From netramet-owner Fri Dec 7 20:57:38 2001

From netramet-owner Fri Dec 7 20:57:38 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id UAA07096
for netramet-outgoing; Fri, 7 Dec 2001 20:52:20 +1300 (NZDT)
Received: from auckland.ac.nz ([email protected] [130.216.3.1])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id UAA07081
for <[email protected]>; Fri, 7 Dec 2001 20:52:15 +1300 (NZDT)
Message-Id: <[email protected]>
Date: Thu, 6 Dec 2001 23:51:14 -0800 (PST)
From: [email protected]
Subject: New NeTraMet beta available
To: [email protected]
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Sender: [email protected]
Precedence: bulk

Hello all:

NeTraMet 4.4 will be released within the next few weeks. I've put the
final beta version of it, NeTraMet44b11.tar.gz in the beta-versions
directory on the distribution site (reach it via the NeTraMet web site,
www.auckland.ac.nz/net/NeTraMet).

Note that we have a new distribution site in Australia:
http://planetmirror.com/pub/netramet/
ftp://planetmirror.com/pub/netramet/
This is mirroring the main Auckland NeTraMet site.

4.4 implements quite a few new features, mostly relating to versions
of the NeTraMet which handle high-speed interface cards, i.e. the
Dag cards from the WAND group at Waikato, and other cards supported
by CAIDA's CoralReef traffic analysis package.

It also implements LfapMet, a version of the meter which uses LFAP
data as input; this could be very useful if you have a router (e.g.
from Enterasys) which exports LFAP.

Details of changes are given in the release notes file, i.e.
NeTraMet44b11/doc/NeTraMet/version.history.

The packet matching code in 4.4 has been very carefully polished, and
a new hashing algorithm implemented, so as to increase its
traffic-handling capacity. On a 1 GHz Pentium with two Dag4 cards
attached to an OC48 (2.4 Gb/s) link, NeTraMet 4.4 has been used to
run two rulesets, metering traffic loads around 900 Mb/s and
200 kp/s (5-second average rates), and coping with peaks of 400 kp/s.

I have tested NeTraMet, NeMaC, srl, fd_filter, etc. on Linux, Solaris
and Tru-64 (Alpha). LfapMet has also been tested. I need testing
reports from users on all the meters, especially for NetFlowMet (which
I am unable to test myself). Do please download 44b11, try it, and
send me a note reporting either that is works fine, or reporting any
problems you encounter. I won't add any further new features to 4.4.
As soon as I have enough test reports to be confident, I'll release
a production version.

Cheers, Nevil

-----------------------------------------------------------------------
Nevil Brownlee Director, Technology Development
Phone: +64 9 373 7599 x8941 ITSS, The University of Auckland
FAX: +64 9 373 7021 Private Bag 92019, Auckland, New Zealand

From netramet-owner Sat Dec 8 02:29:12 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id CAA09344
for netramet-outgoing; Sat, 8 Dec 2001 02:28:06 +1300 (NZDT)
Received: from mail.zrz.tu-berlin.de (mail.zrz.TU-Berlin.DE [130.149.4.15])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id CAA09335;
Sat, 8 Dec 2001 02:28:03 +1300 (NZDT)
Received: from wncs.zrz.tu-berlin.de ([130.149.2.12])
by mail.zrz.tu-berlin.de with smtp (exim-3.33)
id 16CL2H-0002MO-00; Fri, 07 Dec 2001 14:27:29 +0100
Received: from wncs.zrz.TU-Berlin.DE by wncs.zrz.TU-Berlin.DE (8.8.8/ZRZ-Gen-8)
with ESMTP id OAA01879;
Fri, 7 Dec 2001 14:27:28 +0100 (MET)
Message-Id: <[email protected]>
X-Mailer: exmh version 2.1.1 10/15/1999
To: [email protected]
Cc: [email protected]
Subject: Re: New NeTraMet beta available
In-reply-to: Your message of "Thu, 06 Dec 2001 23:51:14 PST"
<[email protected]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 07 Dec 2001 14:27:27 +0100
From: Dieter Kasielke <[email protected]>
Sender: [email protected]
Precedence: bulk

On Thu, 06 Dec 2001 23:51:14 PST [email protected] wrote:
> ...
> ... Do please download 44b11, try it, and
> send me a note reporting either that is works fine, or reporting any
> problems you encounter.

