From netramet-owner  Fri Jan  4 05:37:34 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id FAA06619
       for netramet-outgoing; Fri, 4 Jan 2002 05:34:14 +1300 (NZDT)
Received: from eccmc3.cmc.ec.gc.ca (eccmc3.cmc.ec.gc.ca [142.135.5.60])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id FAA06612;
       Fri, 4 Jan 2002 05:34:11 +1300 (NZDT)
Received: by eccmc3.cmc.ec.gc.ca with Internet Mail Service (5.5.2653.19)
       id <Y6DQ9C61>; Thu, 3 Jan 2002 11:33:35 -0500
Message-ID: <[email protected]>
From: "Sullivan,Deric [CMC]" <[email protected]>
To: "'[email protected]'" <[email protected]>
Cc: "Sullivan,Deric [CMC]" <[email protected]>,
       "'[email protected]'" <[email protected]>
Subject: FW: Is 0 a valid return value for a variable with "SYNTAX  Integer32  (1..255)"
Date: Thu, 3 Jan 2002 11:33:35 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain;
       charset="iso-8859-1"
Sender: [email protected]
Precedence: bulk

Hi Nevil,

       I'm trying to implement an RTFM meter reader that reads from your
NetFlowMet and NeTraMet and stores the data into a PostgreSQL database.
While creating the database table that would represent the flowDataEntry MIB
table I ran into a problem.  I added constraints on the database table that
matched the MIB, which meant, for example, that flowDataSourceTransType
could only have a value of between 1 and 255 inclusive.  However, the meter
(running NeTraMet ver 4.4b11) can return a value of zero for a
flowDataSourceTransType instance.  Although I see the need for the return
value of zero, I don't think it should be allowed according to the MIB
(defined in RFC2720).  Should the MIB be modified?

       Below is a copy of a letter I sent out to an SNMP mailing list.
The replies that I got indicated that 0 was not a valid reply for a MIB
variable using that specific syntax.

Thanks,
Deric Sullivan


-----Original Message-----
From: Deric Sullivan [mailto:[email protected]]
Sent: Wednesday, October 17, 2001 4:05 PM
Subject: Is 0 a valid return value for a variable with "SYNTAX Integer32
(1..255)"


Hello,

   Is 0 a valid return value for a variable with "SYNTAX  Integer32
(1..255)"?  I used net-snmp's (ucd-snmp) snmpget application to get a
value from OID instance .1.3.6.1.2.1.40.2.1.1.11.4.875629944.3
(flowMIB.flowData.flowDataTable.flowDataEntry.flowDataSourceTransType.4.875629944.3)
and the value returned was 0.  flowMIB is defined in RFC2720 and what I
think is the relevant part is copied below.  In my particular example,
the return value of zero is letting me know that there is no Transport,
however I would have thought that if zero could be returned then it would
have to be added in the range (e.g. "SYNTAX  Integer32 (0..255)") and
something could have been added to the description to explain the use of
zero.  If 0 is not a valid return value, is there any option to snmpget
that would tell it to warn me that the syntax range is not being
respected?
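
The range check asked about above can be done in the meter reader itself before the database insert. This is an added Python example, not code from the post, NeTraMet or net-snmp; it assumes the caller chooses whether 0 is stored as SQL NULL, and every sample value except the first instance (taken from the message) is constructed.

```python
"""Check polled SNMP integers against the MIB SYNTAX range before a database insert."""
import re

# Matches a sub-typed SMIv2 integer clause such as "Integer32 (1..255)".
SYNTAX_RE = re.compile(r"^\s*(Integer32|INTEGER|Unsigned32)\s*\(([^()]*)\)\s*$")


def parse_syntax_ranges(syntax):
    """Return the permitted (low, high) pairs of a SYNTAX clause."""
    m = SYNTAX_RE.match(syntax)
    if m is None:
        raise ValueError(f"unsupported SYNTAX clause: {syntax!r}")
    ranges = []
    for part in m.group(2).split("|"):          # "0 | 2..255" lists alternatives
        bounds = [int(b) for b in part.split("..")]
        if len(bounds) == 1:                    # single value, e.g. "0"
            bounds *= 2
        if len(bounds) != 2 or bounds[0] > bounds[1]:
            raise ValueError(f"bad range {part!r} in {syntax!r}")
        ranges.append((bounds[0], bounds[1]))
    return ranges


def classify(value, ranges, unused_sentinel=None):
    """Return (value_to_store, action); action is 'ok', 'null' or 'reject'."""
    if any(lo <= value <= hi for lo, hi in ranges):
        return value, "ok"
    if unused_sentinel is not None and value == unused_sentinel:
        return None, "null"                     # stored as SQL NULL
    return None, "reject"


def screen_samples(column, syntax, samples, unused_sentinel=None):
    """Split polled (instance, value) pairs into rows to insert and deviations to log."""
    ranges = parse_syntax_ranges(syntax)
    rows, deviations = [], []
    for instance, value in samples:
        stored, action = classify(value, ranges, unused_sentinel)
        if action != "reject":
            rows.append((instance, stored))
        if action != "ok":
            deviations.append(
                f"{column}.{instance}: {value} outside {syntax} -> {action}")
    return rows, deviations


def check_constraint_sql(column, syntax):
    """CHECK clause for the declared range. A NULL column value passes a CHECK,
    so a sentinel stored as NULL does not require widening the range."""
    terms = [f"{column} BETWEEN {lo} AND {hi}"
             for lo, hi in parse_syntax_ranges(syntax)]
    return "CHECK (" + " OR ".join(terms) + ")"


COLUMN = "flowDataSourceTransType"
SYNTAX = "Integer32 (1..255)"
# First instance and its value 0 are from the message; the rest are constructed.
SAMPLES = [
    ("4.875629944.3", 0),
    ("4.875629944.4", 6),
    ("4.875629944.5", 17),
    ("4.875629944.6", 256),
]

if __name__ == "__main__":
    print(check_constraint_sql(COLUMN, SYNTAX))
    rows, deviations = screen_samples(COLUMN, SYNTAX, SAMPLES, unused_sentinel=0)
    for row in rows:
        print("insert", row)
    for line in deviations:
        print("deviation", line)
```

Every out-of-range value ends up in the deviation list whether or not it is stored, so an agent that does not respect the declared range is logged.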


From netramet-owner  Fri Jan  4 08:30:50 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id IAA18465
       for netramet-outgoing; Fri, 4 Jan 2002 08:30:08 +1300 (NZDT)
Received: from stimpy.networkrobots.com ([65.89.31.210])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id IAA18455;
       Fri, 4 Jan 2002 08:30:06 +1300 (NZDT)
Received: from vphalke (dhcp-2-172.networkrobots.com [192.168.2.172])
       by stimpy.networkrobots.com (8.11.0/8.8.7) with SMTP id g03JTs620475;
       Thu, 3 Jan 2002 11:29:54 -0800
From: "Vidya Phalke" <[email protected]>
To: "'Sullivan,Deric [CMC]'" <[email protected]>,
       <[email protected]>
Cc: <[email protected]>
Subject: RE: Is 0 a valid return value for a variable with "SYNTAX  Integer32  (1..255)"
Date: Thu, 3 Jan 2002 11:28:51 -0800
Message-ID: <009401c1948c$e0b587d0$ac02a8c0@vphalke>
MIME-Version: 1.0
Content-Type: text/plain;
       charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
In-Reply-To: <[email protected]>
X-Logged: Logged by stimpy.networkrobots.com as g03JTs620475 at Thu Jan  3 11:29:54 2002
Sender: [email protected]
Precedence: bulk

Zero will be returned in the case these fields are not being
used by a ruleset to do classification. So possibly the MIB
definition should be changed to include 0 for the values of
all the following:

flowData
=========

flowData [Source,Dest] AdjacentType
flowData [Source,Dest] PeerType
flowData [Source,Dest] TransType
flowData [Source,Dest] AdjacentType
flowData [Source,Dest] Class
flowDataClass
flowData [Source,Dest] Kind
flowDataKind

Regards,
-Vidya




From netramet-owner  Sat Jan  5 04:17:07 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id EAA03925
       for netramet-outgoing; Sat, 5 Jan 2002 04:15:02 +1300 (NZDT)
Received: from nscorp.com (ns.nscorp.com [167.121.0.56])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id EAA03920
       for <[email protected]>; Sat, 5 Jan 2002 04:15:00 +1300 (NZDT)
Received: from svcs44.atldc.nscorp.com (svcs44-dmz [10.4.30.42])
       by nscorp.com (8.9.2/8.9.3) with ESMTP id KAA26010
       for <[email protected]>; Fri, 4 Jan 2002 10:09:30 -0500 (EST)
Received: from gaatlitexch03s.atldc.nscorp.com ([10.2.246.75])
         by svcs44.atldc.nscorp.com (Netscape Messaging Server 4.15) with
         ESMTP id GPF6CY00.B4Z for <[email protected]>; Fri, 4 Jan
         2002 10:14:58 -0500
Received: by gaatlitexch03s.atldc.nscorp.com with Internet Mail Service (5.5.2653.19)
       id <C2ZDQMW1>; Fri, 4 Jan 2002 10:11:46 -0500
Message-ID: <A0FE3C26377C714B9EE7BE3FAACE6CC066D5B6@gaatlitexch06s>
From: "Morgan, Chip E." <[email protected]>
To: "Netramet Mailing List (E-mail)" <[email protected]>
Subject: Location of email archives
Date: Fri, 4 Jan 2002 10:15:40 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain;
       charset="iso-8859-1"
Sender: [email protected]
Precedence: bulk

Hi,
  I'm a new user of Netramet and wanted to get up to speed without bugging
the rest of you unnecessarily. However, I can't find the email archives
newer than May 2000. Is there an updated location for them?

Thanks,
  Chip Morgan


From netramet-owner  Tue Jan  8 02:04:48 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id BAA09334
       for netramet-outgoing; Tue, 8 Jan 2002 01:57:59 +1300 (NZDT)
Received: from nscorp.com (gip-8-133.nscorp.com [167.121.8.133] (may be forged))
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id BAA09329
       for <[email protected]>; Tue, 8 Jan 2002 01:57:57 +1300 (NZDT)
Received: from svcs44.atldc.nscorp.com (svcs44-dmz [10.4.30.42])
       by nscorp.com (8.9.2/8.9.3) with ESMTP id HAA06265
       for <[email protected]>; Mon, 7 Jan 2002 07:52:15 -0500 (EST)
Received: from gaatlitexch03s.atldc.nscorp.com ([10.2.246.75])
         by svcs44.atldc.nscorp.com (Netscape Messaging Server 4.15) with
         ESMTP id GPKK0I00.CT1 for <[email protected]>; Mon, 7 Jan
         2002 07:57:54 -0500
Received: by gaatlitexch03s.atldc.nscorp.com with Internet Mail Service (5.5.2653.19)
       id <C396SWGG>; Mon, 7 Jan 2002 07:54:41 -0500
Message-ID: <A0FE3C26377C714B9EE7BE3FAACE6CC066D5B8@gaatlitexch06s>
From: "Morgan, Chip E." <[email protected]>
To: "Netramet Mailing List (E-mail)" <[email protected]>
Subject: RE: Location of email archives
Date: Mon, 7 Jan 2002 07:58:28 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain;
       charset="iso-8859-1"
Sender: [email protected]
Precedence: bulk

Is this mailing list still alive? Is there anybody out there...


From netramet-owner  Tue Jan  8 05:00:07 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id EAA20320
       for netramet-outgoing; Tue, 8 Jan 2002 04:58:59 +1300 (NZDT)
Received: from nscorp.com (ns.nscorp.com [167.121.0.56])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id EAA20315
       for <[email protected]>; Tue, 8 Jan 2002 04:58:57 +1300 (NZDT)
Received: from svcs44.atldc.nscorp.com (svcs44-dmz [10.4.30.42])
       by nscorp.com (8.9.2/8.9.3) with ESMTP id KAA10144
       for <[email protected]>; Mon, 7 Jan 2002 10:53:25 -0500 (EST)
Received: from gaatlitexch03s.atldc.nscorp.com ([10.2.246.75])
         by svcs44.atldc.nscorp.com (Netscape Messaging Server 4.15) with
         ESMTP id GPKSE600.FYW; Mon, 7 Jan 2002 10:58:54 -0500
Received: by gaatlitexch03s.atldc.nscorp.com with Internet Mail Service (5.5.2653.19)
       id <C396S7J4>; Mon, 7 Jan 2002 10:55:40 -0500
Message-ID: <A0FE3C26377C714B9EE7BE3FAACE6CC066D5BE@gaatlitexch06s>
From: "Morgan, Chip E." <[email protected]>
To: "'Dave Burgess'" <[email protected]>
Cc: "Netramet Mailing List (E-mail)" <[email protected]>
Subject: How do you use Netramet?
Date: Mon, 7 Jan 2002 10:59:25 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain;
       charset="iso-8859-1"
Sender: [email protected]
Precedence: bulk

Dave,
  I'm trying to revamp my network traffic data collection, storage, and
display infrastructure. Currently, I use Cisco IP Accounting on a dozen core
routers to collect host to host IP traffic stats, and it's worked well on
data acquisition of core traffic. However, it's cpu intensive on the routers,
network intensive, and cpu intensive on the collection server. Also, I can't
collect local subnet server-server traffic with this paradigm.

  Netramet is clearly able to address server-server traffic. I'm close to
having a routine which will accept Netramet data and repackage it into my
current data storage format, so that I can use my existing display tools to
look at it. I want to be able to monitor unix and nt, so I'm eagerly
awaiting the nt port in 4.4 (although I haven't been able to get the 4.4b6
code to work yet).

  I intend to replace Cisco IP Accounting with Netflow on the core routers.
I'm very interested in exploring NetFlowMet to repackage this data with
Netramet, so that I can have a unified set of collection routines. I'm also
thinking about using Netflow in a highly summarized fashion further out from
the core to collect traffic stats by dscp for integration into interface
bandwidth graphing (although I may have to ditch this if it's not
practical).

  Beyond the data collection, however, I've got a lot of work to do in
revamping my data storage and retrieval scheme. I'm currently storing each
source's data in separate sets of hourly data files, keeping only those
records which exceed 2500 bits/sec over the 60 second monitor interval. I've
been delaying a move to a sql based database for a while now, mostly because
of my lack of knowledge about that area. It's definitely way overdue.

  Anyway, if you have time, I would love to hear how you are using
Netramet. Anybody else on the mailing list is more than welcome to
interject, too.

Thanks,
  Chip

Chip Morgan
Sr. Designer
IT Network Systems
Norfolk Southern Corp
Atlanta, GA USA

From netramet-owner  Tue Jan  8 09:22:04 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id JAA17961
       for netramet-outgoing; Tue, 8 Jan 2002 09:20:39 +1300 (NZDT)
Received: from nscorp.com (ns.nscorp.com [167.121.0.56])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id JAA17943
       for <[email protected]>; Tue, 8 Jan 2002 09:20:37 +1300 (NZDT)
Received: from svcs44.atldc.nscorp.com (svcs44-dmz [10.4.30.42])
       by nscorp.com (8.9.2/8.9.3) with ESMTP id PAA25366
       for <[email protected]>; Mon, 7 Jan 2002 15:15:06 -0500 (EST)
Received: from gaatlitexch03s.atldc.nscorp.com ([10.2.246.75])
         by svcs44.atldc.nscorp.com (Netscape Messaging Server 4.15) with
         ESMTP id GPL4IB00.1GR; Mon, 7 Jan 2002 15:20:35 -0500
Received: by gaatlitexch03s.atldc.nscorp.com with Internet Mail Service (5.5.2653.19)
       id <C396TDMB>; Mon, 7 Jan 2002 15:17:21 -0500
Message-ID: <A0FE3C26377C714B9EE7BE3FAACE6CC066D5C3@gaatlitexch06s>
From: "Morgan, Chip E." <[email protected]>
To: =?iso-8859-1?Q?=27Peter_H=F6lsken=27?= <[email protected]>
Cc: "Netramet Mailing List (E-mail)" <[email protected]>
Subject: RE: NeTraMet List
Date: Mon, 7 Jan 2002 15:21:06 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain;
       charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: [email protected]
Precedence: bulk

Peter,
  Glad to hear from you, and thanks for the background info on your
environment. I'm curious about the summarization that you are doing in your
rules file, as I am still struggling to come up to speed on this stuff. Are
you using one of the example rule files or did you write your own? Are you
counting 100% of the traffic into a single bucket?

Thanks,
  Chip

-----Original Message-----
From: Peter Hölsken [mailto:[email protected]]
Sent: Monday, January 07, 2002 2:53 PM
To: [email protected]
Subject: NeTraMet List


I'm still listening to the mailing list, however it seems to be quite silent
recently. About a year ago I posted some messages and got replies, even from
Nevil Brownlee himself. It was a bit more populated back then. The list
archive seems to be broken for a while now.

I'm using NeTraMet to collect traffic statistics about servers that can be
rented by our customers. A mediation device reads in the NeTraMet flow logs
and writes them into the Oracle database of our billing system. The
mediation device is running some perl script that does the conversion, it
was written by a third party, not by me so I don't know the inner workings.
After the mediation device was implemented, I generated exact amounts of
data of 1, 10 and 50 Gbytes to measure the accuracy. The result was a
maximum deviation of +1.36%. In order to avoid arguments with our customers,
we always subtract 2% of the measured traffic before billing them.

I'm running NeTraMet on a P3 Compaq Server with 256Mbyte RAM and FreeBSD.
The Meter is connected to a fast ethernet switch-port that mirrors the
internet uplink. We'll be switching to a gigabit uplink soon since we have
an OC-3 now, which is slightly faster than fast ethernet. Then I'll have to
measure the accuracy again.

Maybe I'll switch to Linux also, because the other employees here don't know
that much about BSD. I initially went with BSD because the libpcap
implementation was said to be quite inefficient under Linux. Hopefully this
has been resolved in the newer versions.


Best regards,

Peter Hoelsken


From netramet-owner  Tue Jan  8 12:07:20 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id MAA25718
       for netramet-outgoing; Tue, 8 Jan 2002 12:06:28 +1300 (NZDT)
Received: from auckland.ac.nz ([email protected] [130.216.3.1])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id MAA25695
       for <[email protected]>; Tue, 8 Jan 2002 12:06:24 +1300 (NZDT)
Message-Id: <[email protected]>
Date: Mon, 7 Jan 2002 17:02:11 -0800 (PST)
From: [email protected]
Subject: Fwd: fd_extract format file question.
To: [email protected]
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Sender: [email protected]
Precedence: bulk

Date: Tue, 08 Jan 2002 10:39:34 +1300
From: Admin <[email protected]>
Subject: fd_extract format file question.

Hello,

I have installed NeTraMet on a small network consisting of five class
"C" address ranges for accounting purposes. I have used fd_filter to
process the flow file produced by NeTraMet and tag the IP's that I want
an aggregate of the To/FromOctets from. However when I parse it with
fd_extract I am not getting the expected results.

Could somebody assist me with an example of what the format file for
fd_extract would look like for this function please.

Regards,

David.





From netramet-owner  Thu Jan 10 17:53:11 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id RAA11855
       for netramet-outgoing; Thu, 10 Jan 2002 17:48:56 +1300 (NZDT)
Received: from auckland.ac.nz ([email protected] [130.216.3.1])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id RAA11845
       for <[email protected]>; Thu, 10 Jan 2002 17:48:52 +1300 (NZDT)
Message-Id: <[email protected]>
Date: Wed, 9 Jan 2002 22:44:37 -0800 (PST)
From: [email protected]
Subject: Fwd: PAM2002 Registration Opens
To: [email protected]
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Sender: [email protected]
Precedence: bulk



------ Forwarded message ------
Subject: PAM2002 Registration Opens
Date: Wed, 9 Jan 2002 17:07:46 -0800

[Our apologies if you receive multiple copies of this announcement.]


            Passive & Active Measurement:  PAM 2002

                       REGISTRATION OPENS

A workshop on passive and active measurement and analysis techniques
for high speed computer networks and the Internet

                   Fort Collins, Colorado, USA
                       March 25-26, 2002

As the Internet has grown over the last decade the need for precise
measurement of the network and its traffic load have become steadily
more apparent; most of today's Internet Service Providers and many of
their large network customers are collecting and analyzing measurement
data for the purposes of performance monitoring, network engineering
and cost recovery, but the engineering quality of these measurements
vary.

A steadily growing number of research groups have been working in the
areas of:

- Active Measurements, i.e. sending test packets and observing their
 progress through the Internet,
- Passive Measurements, i.e. observing actual traffic on 'live' networks,
- Performance Metrics, i.e. developing measures or indicators which can
 be used to characterize traffic behavior,
- Traffic Statistics, i.e. attempting to understand and develop models
 of 'real' Internet traffic, and
- Visualization, i.e. finding effective ways to display what's happening
 in a network.

PAM 2002 is a two-day event focusing on research and practical
applications of passive and active measurement and analysis techniques
for high speed computer networks and the Internet.  This third PAM
workshop follows successful PAM workshops in Hamilton, New Zealand,
in 2000 and Amsterdam, in 2001.

Registration for this workshop has now been opened.  The cost of the
workshop is $275 (US) prior to March 1, and $300 (US) thereafter.
Attendance will be limited.  Last year's event sold out.  To register,
go to:

   http://www.labs.agilent.com/hosted/conferences/pam2002/registration/

Also available on the web-site are the preliminary program:

   http://www.labs.agilent.com/hosted/conferences/pam2002/program/index.htm


general information on the workshop:

   http://www.labs.agilent.com/pam2002

hotel information:


   http://www.labs.agilent.com/hosted/conferences/pam2002/accommodations/index.htm

and information about the Fort Collins area:

   http://www.labs.agilent.com/hosted/conferences/pam2002/area_info/

Rooms are available at the conference hotel.  A limited number of rooms
are available at a special rate, on a first-come basis.  These rooms begin
at $81 (US) for a single, $91 (US) for a double.  Mention "PAM 2002" to
receive the conference room rate.  To reserve a room, call, fax or email
the hotel.  Contact details can be found on the web page.

There are still opportunities for participants to present measurement
equipment and software. Proposals for demonstrations (about 500 words,
plain ASCII) should be sent by email to the conference chair at
[email protected] by 4 February 2002.

Contact information:

* PAM 2002
  c/o Agilent Laboratories
  4800 Wheaton Dr
  Fort Collins, CO  80525
  USA
* Phone:   +1-970-288-3821
* Fax:     +1-970-288-4234
* Email:   [email protected]
* Webpage: http://www.labs.agilent.com/pam2002



From netramet-owner  Sat Jan 19 08:47:10 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id IAA06797
       for netramet-outgoing; Sat, 19 Jan 2002 08:41:47 +1300 (NZDT)
Received: from smtp.prodigy.net.mx (dfproxy01.prodigy.net.mx [148.235.168.56] (may be forged))
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id IAA06789;
       Sat, 19 Jan 2002 08:41:43 +1300 (NZDT)
Received: from sandy (du-200-64-170-196.prodigy.net.mx [200.64.170.196])
by SMTP.Prodigy.Net.mx (Sun Internet Mail Server sims.4.0.2001.07.26.11.50.p9)
with SMTP id <[email protected]>; Fri,
18 Jan 2002 13:35:26 -0600 (CST)
Date: Fri, 18 Jan 2002 13:42:08 -0600
From: Sandra Salas <[email protected]>
Subject: question about srl
To: [email protected], [email protected]
Reply-to: Sandra Salas <[email protected]>
Message-id: <002901c1a058$386390e0$c4aa40c8@sandy>
Organization: QoS Labs
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2615.200
X-Mailer: Microsoft Outlook Express 5.00.2615.200
Content-type: text/plain;       charset="iso-8859-1"
Content-transfer-encoding: 7bit
X-Priority: 3
X-MSMail-priority: Normal
References: <[email protected]>
Sender: [email protected]
Precedence: bulk

Hi,


I have 4 sites: my local site is network A and my remote sites are
network B, network C, network D.
I would like to know the traffic between those points, but I want to classify
the traffic by ports (telnet, snmp, www, etc) AND by network.

(I have netflow in the router, and  I am using netflowmet, in network A).

 A <---> B
 A <---> C
 A <---> D

I did the configuration below, but with this kind of configuration I can
only classify specific ports. Is there an option I can use for any port?

something like  :  if SourceTransAddress <= 1024 ( I know that this operator
does not exist)  instead of
if SourceTransAddress == ( domain, ftp, ftpdata, gopher, nntp, ntp, smtp,
snmp, telnet, www, 79, 110, 143, 513, 515,137, 138, 139)   ???

Thanks in advance


Define red = ( 10.1.1.0/24,10.1.2.0/24,172.20.16.0/24,172.20.20.0/24);
# IP traffic only
if SourcePeerType == dummy ignore;
else if SourcePeerType == IP save;
else ignore;

set 4;


if ( DestPeerAddress == red &&  SourcePeerAddress == red &&  DestTransType == 6  && SourceTransAddress == 0/0) save;
if ( DestPeerAddress == red &&  SourcePeerAddress == red &&  DestTransType == 17  && SourceTransAddress == 0/0) save;
if ( DestPeerAddress == red &&  SourcePeerAddress == red &&  SourceTransType == 6  && DestTransAddress == 0/0) save;
if ( DestPeerAddress == red &&  SourcePeerAddress == red &&  SourceTransType == 17  && DestTransAddress == 0/0) save;
if (SourceTransType == (tcp, udp) ) save,

       if SourceTransAddress == ( domain, ftp, ftpdata, gopher, nntp, ntp,
               smtp, snmp, telnet, www, 79, 110, 1080, 8080 ) save;
               if DestTransAddress == (137, 138, 139)  save;
               else if DestTransAddress == (ftp, ftpdata) save;
               else if DestTransAddress == smtp  save;
               else if DestTransAddress == snmp save;
               else if DestTransAddress == (22, telnet) save;
               }
               else
               { # Not tcp or udp
                       save SourceTransType;
               }

save sourceinterface;
save destinterface;
count;


FORMAT FlowRuleSet FlowIndex FirstTime LastTime " "
       SourceKind DestKind FlowKind "  "
       SourcePeerType SourcePeerAddress SourcePeerMask DestPeerAddress DestPeerMask"  "
       SourceTransType DestTransType " "
       SourceTransAddress SourceTransMask DestTransAddress DestTransMask " "
       ToPDUs FromPDUs " " ToOctets FromOctets sourceinterface destinterface;




From netramet-owner  Wed Jan 23 01:23:50 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id BAA15016
       for netramet-outgoing; Wed, 23 Jan 2002 01:17:30 +1300 (NZDT)
Received: from virgo.cus.cam.ac.uk ([email protected] [131.111.8.20])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id BAA15010;
       Wed, 23 Jan 2002 01:17:26 +1300 (NZDT)
Received: from ajms (helo=virgo.cus.cam.ac.uk)
       by virgo.cus.cam.ac.uk with local-esmtp (Exim 3.952 #2)
       id 16Szrf-0000Rm-00; Tue, 22 Jan 2002 12:17:23 +0000
To: Sandra Salas <[email protected]>
cc: [email protected], [email protected]
Subject: Re: question about srl
In-reply-to: Your message of "Fri, 18 Jan 2002 13:42:08 CST."
            <002901c1a058$386390e0$c4aa40c8@sandy>
From: "Tony Stoneley" <[email protected]>
Date: Tue, 22 Jan 2002 12:17:23 +0000
Message-Id: <[email protected]>
Sender: [email protected]
Precedence: bulk

The absence of other replies makes me nervous, but...

>something like  :  if SourceTransAddress <= 1024 ( I know that this operator
>does not exist)  instead of
>if SourceTransAddress == ( domain, ftp, ftpdata, gopher, nntp, ntp, smtp,
>snmp, telnet, www,
>79, 110, 143, 513, 515,137, 138, 139)   ???

Think of port numbers as bit patterns, not numbers. 1024 is of course
a power of two, and srl and the underlying pattern matching engine are
good at masking and comparing bit patterns, even though they don't
really grok arithmetic. I have in mind something like -

if SourceTransAddress == 0&FC-00 # mask port with fc00 and compare with 0
   ; # unpriv port - no action
   # (or possibly something like "save SourceTransAddress=FF-FF;")
else save SourceTransAddress; # privileged port - note which

--
Tony Stoneley            Email:  [email protected]
Computing Service        Phone:  +44 1223 334710
Cambridge University
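
The mask-and-compare idea from the reply above, as an added example in C; it is not part of the original message and is not srl. It goes beyond the one case shown: the 0&FC-00 test is true for ports 0 through 1023, and the code splits any inclusive port range into such value/mask patterns, so the "<= 1024" in the question comes out as two patterns. The names pat, pat_match, range_to_pats and any_match are made up for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* One pattern (hypothetical type): a port matches when (port & mask) == value. */
struct pat { uint16_t value, mask; };

static int pat_match(struct pat p, uint16_t port)
{
    return (port & p.mask) == p.value;
}

/* Cover the inclusive range [lo, hi] with aligned power-of-two blocks,
 * each expressible as one value/mask pattern. Returns the pattern
 * count (at most 30 for 16-bit ports). */
static int range_to_pats(uint32_t lo, uint32_t hi, struct pat *out)
{
    int n = 0;
    while (lo <= hi) {
        uint32_t size = 1;
        /* Grow the block while it stays aligned on lo and inside hi. */
        while ((lo & (size * 2 - 1)) == 0 && lo + size * 2 - 1 <= hi)
            size *= 2;
        out[n].value = (uint16_t)lo;
        out[n].mask = (uint16_t)~(size - 1);
        n++;
        lo += size;
    }
    return n;
}

static int any_match(const struct pat *p, int n, uint16_t port)
{
    for (int i = 0; i < n; i++)
        if (pat_match(p[i], port))
            return 1;
    return 0;
}

int main(void)
{
    struct pat p[32];
    int n = range_to_pats(0, 1024, p);   /* "<= 1024" as asked */
    for (int i = 0; i < n; i++)
        printf("%04X & %04X\n", p[i].value, p[i].mask);
    return 0;
}
```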

From netramet-owner  Thu Jan 24 23:06:24 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id WAA09508
       for netramet-outgoing; Thu, 24 Jan 2002 22:59:45 +1300 (NZDT)
Received: from artemis.rus.uni-stuttgart.de (artemis.rus.uni-stuttgart.de [129.69.1.28])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id WAA09500
       for <[email protected]>; Thu, 24 Jan 2002 22:59:42 +1300 (NZDT)
Received: from ksat13 (ksat13.rus.uni-stuttgart.de [129.69.13.25])
       by artemis.rus.uni-stuttgart.de with SMTP id KAA22279
       for <[email protected]>; Thu, 24 Jan 2002 10:59:39 +0100 (MET)
       env-from ([email protected])
From: "Juergen Jaehnert" <[email protected]>
To: <[email protected]>
Subject: NeMaC IPv6 Question
Date: Thu, 24 Jan 2002 11:03:55 +0100
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
       charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <[email protected]>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: [email protected]
Precedence: bulk


Dear Nevil,
dear all,

we at Supercomputing Center of the University of Stuttgart have set up an
IPv6 environment based on Linux. Each machine has both an IPv4 and an IPv6
address.

When using the command NeMac -c... -r ... <hostname> for reading data from
the Meter
and if <hostname> is an IPv4 address we can also read IPv6 traffic and all
seems to work quite fine.

But if we use the IPv6 address for <hostname>, we get an error "can't open
SMTP port"; looking into the "log"-file, we get the error message: "can not
reach host".

Is there a possibility to use IPv6 addresses directly in NeMaC?


Thank you


regards

juergen

Juergen Jaehnert
Communication Systems &
Belwue Development              Tel: ++49 711 685 4273
National Supercomputing Center  Fax: ++49 711 678 8363
University of Stuttgart         e-mail: [email protected]


From netramet-owner  Fri Jan 25 11:40:14 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id LAA28732
       for netramet-outgoing; Fri, 25 Jan 2002 11:37:03 +1300 (NZDT)
Received: from caida.org (ipn.caida.org [192.172.226.30])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id LAA28719
       for <[email protected]>; Fri, 25 Jan 2002 11:37:02 +1300 (NZDT)
Received: from localhost (nevil@localhost)
       by caida.org (8.9.3+Sun/8.9.1) with ESMTP id OAA24764;
       Thu, 24 Jan 2002 14:36:50 -0800 (PST)
Date: Thu, 24 Jan 2002 14:36:50 -0800 (PST)
From: Nevil Brownlee <[email protected]>
To: Juergen Jaehnert <[email protected]>
cc: [email protected]
Subject: Re: NeMaC IPv6 Question
In-Reply-To: <[email protected]>
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk

Hi Juergen:

Oh oh, I've never had a v6 environment to test in (sorry about
that!)  NeMaC just takes the <hostname> argument off the command line
and passes it to NeTraMet's SNMP routines.  Those were derived from
the original CMU snmp, so of course they're full of the assumption that
IP addresses are 4 bytes long.

To change this will require making a new version of NeTraMet/Nemac/etc
which uses a more modern SNMP package - that seems a better idea than
just modifying the existing one.  At the same time it would be a good
idea to move to SNMPv3.  This would make a good project for an Engineering
student - anyone interested in actually doing it ???  :-)

Cheers, Nevil

-------------------------------------------------------------
  Nevil Brownlee                     Internet Researcher
  Phone: (858) 534 8338                 CAIDA, San Diego

On Thu, 24 Jan 2002, Juergen Jaehnert wrote:

>
> Dear Nevil,
> dear all,
>
> we at Supercomputing Center of the University of Stuttgart have set up an
> IPv6 environment based on Linux. Each machine has both an IPv4 and an IPv6
> address.
>
> When using the command NeMac -c... -r ... <hostname> for reading data from
> the Meter
> and if <hostname> is an IPv4 address we can also read IPv6 traffic and all
> seems to work quite fine.
>
> But if we use the IPv6 address for <hostname>, we get an error "can't open
> SMTP port"; looking into the "log"-file, we get the error message: "can not
> reach host".
>
> Is there a possibility to use IPv6 addresses directly in NeMaC?
>
>
> Thank you
>
>
> regards
>
> juergen
>
> Juergen Jaehnert
> Communication Systems &
> Belwue Development            Tel: ++49 711 685 4273
> National Supercomputing Center  Fax: ++49 711 678 8363
> University of Stuttgart       e-mail: [email protected]
>
>


From netramet-owner  Fri Jan 25 12:05:47 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id MAA07064
       for netramet-outgoing; Fri, 25 Jan 2002 12:03:54 +1300 (NZDT)
Received: from caida.org (ipn.caida.org [192.172.226.30])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id MAA07049
       for <[email protected]>; Fri, 25 Jan 2002 12:03:52 +1300 (NZDT)
Received: from localhost (nevil@localhost)
       by caida.org (8.9.3+Sun/8.9.1) with ESMTP id PAA24940;
       Thu, 24 Jan 2002 15:03:48 -0800 (PST)
Date: Thu, 24 Jan 2002 15:03:48 -0800 (PST)
From: Nevil Brownlee <[email protected]>
To: Juergen Jaehnert <[email protected]>
cc: [email protected]
Subject: Re: NeMaC IPv6 Question
In-Reply-To: <[email protected]>
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk


Hello again Juergen:

One further thought on this: although NeMaC only communicates with
NeTraMet meters via the SNMP package, the meter code which opens
the SNMP port is coded assuming v4 addresses.  There wouldn't be
very much work to modify the code in the receive() function of
meter_ux.c to do this; it needs to be done in addition to moving
to a better SNMP package.

Cheers, Nevil

-------------------------------------------------------------
  Nevil Brownlee                     Internet Researcher
  Phone: (858) 534 8338                 CAIDA, San Diego
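
The contrast described in the two replies above, between code that assumes 4-byte IP addresses and code that does not, as an added example in C. It is not NeTraMet, NeMaC or CMU SNMP source; the function names, the sample addresses and the port string "161" are assumptions made for the illustration.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical legacy-style helper: the address is a 4-byte value, so
 * only dotted-quad input can be represented. Returns 1 on success. */
static int parse_v4_only(const char *host, in_addr_t *out)
{
    in_addr_t a = inet_addr(host);
    if (a == INADDR_NONE)       /* also rejects 255.255.255.255 */
        return 0;
    *out = a;
    return 1;
}

/* Family-agnostic helper (hypothetical): getaddrinfo() picks the family
 * and the result goes into a sockaddr_storage, which holds v4 and v6
 * alike. Returns AF_INET, AF_INET6, or -1 on failure. */
static int parse_any(const char *host, const char *port,
                     struct sockaddr_storage *ss, socklen_t *len)
{
    struct addrinfo hints, *res;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;              /* v4 or v6 */
    hints.ai_socktype = SOCK_DGRAM;           /* SNMP runs over UDP */
    hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;  /* no lookups */
    if (getaddrinfo(host, port, &hints, &res) != 0)
        return -1;
    memcpy(ss, res->ai_addr, res->ai_addrlen);
    *len = res->ai_addrlen;
    int family = res->ai_family;
    freeaddrinfo(res);
    return family;
}

int main(void)
{
    const char *hosts[] = { "192.0.2.10", "2001:db8::10" }; /* constructed */
    for (int i = 0; i < 2; i++) {
        struct sockaddr_storage ss; socklen_t len; in_addr_t a;
        printf("%-14s v4-only=%d any=%d\n", hosts[i],
               parse_v4_only(hosts[i], &a), parse_any(hosts[i], "161", &ss, &len));
    }
    return 0;
}
```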