70600A0CC68AFC50D3888@NTSERVER>
From: Sean Kelly <[email protected]>
To: "'[email protected]'" <[email protected]>
Subject: RE: Monitoring and reporting network usage - dropped packets
Date: Tue, 26 Jun 2001 17:07:59 +0100
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: [email protected]
Precedence: bulk
> -----Original Message-----
> From: Dieter Kasielke [mailto:[email protected]]
> Subject: Re: Monitoring and reporting network usage - dropped packets
>
>
> Hello Sean,
>
> I think it means that you lose about 50%, still too much for
> my taste.
> Regarding the resources used: I see something like 4% additional CPU
> usage doing a "tcpdump -w file" on a machine running only netramet,
> which (including kernel activity) takes about 30% CPU time measuring
> 12k packets/s (PC, 800MHz P-III, OpenBSD).
>
> hope this helps a little, Dieter
Losing 50% is poor. We are trialing this setup so that we can bill
our clients for bandwidth used per IP. If we're losing 50% of packets then
there is no way we can bill people accurately.
Thanks for your input,
--
Sean Kelly <[email protected]>
From netramet-owner Wed Jun 27 04:52:16 2001
Date: Tue, 26 Jun 2001 18:50:37 +0200
From: Kurt Jaeger <[email protected]>
To: Sean Kelly <[email protected]>
Cc: "'[email protected]'" <[email protected]>
Subject: Re: Monitoring and reporting network usage - dropped packets
Message-ID: <[email protected]>
References: <8B12F6A1231DD411A70600A0CC68AFC50D3888@NTSERVER>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <8B12F6A1231DD411A70600A0CC68AFC50D3888@NTSERVER>; from [email protected] on Tue, Jun 26, 2001 at 05:07:59PM +0100
Sender: [email protected]
Precedence: bulk
Hi!
> > I think it means that you lose about 50%, still too much for
> > my taste.
> > Regarding the resources used: I see something like 4% additional CPU
> > usage doing a "tcpdump -w file" on a machine running only netramet,
> > which (including kernel activity) takes about 30% CPU time measuring
> > 12k packets/s (PC, 800MHz P-III, OpenBSD).
> > hope this helps a little, Dieter
>
> Losing 50% is poor. We are trialing this setup so that we can bill
> our clients for bandwidth used per IP. If we're losing 50% of packets then
> there is no way we can bill people accurately.
I modified tcpdump (newest version) to be quite efficient in bean-counting.
ftp://ftp.LF.net/pub/unix/systems/FreeBSD/sw/ipcount-2.0-i386_fbsd4.tgz
We use it on core.LF.net and core2.LF.net with 6 to 12 ethernet interfaces
(ipcount is running on 2-3 interfaces). These are our central routers,
almost all traffic (> 10mbit/sec sustained) is running over core2 now.
core$ uptime
7:53PM up 1140 days, 12 mins, 1 user, load averages: 0.00, 0.00, 0.00
c2$ uptime
6:48PM up 145 days, 23:49, 3 users, load averages: 0.23, 0.21, 0.17
Yes, I would rather like to use netramet for this, but at least the
last four years I did not find the time to get behind the trick to use it
for bean-counting 8-(
--
MfG/Best regards, Kurt Jaeger 19 years to go !
LF.net GmbH [email protected] Oberon.net GmbH [email protected]
Vor dem Lauch 23 fon +49 711 90074-23 Georg-Glock-Str.14 fon +49 171 3101372
D-70567 Stuttgart fax +49 711 90074-33 40474 Duesseldorf +49 211 179253-11
From netramet-owner Thu Jun 28 02:20:56 2001
Message-ID: <8B12F6A1231DD411A70600A0CC68AFC50D38B8@NTSERVER>
From: Sean Kelly <[email protected]>
To: "'Kurt Jaeger'" <[email protected]>
Cc: "'[email protected]'" <[email protected]>
Subject: RE: Monitoring and reporting network usage - dropped packets
Date: Wed, 27 Jun 2001 15:15:54 +0100
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: [email protected]
Precedence: bulk
> -----Original Message-----
> From: Kurt Jaeger [mailto:[email protected]]
> Sent: 26 June 2001 5:51 pm
> To: Sean Kelly
> Cc: '[email protected]'
> Subject: Re: Monitoring and reporting network usage - dropped packets
>
> I modified tcpdump (newest version) to be quite efficient in
> bean-counting.
>
> ftp://ftp.LF.net/pub/unix/systems/FreeBSD/sw/ipcount-2.0-i386_fbsd4.tgz
>
> We use it on core.LF.net and core2.LF.net with 6 to 12
> ethernet interfaces
> (ipcount is running on 2-3 interfaces). These are our central routers,
> almost all traffic (> 10mbit/sec sustained) is running over core2 now.
That sounds interesting. Would I need to make any other
modifications to the system, such as the bpf buffer size that a lot of
people have mentioned? What kind of reports does your software produce?
Thanks,
--
Sean Kelly <[email protected]>
From netramet-owner Thu Jun 28 02:21:36 2001
Message-ID: <8B12F6A1231DD411A70600A0CC68AFC50D38B9@NTSERVER>
From: Sean Kelly <[email protected]>
To: "'Peter Van Epp'" <[email protected]>
Cc: "'[email protected]'" <[email protected]>
Subject: RE: Monitoring and reporting network usage - dropped packets
Date: Wed, 27 Jun 2001 15:18:42 +0100
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: [email protected]
Precedence: bulk
> -----Original Message-----
> From: Peter Van Epp [mailto:[email protected]]
> Sent: 26 June 2001 3:40 pm
> To: [email protected]
> Subject: Re: Monitoring and reporting network usage - dropped packets
>
>
> Yep, the bpf buffer (between the kernel and libpcap) is
> overwriting around %50 of the packets offered to it. You need to
> boost the bpf buffer size and/or get a faster machine. You will find
> the counter it is referring to in /sys/net/bpf.c in the kernel.
[SNIP]
What applications would this require me to recompile? Would I have
to modify the kernel at all? Thanks,
--
Sean Kelly <[email protected]>
From netramet-owner Thu Jun 28 02:22:50 2001
Date: Wed, 27 Jun 2001 16:21:24 +0200
From: Kurt Jaeger <[email protected]>
To: Sean Kelly <[email protected]>
Cc: "'[email protected]'" <[email protected]>
Subject: Re: Monitoring and reporting network usage - dropped packets
Message-ID: <[email protected]>
References: <8B12F6A1231DD411A70600A0CC68AFC50D38B8@NTSERVER>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <8B12F6A1231DD411A70600A0CC68AFC50D38B8@NTSERVER>; from [email protected] on Wed, Jun 27, 2001 at 03:15:54PM +0100
Sender: [email protected]
Precedence: bulk
Hi!
> > I modified tcpdump (newest version) to be quite efficient in
> > bean-counting.
[...]
> That sounds interesting. Would I need to make any other
> modifications to the system, such as the bpf buffer size that a lot of
> people have mentioned?
Increasing the BPF would help, depending on the load and your
hardware.
> What kind of reports does your software produce?
one ascii file per time interval, containing
<source-ip,dest-ip,bytes,packets>
Example:
[...]
212.9.160.1 64.39.29.212 53 1
[...]
53 bytes, looks like a DNS query.
--
MfG/Best regards, Kurt Jaeger 19 years to go !
LF.net GmbH [email protected] Oberon.net GmbH [email protected]
Vor dem Lauch 23 fon +49 711 90074-23 Georg-Glock-Str.14 fon +49 171 3101372
D-70567 Stuttgart fax +49 711 90074-33 40474 Duesseldorf +49 211 179253-11
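The per-interval report format described in the message above, reduced to per-IP totals of the kind the billing question earlier in the thread needs. This is an added example, not part of the post and not ipcount's own code; it assumes the whitespace-separated layout of the sample line, and the sample interval (apart from its first record) and the customer prefix are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of one interval file. Only the first record appears in
# the post; the rest are made up, including two malformed lines.
SAMPLE_INTERVAL = """\
212.9.160.1 64.39.29.212 53 1
64.39.29.212 212.9.160.1 181 1
212.9.160.7 192.0.2.10 1500 1
192.0.2.10 212.9.160.7 40960 32
198.51.100.4 203.0.113.9 600 2
not-an-ip 212.9.160.1 10 1
212.9.160.1 64.39.29.212 -5 1
"""

# Assumption: the block of addresses being billed. Chosen here only so that
# it covers the sample address quoted in the post.
CUSTOMER_NET = ipaddress.ip_network("212.9.160.0/24")


def parse_record(line):
    """Parse one 'source-ip dest-ip bytes packets' record, or raise ValueError."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError("expected 4 fields, got %d" % len(fields))
    src = ipaddress.ip_address(fields[0])   # raises ValueError on bad input
    dst = ipaddress.ip_address(fields[1])
    nbytes, npkts = int(fields[2]), int(fields[3])
    if nbytes < 0 or npkts < 0:
        raise ValueError("negative counter")
    return src, dst, nbytes, npkts


def account(text, customer_net):
    """Sum bytes and packets per customer IP for one interval file.

    Returns (usage, rejected): usage maps each customer IP to its outbound
    and inbound byte totals and its packet count; rejected lists
    (line number, reason) for records that could not be parsed, so bad
    input is reported rather than silently billed or silently dropped.
    """
    usage = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0, "packets": 0})
    rejected = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            src, dst, nbytes, npkts = parse_record(line)
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
            continue
        # Traffic between two customer addresses is charged to both ends.
        if src in customer_net:
            usage[str(src)]["bytes_out"] += nbytes
            usage[str(src)]["packets"] += npkts
        if dst in customer_net:
            usage[str(dst)]["bytes_in"] += nbytes
            usage[str(dst)]["packets"] += npkts
    return dict(usage), rejected


if __name__ == "__main__":
    totals, bad = account(SAMPLE_INTERVAL, CUSTOMER_NET)
    for ip in sorted(totals, key=ipaddress.ip_address):
        print(ip, totals[ip])
    for lineno, reason in bad:
        print("rejected line %d: %s" % (lineno, reason))
```

Totals produced this way are only as complete as the capture underneath them: packets lost in the bpf buffer or at the interface never reach the interval file.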
From netramet-owner Fri Jun 29 07:02:20 2001
From: [email protected]
Date: Thu, 28 Jun 2001 13:58:12 -0500
Subject: ldap
To: [email protected]
Message-id: <[email protected]>
MIME-version: 1.0
X-Mailer: iPlanet Webmail
Content-type: text/plain; charset=us-ascii
Content-language: en
Content-transfer-encoding: 7BIT
Content-disposition: inline
X-Accept-Language: en
Sender: [email protected]
Precedence: bulk
I would like to know if somebody is working on (or planning) a way to
use an LDAP server as a rules repository. In our environment we are
using LDAP to store all the policy information rules, and I have
software that reads those policies from the LDAP server and applies them
to the network devices and servers.
I'm thinking of a scenario with multiple meters and a central
repository with all the rules.
Thanks in advance