Hello Nevil

trying to compile it under Linux, i got two errors: 2 comment signs (#)
are missing in "src/meter/Makefile.in" ca. lines 35 - 40. The lines look:
(configured with Dag support))
(usually stdin)
After adding a # at the start of line, "make" and "make install"
complete without errors.

Thanks for the new release, looks really interesting.
Dieter

---
Dieter Kasielke, ZRZ (Zentraleinrichtung Rechenzentrum), Sekr.: EN 50,
Technische Universitaet Berlin, Einsteinufer 17, D-10587 Berlin, GERMANY.
email: [email protected], phone: +49 30 314 - 23733, fax: - 21060

From netramet-owner Sat Dec 8 04:06:28 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id EAA18885
for netramet-outgoing; Sat, 8 Dec 2001 04:05:44 +1300 (NZDT)
Received: from fdpnmailgw1.mailgws.com (fdpnmailgw1.dpn.deere.com [192.43.65.82] (may be forged))
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with SMTP id EAA18880;
Sat, 8 Dec 2001 04:05:41 +1300 (NZDT)
Received: from 164.121.15.19 by fdpnmailgw1.mailgws.com with ESMTP (
Tumbleweed MMS SMTP Relay (MMS v4.7)); Fri, 07 Dec 2001 09:05:09 -0600
X-Server-Uuid: 2d3b7162-db1d-11d3-b8ee-0008c7dfb6f1
Received: by edxgw1.dx.deere.com with Internet Mail Service (5.5.2653.19
) id <YGZFH630>; Fri, 7 Dec 2001 09:05:09 -0600
Message-ID: <[email protected]>
From: "Riaz Nadeem" <[email protected]>
To: [email protected]
cc: [email protected]
Subject: RE: New NeTraMet beta available
Date: Fri, 7 Dec 2001 09:05:01 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
X-WSS-ID: 100E052F21301-01-01
Content-Type: text/plain;
charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Precedence: bulk

I am using the NetFlowMet 4.3 now. I would be interested in testing the 4.4.
I downloaded the 44b5 but I see you are referring to 44b11 in your note. Let
me know if the 44b5 is what we need to test.

REGARDS,
NADEEM RIAZ

-----Original Message-----
From: Dieter Kasielke [mailto:[email protected]]
Sent: Friday, December 07, 2001 7:27 AM
To: [email protected]
Cc: [email protected]
Subject: Re: New NeTraMet beta available

On Thu, 06 Dec 2001 23:51:14 PST [email protected] wrote:
> ...
> ... Do please download 44b11, try it, and
> send me a note reporting either that is works fine, or reporting any
> problems you encounter.

Hello Nevil

trying to compile it under Linux, i got two errors: 2 comment signs (#)
are missing in "src/meter/Makefile.in" ca. lines 35 - 40. The lines look:
(configured with Dag support))
(usually stdin)
After adding a # at the start of line, "make" and "make install"
complete without errors.

Thanks for the new release, looks really interesting.
Dieter

---
Dieter Kasielke, ZRZ (Zentraleinrichtung Rechenzentrum), Sekr.: EN 50,
Technische Universitaet Berlin, Einsteinufer 17, D-10587 Berlin, GERMANY.
email: [email protected], phone: +49 30 314 - 23733, fax: - 21060

From netramet-owner Sat Dec 8 14:31:30 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id OAA21707
for netramet-outgoing; Sat, 8 Dec 2001 14:29:19 +1300 (NZDT)
Received: from caida.org (ipn.caida.org [192.172.226.30])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id OAA21700;
Sat, 8 Dec 2001 14:29:16 +1300 (NZDT)
Received: from localhost (nevil@localhost)
by caida.org (8.9.3+Sun/8.9.1) with ESMTP id RAA16484;
Fri, 7 Dec 2001 17:29:01 -0800 (PST)
Date: Fri, 7 Dec 2001 17:29:01 -0800 (PST)
From: Nevil Brownlee <[email protected]>
To: Riaz Nadeem <[email protected]>
cc: [email protected], <[email protected]>
Subject: RE: New NeTraMet beta available
In-Reply-To: <[email protected]>
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk

Hello Riaz:

> I am using the NetFlowMet 4.3 now. I would be interested in testing the 4.4.
> I downloaded the 44b5 but I see you are referring to 44b11 in your note. Let
> me know if the 44b5 is what we need to test.

beta-versions/44b11 os what I'd like you to test. That's now the
only version on the distribution site.

Cheers, Nevil

-------------------------------------------------------------
Nevil Brownlee Internet Researcher
Phone: (858) 534 8338 CAIDA, San Diego

From netramet-owner Sat Dec 8 14:38:40 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id OAA23076
for netramet-outgoing; Sat, 8 Dec 2001 14:38:36 +1300 (NZDT)
Received: from caida.org (ipn.caida.org [192.172.226.30])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id OAA23071;
Sat, 8 Dec 2001 14:38:33 +1300 (NZDT)
Received: from localhost (nevil@localhost)
by caida.org (8.9.3+Sun/8.9.1) with ESMTP id RAA16476;
Fri, 7 Dec 2001 17:27:18 -0800 (PST)
Date: Fri, 7 Dec 2001 17:27:18 -0800 (PST)
From: Nevil Brownlee <[email protected]>
To: Dieter Kasielke <[email protected]>
cc: [email protected], <[email protected]>
Subject: Re: New NeTraMet beta available
In-Reply-To: <[email protected]>
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk

Hello Dieter:

> trying to compile it under Linux, i got two errors: 2 comment signs (#)
> are missing in "src/meter/Makefile.in" ca. lines 35 - 40. The lines look:
> (configured with Dag support))
> (usually stdin)
> After adding a # at the start of line, "make" and "make install"
> complete without errors.
>
> Thanks for the new release, looks really interesting.

Thanks for the bug report, I've fixed that in the file on the
distribution site.

Cheers, Nevil

-------------------------------------------------------------
Nevil Brownlee Internet Researcher
Phone: (858) 534 8338 CAIDA, San Diego

From netramet-owner Tue Dec 18 19:58:42 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id TAA16074
for netramet-outgoing; Tue, 18 Dec 2001 19:53:54 +1300 (NZDT)
Received: from staff-mail.highway1.com.au (staff-mail.highway1.net.au [203.32.127.95] (may be forged))
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id TAA16069
for <[email protected]>; Tue, 18 Dec 2001 19:53:53 +1300 (NZDT)
Received: from [203.32.127.151] (cliff.highway1.com.au [203.32.127.151])
by staff-mail.highway1.com.au (8.11.6/8.11.6) with ESMTP id fBI6rrH05011
for <[email protected]>; Tue, 18 Dec 2001 14:53:53 +0800 (WST)
Mime-Version: 1.0
X-Sender: [email protected]
Message-Id: <a05101003b84493dc5e7f@[203.32.127.151]>
Date: Tue, 18 Dec 2001 14:52:15 +0800
To: [email protected]
From: Cliff Tindall <[email protected]>
Subject: NetFlowMet
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: [email protected]
Precedence: bulk

Hi,
I am new to the list, but have been using NetRaMet for a few
years, and we use the output for accounting and tracking purposes.

With the growth of our network, we recently started using Cisco's netflow data.

We are running both systems side by side, and the server collating
the NetFlow data measures less traffic, and often in only one
direction. Commands on the routers show that the information is being
recieved by the collector, and in one test case one router shows the
traffic for one direction and another router shows the flows for the
other direction. Our recorded data, does not contain both flows.

Here is a cut down version of our rules file.... It does exactly what
we want on the NeTraMet server but not on the NetFlowMet server

Here is what we get from NetFlowMet
%grep 203.32.124.20 203.7.224.14.flows.001 | more
37 100422951 203.32.124.20 208.244.255.9 3504 6504 56820 0
756 104380092 203.32.124.20 208.244.255.9 2001 5001 4358 0
6769 102689609 203.32.124.20 208.244.255.9 3502 6502 34104 0
7087 107629855 203.32.124.20 208.244.255.9 3501 6501 30980 0

And from NeTraMet
stats:cliff 126> grep 203.32.124.20 203.23.219.6.flows.001 | more
865 1202661739 203.32.124.20 208.244.255.9 3504 6504 113820 113820
941 1202663116 203.32.124.20 208.244.255.9 3501 6501 311625 307020
944 1202663128 203.32.124.20 208.244.255.9 3502 6502 691125 677368

I would be glad for any input on this one :-)

#Source file: highway1-master.nevil-brownlee.srl
#Compiled by: SRL compiler, version 4.3
#Time: 11:52:16 Thu 1 Jun 2000
sourcepeertype & 255.0 = 1.0: goto, a1;
null & 0 = 0: gotoact, n1;
n1:
null & 0 = 0: ignore, 0;
g1:
sourcepeeraddress & 255.255.252 = 203.32.124: goto, a2;
sourcepeeraddress & 255.255.255 = 203.32.66: goto, a2;
sourcepeeraddress & 255.255.255 = 203.31: goto, a2;
sourcepeeraddress & 255.255.255 = 203.56.102: goto, a2;
null & 0 = 0: gotoact, n3;
n3:
g3:
null & 0 = 0: nomatch, 0;
a1:
sourcetransaddress & 255.255 = 0.53: ignore, 0;
desttransaddress & 255.255 = 0.53: ignore, 0;
null & 0 = 0: gotoact, n2;
n2:
sourcetransaddress & 255.255 = 0.0: pushpkttoact, next;
desttransaddress & 255.255 = 0.0: pushpkttoact, next;
sourcepeertype & 255.0 = 0.0: pushpkttoact, next;
null & 0 = 0: goto, g1;
a2:
destpeeraddress & 255.255.252 = 203.32.124: ignore, 0;
destpeeraddress & 255.255.255 = 203.32.66: ignore, 0;
destpeeraddress & 255.255.255 = 203.31: ignore, 0;
destpeeraddress & 255.255.255 = 203.56.102: ignore, 0;
null & 0 = 0: gotoact, n4;
n4:
sourcepeeraddress & 255.255.255.255 = 0.0: pushpkttoact, next;
destpeeraddress & 255.255.255.255 = 0.0: pushpkttoact, next;
null & 0 = 0: count, 0;
set 5;
format
flowindex firsttime " " sourcepeeraddress destpeeraddress " "
sourcetransaddress desttransaddress " " tooctets fromoctets;
statistics;
--
Cliff Tindall
Technical Manager
Highway1 (Aust) Pty Ltd
Phone: (08) 94888999
Fax: (08) 94888900

From netramet-owner Wed Dec 19 22:03:16 2001
Received: (from majordom@localhost)
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id VAA16310
for netramet-outgoing; Wed, 19 Dec 2001 21:57:44 +1300 (NZDT)
Received: from junk.tsinet.ru (junk.tsinet.ru [195.34.38.2])
by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id VAA16304
for <[email protected]>; Wed, 19 Dec 2001 21:57:41 +1300 (NZDT)
Received: from junk.tsinet.ru (localhost [127.0.0.1])
by junk.tsinet.ru (8.12.0/8.12.0) with ESMTP id fBJ8mPVi030468
for <[email protected]>; Wed, 19 Dec 2001 11:48:25 +0300 (MSK)
Received: (from pvk@localhost)
by junk.tsinet.ru (8.12.0/8.12.0/Submit) id fBJ8mN3S020618
for [email protected]; Wed, 19 Dec 2001 11:48:23 +0300 (MSK)
Date: Wed, 19 Dec 2001 11:48:23 +0300
From: Pavel Korovin <[email protected]>
To: [email protected]
Subject: "mask" attributes in FORMAT statement (srl issue)
Message-ID: <[email protected]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.21i
Sender: [email protected]
Precedence: bulk

Not sure if it's a bug, but I've got the following error with such FORMAT
in .srl file:
11:41:32 Wed 19 Dec 2001: Compiling rules-01.srl
rules-01.srl 28: SourcePeerAddress SourcePeerMask DestPeerAddress DestPeerMask
^^^^^^^^^^^^^^
ERROR >>>> Attribute not allowed in FORMAT
^^^^^^^^^^^^
ERROR >>>> Attribute not allowed in FORMAT

rules-01.srl compiled: 2 errors and 0 warnings

Why can't we use mask attributes like SourcePeerMask and DestPeerMask in FORMAT
statement? It can make sense if for example we post-process and pull the
flow data to PostgreSQL database (PostgreSQL RDBM has inet type for network
addresses).

--
Pavel Korovin