From netramet-owner  Fri Feb  1 12:20:47 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id MAA27287
       for netramet-outgoing; Fri, 1 Feb 2002 12:15:42 +1300 (NZDT)
Received: from mail.arc.nasa.gov (pony1.arc.nasa.gov [143.232.48.201])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id MAA27205
       for <[email protected]>; Fri, 1 Feb 2002 12:15:26 +1300 (NZDT)
Received: from arc.nasa.gov (jtoung.arc.nasa.gov [128.102.196.181])
       by mail.arc.nasa.gov (8.9.3/8.9.3) with ESMTP id PAA29746;
       Thu, 31 Jan 2002 15:15:16 -0800 (PST)
Message-ID: <[email protected]>
Date: Thu, 31 Jan 2002 15:15:22 -0800
From: Jerry Toung <[email protected]>
Reply-To: [email protected]
X-Mailer: Mozilla 4.7 (Macintosh; U; PPC)
X-Accept-Language: en
MIME-Version: 1.0
To: NeTraMet <[email protected]>
CC: Ken Keys <[email protected]>
Subject: NeTraMet44b11 & CoralReef problem
Content-Type: text/plain; charset=us-ascii; x-mac-type="54455854"; x-mac-creator="4D4F5353"
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Precedence: bulk

Hi,
I've been trying to capture traffic with NeTraMet (44b11) over the
CoralReef software
distribution (3.5.1-public).
Applications like crl_flow show few IP packets, because that link is
almost idle, but still go through.
When I run NeTraMet here is what I got:

[root@nren-mon5 meter]# ./crl_ntm -m 9988 -C "iomode=phy=ATM,bw=OC12c"
-Cv=8 -r xxxx -w xxxx -S /dev/dag0

NeTraMet: CoralReef Meter 4.4b11
coral_open: /dev/dag0: fd 4
coral (/dev/dag0): mmap 32 blocks of 1048576 bytes = 33554432 bytes
coral offset: /dev/dag0: (nil) mmap: 0x410ef000
coral_dag_init: /dev/dag0 is configured for OC12c (599040 Kbps) ATM
1502:43  1 coral interfaces opened
coral_start: starting /dev/dag0
Running on nren-mon5.nren.nasa.gov, interface(s) /dev/dag0 (DAG card)
coral: dag_nextblk NEXTBLK: Resource temporarily unavailable
coral: dag_nextblk NEXTBLK: Resource temporarily unavailable
-----------------------------------------------------------------------------

coral: dag_nextblk NEXTBLK: Resource temporarily unavailable
coral: dag_nextblk NEXTBLK: Resource temporarily unavailable
coral: dag_nextblk NEXTBLK: Resource temporarily unavailable
1502:53  init_live_sources(): couldn't get data from interface(s)
1502:53  Shutting down
coral_stop /dev/dag0
coral_close /dev/dag0
[root@nren-mon5 meter]#

My question is, is this happening because I don't have enough traffic?
As for now it would be hard for me to generate traffic on that link,
but if that turns out to be the reason I can work that out with
network engineers.
I understand that DAG devices return their data to CoralReef in blocks
of 16384 ATM cells.  Normally, they do not return any data until a
block fills up. Is that why I can't proceed with my data collection
(error message)?
Thank you, any help is appreciated.

Jerry.







From netramet-owner  Tue Feb  5 22:06:31 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id WAA03476
       for netramet-outgoing; Tue, 5 Feb 2002 22:00:21 +1300 (NZDT)
Received: from mout03.kundenserver.de (mout03.kundenserver.de [195.20.224.218])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id WAA03471
       for <[email protected]>; Tue, 5 Feb 2002 22:00:19 +1300 (NZDT)
From: [email protected]
Received: from [195.20.224.196] (helo=mxbulk00.kundenserver.de)
       by mout03.kundenserver.de with esmtp (Exim 2.12 #2)
       id 16Y1SX-0000LC-00
       for [email protected]; Tue, 5 Feb 2002 10:00:13 +0100
Received: from [172.23.4.132] (helo=config5.kundenserver.de)
       by mxbulk00.kundenserver.de with esmtp (Exim 3.22 #2)
       id 16Y1SU-0004Qw-00
       for [email protected]; Tue, 05 Feb 2002 10:00:10 +0100
Received: from www-data by config5.kundenserver.de with local (Exim 3.12 #1 (Debian))
       id 16Y1SU-0006Bz-00
       for <[email protected]>; Tue, 05 Feb 2002 10:00:10 +0100
To: [email protected]
Subject: Strange Rule File ?
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
X-Originating-From: 6198928
X-Binford: 6100 (more power)
Message-Id: <[email protected]>
Date: Tue, 05 Feb 2002 10:00:10 +0100
Sender: [email protected]
Precedence: bulk

Hello everybody,

I am pretty new to NeTraMet and I'm using it for a university project
of my computer science study.  The sole task I want to do, is the
tracing of the traffic/flows created by a specified IP-Address. For that
I wrote a rule-file , but it doesn't work as expected. Here it comes:

IF SourcePeerAddress == 192.168.218.71 & 255.255.255.255 {
       SAVE SourcePeerAddress/32 ;
       SAVE DestPeerAddress/32;
       COUNT;
       }
SET 3;
FORMAT SourcePeerAddress DestPeerAddress ;

The SRL compiler doesn't find any error, but after uploading it on the
meter, no flow with the given SourcePeerAddress is recorded although I
am generating such kind of flows "manually".

Can anybody tell me, what's wrong with this rule-file ? I would be happy
about any tip .

Thank you in advance

Valentin

From netramet-owner  Sat Feb  9 23:34:10 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id XAA08949
       for netramet-outgoing; Sat, 9 Feb 2002 23:26:56 +1300 (NZDT)
Received: from moutvdom01.kundenserver.de (moutvdom01.kundenserver.de [195.20.224.200])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id XAA08943
       for <[email protected]>; Sat, 9 Feb 2002 23:26:53 +1300 (NZDT)
Received: from [172.19.20.61] (helo=mrvdomng0.kundenserver.de)
       by moutvdom01.kundenserver.de with esmtp (Exim 2.12 #2)
       id 16ZUiU-0002bp-00
       for [email protected]; Sat, 9 Feb 2002 11:26:46 +0100
Received: from [62.155.144.95] (helo=compaqdesk)
       by mrvdomng0.kundenserver.de with smtp (Exim 3.22 #2)
       id 16ZUiT-0000nt-00
       for [email protected]; Sat, 09 Feb 2002 11:26:45 +0100
Message-ID: <001401c1b154$39e717e0$2800a8c0@compaqdesk>
Reply-To: "livethe.net Admin" <[email protected]>
From: "livethe.net Admin" <[email protected]>
To: <[email protected]>
Subject: NeMaC with config-file
Date: Sat, 9 Feb 2002 11:26:23 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
       boundary="----=_NextPart_000_0011_01C1B15C.9AC95D40"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Sender: [email protected]
Precedence: bulk

Hello everybody,

I'm trying to start NeMaC with a configuration file, that means my
command looks like that:

#   NeMaC -f config-file

I saw that NeMaC accepts the config-file just if it is located in the same
directory as NeMaC itself. Is this really so ? Is any
configuration-option given, to change the HOME-directory of the
config-file ?
Can I specify in the config-file where the flow files should be written ?

Any tip is welcome, thank you in advance,

Valentin




From netramet-owner  Wed Feb 13 04:55:22 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id EAA14550
       for netramet-outgoing; Wed, 13 Feb 2002 04:49:01 +1300 (NZDT)
Received: from hawk.ruscomnet.ru (hawk.ruscomnet.ru [80.249.129.3])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id EAA14533
       for <[email protected]>; Wed, 13 Feb 2002 04:48:57 +1300 (NZDT)
Received: from churla.prima.ltd (churla.prima-tlf.ru [80.249.130.66] (may be forged))
       by hawk.ruscomnet.ru (8.11.6/8.11.6) with ESMTP id g1CFmhW91697
       for <[email protected]>; Tue, 12 Feb 2002 18:48:48 +0300 (MSK)
       (envelope-from [email protected])
Received: from kirilliumnt (kirillium-nt.prima.ltd [172.17.10.4])
       by churla.prima.ltd (8.11.5/8.11.5) with SMTP id g1CFmpA09457
       for <[email protected]>; Tue, 12 Feb 2002 18:48:52 +0300
From: "Kirill-Prima" <[email protected]>
To: <[email protected]>
Subject: Why Firsttime changes? (may by fd_filter bug)
Date: Tue, 12 Feb 2002 18:51:30 +0300
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
       charset="koi8-r"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300
Sender: [email protected]
Precedence: bulk

Hi!

 I use NetFlowMet (4.3). Everything has worked quite well for several months,
  but one sad thing happens: when the FirstTime attribute changes, fd_filter
  counts traffic for this flow as for a new flow - with very abnormal results.
  For example, part of my flow data file:

##NeTraMet v4.3:  -c3600 -r
/home/netstat/flow-manage/etc/mci_networks2.rules  192.168.255.10 udp-9996
100000 flows  starting at 06:56:00 Tue 12 Feb 2002
#Format: flowruleset flowindex firsttime sourceinterface destinterface
tooctets fromoctets topdus frompdus sourceclass destclass

...

#Time: 10:00:00 Tue 12 Feb 2002 192.168.255.10 Flows from 40212161 to
40572091
#Stats: aps=2185 apb=0 mps=77378 mpb=0 lsp=0 avi=99.9 mni=97.5 fiu=50 frc=0
gci=600 rpp=1.0 tpp=0.1 cpt=1.6 tts=65521 tsu=29
17 7778 25906044 20 19 1017894424 179100698 1761741 1214119 3 17
17 7779 25906046 20 19 1665378401 7804916518 7166951 10874903 3 12
17 7780 25906142 20 19 908010158 513692156 1821407 2236899 3 10
#EndData: 192.168.255.10
#Time: 11:00:00 Tue 12 Feb 2002 192.168.255.10 Flows from 40572090 to
40932120
#Stats: aps=2297 apb=0 mps=49330 mpb=0 lsp=0 avi=99.8 mni=97.0 fiu=54 frc=0
gci=600 rpp=1.2 tpp=0.2 cpt=1.5 tts=65521 tsu=31
17 7778 25906044 20 19 1233981737 249014452 2165270 1604778 3 17
17 7779 25906046 20 19 2166941286 9493883094 8955664 13657311 3 12
17 7780 25906142 20 19 1213261036 676568280 2327789 2825369 3 10
#EndData: 192.168.255.10
#Time: 12:00:00 Tue 12 Feb 2002 192.168.255.10 Flows from 40932119 to
41292149
#Stats: aps=2284 apb=0 mps=73859 mpb=0 lsp=0 avi=99.8 mni=97.0 fiu=57 frc=0
gci=600 rpp=1.4 tpp=0.2 cpt=1.5 tts=65521 tsu=33
17 7778 25906007 20 19 1486826092 335655276 2612806 2047562 3 17
17 7779 25906011 20 19 2746067211 11002514111 10695850 16455555 3 12
17 7780 25906027 20 19 1542899061 839809715 2856036 3445987 3 10

At 12:00 firsttime attribute changed (why?) and fd_filter counts not a
difference (2746067211 - 2166941286),
but treats this as new flow with count 2746067211.. Please, help, is there
any solution?

Regards,
Kirill.
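
The delta calculation the message above expects, as an added example (not part of the original post and not fd_filter's own code). It assumes a record with the same flowruleset and flowindex, counters that have not decreased, and a FirstTime within a chosen tolerance is the same flow; the tolerance value and the unwrapped sample lines are constructed for the illustration.

```python
"""Per-interval deltas from NeTraMet-style flow records, tolerant of FirstTime drift."""

# Column order as given in the "#Format:" line of the message.
FORMAT = ("flowruleset flowindex firsttime sourceinterface destinterface "
          "tooctets fromoctets topdus frompdus sourceclass destclass").split()
COUNTERS = ("tooctets", "fromoctets", "topdus", "frompdus")
FIRSTTIME_TOLERANCE = 200  # assumption: largest FirstTime shift still treated as the same flow

# Constructed sample: the 11:00 and 12:00 records from the message,
# with the mail-wrapped "#Time:" lines joined back onto one line.
SAMPLE = """\
#Time: 11:00:00 Tue 12 Feb 2002 192.168.255.10 Flows from 40572090 to 40932120
17 7778 25906044 20 19 1233981737 249014452 2165270 1604778 3 17
17 7779 25906046 20 19 2166941286 9493883094 8955664 13657311 3 12
17 7780 25906142 20 19 1213261036 676568280 2327789 2825369 3 10
#EndData: 192.168.255.10
#Time: 12:00:00 Tue 12 Feb 2002 192.168.255.10 Flows from 40932119 to 41292149
17 7778 25906007 20 19 1486826092 335655276 2612806 2047562 3 17
17 7779 25906011 20 19 2746067211 11002514111 10695850 16455555 3 12
17 7780 25906027 20 19 1542899061 839809715 2856036 3445987 3 10
"""


def parse_intervals(text):
    """Return [(time_of_day, [record_dict, ...]), ...] in file order."""
    intervals = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Time:"):
            intervals.append((line.split()[1], []))
        elif intervals and line and not line.startswith("#"):
            fields = line.split()
            # Skip anything that is not a complete, all-numeric data record.
            if len(fields) == len(FORMAT) and all(f.isdigit() for f in fields):
                intervals[-1][1].append(dict(zip(FORMAT, map(int, fields))))
    return intervals


def interval_deltas(intervals, tolerance=FIRSTTIME_TOLERANCE):
    """Compute per-interval counter increases for each (ruleset, flowindex)."""
    previous = {}
    rows = []
    for stamp, records in intervals:
        for rec in records:
            key = (rec["flowruleset"], rec["flowindex"])
            old = previous.get(key)
            shift = rec["firsttime"] - old["firsttime"] if old else 0
            # Same flow: small FirstTime shift and no counter went backwards.
            continued = (old is not None
                         and abs(shift) <= tolerance
                         and all(rec[c] >= old[c] for c in COUNTERS))
            row = {"time": stamp, "key": key,
                   "continued": continued, "firsttime_shift": shift}
            for c in COUNTERS:
                row[c] = rec[c] - (old[c] if continued else 0)
            rows.append(row)
            previous[key] = rec
    return rows


if __name__ == "__main__":
    for row in interval_deltas(parse_intervals(SAMPLE)):
        print(row["time"], row["key"], "continued" if row["continued"] else "new",
              "shift=%d" % row["firsttime_shift"], "tooctets +%d" % row["tooctets"])
```

Calling `interval_deltas(..., tolerance=0)` makes FirstTime an exact-match part of the flow identity and reproduces the symptom described: the 12:00 record for flow 7779 is reported with its full counter value instead of the difference.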





From netramet-owner  Fri Feb 22 22:19:36 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id WAA29864
       for netramet-outgoing; Fri, 22 Feb 2002 22:17:19 +1300 (NZDT)
Received: from rasips1.rasip.fer.hr ([email protected] [161.53.67.2])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id WAA29857
       for <[email protected]>; Fri, 22 Feb 2002 22:17:14 +1300 (NZDT)
Received: from there (nidhogg.rasip.fer.hr [161.53.67.126])
       by rasips1.rasip.fer.hr (8.8.8/8.8.8) with SMTP id KAA25563;
       Fri, 22 Feb 2002 10:15:22 +0100 (MET)
Message-Id: <[email protected]>
Content-Type: text/plain;
 charset="iso-8859-15"
From: Marin Orlic <[email protected]>
Organization: FER
To: <[email protected]>
Subject: NeMaC (srl) limitations, NeTraMet -l switch
Date: Fri, 22 Feb 2002 10:18:54 +0100
X-Mailer: KMail [version 1.3.1]
Cc: [email protected]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: [email protected]
Precedence: bulk

Hi all,

as far as I know, the maximum length of command-line parameter for NeMaC is
64 chars, this causes a problem with IPmeter (www.ipmeter.com) using NeMaC
because the path of NeMaC configuration file is sometimes longer than that.
How complicated is it to enlarge that buffer (just one #define somewhere or
something more?)...

I had a particularly stupidly written SRL file which then compiles into a rule
file with more than 656 symbols, so I've changed the hash table size #defines
in srl.h for srl and corresponding entries for NeMaC (nmc_something files)...
What effect do these settings have on meters (as far as I know, maximum number
of rules per meter is 2000, but there's no note on number of symbols). Any
comments?

What does '-l' switch on NeTraMet actually do? In docs it says it tells
NeTraMet to take packet length from IP headers. What happens if the switch is
used and what if it isn't used - I've started two sets of meters/collectors,
one with -l other without, applied the same ruleset and the results were the
same (as long as NeMaCs stayed in sync - I couldn't have used just one NeMaC, so
after a while collection times for NeMaCs were 1 second apart and the results
stopped matching..). Has anyone had any experience with this?

Thank you...

Bye, M.

From netramet-owner  Fri Feb 22 22:59:46 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id WAA03276
       for netramet-outgoing; Fri, 22 Feb 2002 22:59:01 +1300 (NZDT)
Received: from rasips1.rasip.fer.hr ([email protected] [161.53.67.2])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id WAA03255
       for <[email protected]>; Fri, 22 Feb 2002 22:58:51 +1300 (NZDT)
Received: from there (nidhogg.rasip.fer.hr [161.53.67.126])
       by rasips1.rasip.fer.hr (8.8.8/8.8.8) with SMTP id KAA25734
       for <[email protected]>; Fri, 22 Feb 2002 10:56:51 +0100 (MET)
Message-Id: <[email protected]>
Content-Type: text/plain;
 charset="iso-8859-15"
From: Marin Orlic <[email protected]>
Organization: FER
To: [email protected]
Subject: How to write a SRL file?
Date: Fri, 22 Feb 2002 11:00:21 +0100
X-Mailer: KMail [version 1.3.1]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: [email protected]
Precedence: bulk

Hi all,

I need to create a meter system that will account traffic based on:

- Source IP
- Dest IP
- Source Port (Source Trans Address)
- Dest Port (Dest Trans Address)
- Bytes sent
- Bytes recvd
- QoS (if possible)

If I write a ruleset that will filter by IP addresses and ignore the ports
(all for let's say TCP, IP, UDP), it becomes too large.. Is there a way to
write a simple ruleset that will account for all those attributes without any
filtering?

Something like

if SourcePeerType == IP save;
else ignore;

set 5;

save SourcePeerAddress;
save DestPeerAddress;
save SourceTransAddress;
save DestTransAddress;
save SourceTransType;
save DestTransType;
#save ToOctets;
#save FromOctets;

count;

format FlowRuleSet FlowIndex FirstTime LastTime " "
#        SourceKind DestKind  FlowKind "  "
       SourcePeerType SourcePeerAddress SourcePeerMask DestPeerAddress
DestPeerMask"  "
       SourceTransType DestTransType " "
       SourceTransAddress SourceTransMask DestTransAddress DestTransMask " "
       ToPDUs FromPDUs " " ToOctets FromOctets;

statistics ;

When I try to 'save' 'FromOctets' and 'ToOctets', srl compiler gives an error.
Does this rule accumulate packets into flows when going for same ports on
same machines, or am I counting packets this way?

Thx.

Bye, M.

From netramet-owner  Sat Feb 23 01:22:53 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id BAA13205
       for netramet-outgoing; Sat, 23 Feb 2002 01:20:37 +1300 (NZDT)
Received: from virgo.cus.cam.ac.uk ([email protected] [131.111.8.20])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id BAA13200
       for <[email protected]>; Sat, 23 Feb 2002 01:20:35 +1300 (NZDT)
Received: from ajms (helo=virgo.cus.cam.ac.uk)
       by virgo.cus.cam.ac.uk with local-esmtp (Exim 4.00)
       id 16eEgg-0004bB-00; Fri, 22 Feb 2002 12:20:30 +0000
To: Marin Orlic <[email protected]>
cc: [email protected]
Subject: Re: How to write a SRL file?
In-reply-to: Your message of "Fri, 22 Feb 2002 11:00:21 +0100."
            <[email protected]>
From: "Tony Stoneley" <[email protected]>
Date: Fri, 22 Feb 2002 12:20:30 +0000
Message-Id: <[email protected]>
Sender: [email protected]
Precedence: bulk

>save SourcePeerAddress;
>save DestPeerAddress;
>save SourceTransAddress;
>save DestTransAddress;
>save SourceTransType;
>save DestTransType;

As someone once bitten, I offer a warning. If this is on a network
exposed to the Big Bad Internet, which of course it may not be, I
predict that your flow tables will overflow. The Black Hats often try
to probe all possible ports on all possible addresses, a huge number of
individual tiny flows if you separate them all out like that. To minimise
the problem I do something like

 if xxxTransAddress == interesting_port_list
    save xxxTransAddress;
 else save xxxTransAddress = 0.2; # (some fixed uninteresting value)


>When I try to 'save' 'FromOctets' and 'ToOctets', srl compiler gives an error.

That's good! "save" specifies that the attribute is to be used as part
of the flow identification. It makes no sense (in this context) to
classify a flow by the size of the packets in it. This may seem like a
strange use of the word "save", but it makes sense in the context of
the underlying flow matching engine (about which it's well worth a
general read, even if you're not going to program it directly).

--
Tony Stoneley            Email:  [email protected]
Computing Service        Phone:  +44 1223 334710
Cambridge University
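
The flow-table effect described in the message above, as an added example that is not part of the original post and is not NeTraMet code. It counts flow-table entries for the same traffic with every port kept in the flow key and with uninteresting ports collapsed to one fixed value; the packets, the port list, the table size and the rule that a full table creates no new flows are all constructed assumptions.

```python
"""Flow-table growth: full port key versus collapsing uninteresting ports."""
from collections import Counter

INTERESTING_PORTS = frozenset({25, 53, 80, 443})  # assumption: site-specific list
OTHER_PORT = 0       # fixed stand-in value for every uninteresting port
TABLE_SIZE = 1000    # assumption: constructed flow-table capacity


def constructed_packets():
    """Constructed (src, dst, proto, sport, dport) tuples, documentation addresses only."""
    packets = []
    # One source touching ports 1-1024 on eight addresses, one packet each.
    for host in range(1, 9):
        for port in range(1, 1025):
            packets.append(("198.51.100.7", f"192.0.2.{host}", 6, 44444, port))
    # Ordinary traffic arriving afterwards: five clients, web and DNS.
    for client in range(1, 6):
        src = f"10.0.0.{client}"
        packets += [(src, "192.0.2.80", 6, 40000 + client, 80)] * 20
        packets.append((src, "192.0.2.53", 17, 50000 + client, 53))
    return packets


def full_key(pkt):
    """Flow key with both port numbers kept as seen."""
    return pkt


def collapsed_key(pkt):
    """Flow key with every port outside the list replaced by OTHER_PORT."""
    src, dst, proto, sport, dport = pkt

    def keep(port):
        return port if port in INTERESTING_PORTS else OTHER_PORT

    return (src, dst, proto, keep(sport), keep(dport))


def meter(packets, key_fn, table_size=TABLE_SIZE):
    """Return (packets per flow, packets per source that found no table slot)."""
    table = Counter()
    unaccounted = Counter()
    for pkt in packets:
        key = key_fn(pkt)
        if key in table or len(table) < table_size:
            table[key] += 1
        else:
            # Assumption: once the table is full, new flows are not created.
            unaccounted[pkt[0]] += 1
    return table, unaccounted


if __name__ == "__main__":
    for name, key_fn in (("full key", full_key), ("collapsed", collapsed_key)):
        table, lost = meter(constructed_packets(), key_fn)
        print(f"{name:10s} flows={len(table):5d} unaccounted={sum(lost.values())}")
        print("  largest flows:", table.most_common(2))
```

With the collapsed key the probing source is still visible, as one large catch-all flow per target address, while the ordinary clients keep their table entries.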

From netramet-owner  Sat Feb 23 03:00:05 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id CAA19252
       for netramet-outgoing; Sat, 23 Feb 2002 02:59:10 +1300 (NZDT)
Received: from s1.cip.ei.uni-stuttgart.de ([email protected] [129.69.174.1])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id CAA19247
       for <[email protected]>; Sat, 23 Feb 2002 02:59:08 +1300 (NZDT)
Received: from l1 (IDENT:[email protected] [129.69.174.11]) by s1.cip.ei.uni-stuttgart.de (8.9.3 (PHNE_22672)/8.8.3) with SMTP id OAA17673 for <[email protected]>; Fri, 22 Feb 2002 14:59:04 +0100 (MET)
Received: by l1 (sSMTP sendmail emulation); Fri, 22 Feb 2002 14:59:04 +0100
Date: Fri, 22 Feb 2002 14:59:04 +0100
From: David Martinez Castellanos <[email protected]>
To: [email protected]
Subject: Question about NeMac
Message-ID: <[email protected]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
Sender: [email protected]
Precedence: bulk

Dear Mr. Brownlee and Dear all

I'm a student of the Stuttgart University and I'm working in the
RechenZentrum
(RUS) dealing with NeTraMet and NeMac.

I've proved it in an IPv6 environment and it works really fine but now I
want to modify the source code to access a MySQL Database instead of sending
the collection of data to the log file "XXX.XXX.XXX.XXX.flows.00X".

Could you tell me in which C source file I can find the "fopen" (or other
instruction) where the log file is created?

THANK YOU VERY MUCH FOR YOUR HELP IN ADVANCE.

David Martinez

From netramet-owner  Sat Feb 23 03:08:20 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id DAA19862
       for netramet-outgoing; Sat, 23 Feb 2002 03:08:17 +1300 (NZDT)
Received: from rasips1.rasip.fer.hr ([email protected] [161.53.67.2])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id DAA19856
       for <[email protected]>; Sat, 23 Feb 2002 03:08:09 +1300 (NZDT)
Received: from there (nidhogg.rasip.fer.hr [161.53.67.126])
       by rasips1.rasip.fer.hr (8.8.8/8.8.8) with SMTP id PAA26685
       for <[email protected]>; Fri, 22 Feb 2002 15:06:21 +0100 (MET)
Message-Id: <[email protected]>
Content-Type: text/plain;
 charset="iso-8859-1"
From: Marin Orlic <[email protected]>
Organization: FER
To: [email protected]
Subject: Re: How to write a SRL file?
Date: Fri, 22 Feb 2002 15:09:51 +0100
X-Mailer: KMail [version 1.3.1]
References: <[email protected]>
In-Reply-To: <[email protected]>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: [email protected]
Precedence: bulk

On Friday 22 February 2002 13:20 Tony Stoneley wrote:
> >save SourcePeerAddress;
> >save DestPeerAddress;
> >save SourceTransAddress;
> >save DestTransAddress;
> >save SourceTransType;
> >save DestTransType;
>
> As someone once bitten, I offer a warning. If this is on a network
> exposed to the Big Bad Internet, which of course it may not be, I
> predict that your flow tables will overflow. The Black Hats often try
> to probe all possible ports on all possible addresses, a huge number of
> individual tiny flows if you separate them all out like that. To minimize
> the problem I do something like

Yes, I'm aware of that... Well, this is supposed to be on a network that has
access to Internet, but it's behind a firewall (which still doesn't help me
:)..I've tried port scanners on one machine to see what happens, and I do get
a bunch of small flows going on consecutive ports... Unfortunately, we need
to monitor everything... Which is the major problem... How large is the flow
table (I can go through the sources, but if you know, it would be a help :)?

>   if xxxTransAddress == interesting_port_list
>      save xxxTransAddress;
>   else save xxxTransAddress = 0.2; # (some fixed uninteresting value)

Yes, but first I need to get the list of interesting ports :) Which currently
is "*" :)))

> >When I try to 'save' 'FromOctets' and 'ToOctets', srl compiler gives an
> > error.
> That's good! "save" specifies that the attribute is to be used as part
> of the flow identification. It makes no sense (in this context) to
> classify a flow by the size of the packets in it. This may seem like a
> strange use of the word "save", but it makes sense in the context of
> the underlying flow matching engine (about which it's well worth a
> general read, even if you're not going to program it directly).

Aaaaaaa, that makes a lot more sense now :)) So, 'save' actually means - save
to create a key for hashing, or something like that... I've read some about
packet matching engine but obviously not enough :)))

Now that you've mentioned it, is there any reading about packet matching
engine other than NeTraMet & NeMaC reference manual?

Thanks!

Bye,M.

From netramet-owner  Sat Feb 23 04:45:08 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id EAA26596
       for netramet-outgoing; Sat, 23 Feb 2002 04:42:59 +1300 (NZDT)
Received: from mail.zrz.tu-berlin.de (mail.zrz.TU-Berlin.DE [130.149.4.15])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id EAA26586
       for <[email protected]>; Sat, 23 Feb 2002 04:42:57 +1300 (NZDT)
Received: from wncs.zrz.tu-berlin.de ([130.149.2.12])
         by mail.zrz.tu-berlin.de with esmtp (exim-3.35)
         id 16eHqN-0000Wx-00; Fri, 22 Feb 2002 16:42:43 +0100
Received: from wncs.zrz.TU-Berlin.DE by wncs.zrz.TU-Berlin.DE (8.8.8/ZRZ-Gen-8)
         with ESMTP id QAA21806;
         Fri, 22 Feb 2002 16:42:41 +0100 (MET)
Message-Id: <[email protected]>
X-Mailer: exmh version 2.1.1 10/15/1999
To: Marin Orlic <[email protected]>
Cc: [email protected]
Subject: Re: How to write a SRL file?
In-reply-to: Your message of "Fri, 22 Feb 2002 15:09:51 +0100"
            <[email protected]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 22 Feb 2002 16:42:41 +0100
From: Dieter Kasielke <[email protected]>
Sender: [email protected]
Precedence: bulk

Hello Marin,

here is an example of the ruleset you need (at least I hope so):
#
if SourcePeerType == IP save, {

 save SourcePeerAddress;     # IP addresses
 save DestPeerAddress;
 save SourceTransType;       # IP protocol number
 if SourceTransType == TCP || SourceTransType == UDP {
   save SourceTransAddress;
   save DestTransAddress;
   }
 count;
 }
else ignore; # NOT an IP packet

set 2;

format
 flowindex firsttime SourcePeerAddress DestPeerAddress
 SourceTransType SourceTransAddress DestTransAddress
 topdus tooctets frompdus fromoctets;

Have fun, Dieter

On Fri, 22 Feb 2002 15:09:51 +0100 Marin Orlic wrote:
> On Friday 22 February 2002 13:20 Tony Stoneley wrote:
> > >save SourcePeerAddress;
> > >save DestPeerAddress;
> > >save SourceTransAddress;
> > >save DestTransAddress;
> > >save SourceTransType;
> > >save DestTransType;
> >
> > As someone once bitten, I offer a warning. If this is on a network
> > exposed to the Big Bad Internet, which of course it may not be, I
> > predict that your flow tables will overflow. The Black Hats often try
> > to probe all possible ports on all possible addresses, a huge number of
> > individual tiny flows if you separate them all out like that. To minimize
> > the problem I do something like
>
> Yes, I'm aware of that... Well, this is supposed to be on a network that has
> access to Internet, but it's behind a firewall (which still doesn't help me
> :)..I've tried port scanners on one machine to see what happens, and I do get
> a bunch of small flows going on consecutive ports... Unfortunately, we need
> to monitor everything... Which is the major problem... How large is the flow
> table (I can go through the sources, but if you know, it would be a help :)?
>
> >   if xxxTransAddress == interesting_port_list
> >      save xxxTransAddress;
> >   else save xxxTransAddress = 0.2; # (some fixed uninteresting value)
>
> Yes, but first I need to get the list of interesting ports :) Which currently
> is "*" :)))
>
> > >When I try to 'save' 'FromOctets' and 'ToOctets', srl compiler gives an
> > > error.
> > That's good! "save" specifies that the attribute is to be used as part
> > of the flow identification. It makes no sense (in this context) to
> > classify a flow by the size of the packets in it. This may seem like a
> > strange use of the word "save", but it makes sense in the context of
> > the underlying flow matching engine (about which it's well worth a
> > general read, even if you're not going to program it directly).
>
> Aaaaaaa, that makes a lot more sense now :)) So, 'save' actually means - save
> for creating a key for hashing, or something like that... I've read some about
> packet matching engine but obviously not enough :)))
>
> Now that you've mentioned it, is there any reading about packet matching
> engine other than NeTraMet & NeMaC reference manual?
>
> Thanks!
>
> Bye,M.


---
Dieter Kasielke, ZRZ (Zentraleinrichtung Rechenzentrum), Sekr.: EN 50,
Technische Universitaet Berlin, Einsteinufer 17, D-10587 Berlin, GERMANY.
email: [email protected], phone: +49 30 314 - 23733, fax: - 21060
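
Added example (not part of any message in this thread, and not NeTraMet code): a toy Python model of the point made in the quoted discussion above, that every saved attribute becomes part of the flow key, so saving every port lets scan traffic fill the flow table. The table size, the interesting-port list, the fixed value 0 and the sample packets are constructed assumptions.

```python
# Added illustration (not NeTraMet code): a toy flow meter showing how the
# set of saved attributes becomes the flow key and drives table growth.

INTERESTING_PORTS = {25, 53, 80, 443}  # assumed list; choose your own
OTHER_PORT = 0                          # fixed value saved for every other port
TABLE_SIZE = 2000                       # assumed capacity, not NeTraMet's real limit


def key_all(pkt):
    """Flow key when both addresses, the protocol and both ports are saved."""
    src, dst, proto, sport, dport = pkt
    return (src, dst, proto, sport, dport)


def key_collapsed(pkt):
    """Flow key when only interesting ports are saved as themselves."""
    src, dst, proto, sport, dport = pkt
    sport = sport if sport in INTERESTING_PORTS else OTHER_PORT
    dport = dport if dport in INTERESTING_PORTS else OTHER_PORT
    return (src, dst, proto, sport, dport)


def meter(packets, key_fn, table_size=TABLE_SIZE):
    """Count packets per flow key. Packets that would need a new entry once
    the table is full go uncounted (a modelling assumption)."""
    table, uncounted = {}, 0
    for pkt in packets:
        key = key_fn(pkt)
        if key in table:
            table[key] += 1
        elif len(table) < table_size:
            table[key] = 1
        else:
            uncounted += 1
    return table, uncounted


def constructed_packets():
    """Constructed sample: one host probing ports 1-1024 on four addresses,
    followed by three packets of an ordinary web connection."""
    probes = [("192.0.2.10", f"198.51.100.{h}", 6, 40000, port)
              for h in range(1, 5) for port in range(1, 1025)]
    web = [("192.0.2.20", "198.51.100.1", 6, 51000, 80)] * 3
    return probes + web


if __name__ == "__main__":
    pkts = constructed_packets()
    for name, fn in (("all ports saved", key_all), ("ports collapsed", key_collapsed)):
        table, uncounted = meter(pkts, fn)
        print(f"{name}: {len(table)} flows, {uncounted} packets uncounted")
```

With every port saved the probes fill the table before the web connection arrives, so it is never metered; with uninteresting ports collapsed to one value the same traffic needs 21 entries.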



From netramet-owner  Sat Feb 23 04:47:34 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id EAA26973
       for netramet-outgoing; Sat, 23 Feb 2002 04:47:32 +1300 (NZDT)
Received: from archief.telin.nl ([195.169.16.25])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id EAA26968
       for <[email protected]>; Sat, 23 Feb 2002 04:47:30 +1300 (NZDT)
Received: from telin.nl ([195.169.16.64])
         by archief.telin.nl (Lotus Domino Release 5.0.8)
         with ESMTP id 2002022216534314:8953 ;
         Fri, 22 Feb 2002 16:53:43 +0100
Message-ID: <[email protected]>
Date: Fri, 22 Feb 2002 16:46:57 +0100
From: Remco Poortinga <[email protected]>
X-Mailer: Mozilla 4.75 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: David Martinez Castellanos <[email protected]>
CC: [email protected]
Subject: Re: Question about NeMac
References: <[email protected]>
X-MIMETrack: Itemize by SMTP Server on ARCHIEF/SRV/TELIN/NL(Release 5.0.8 |June 18, 2001) at
02/22/2002 04:53:43 PM,
       Serialize by Router on ARCHIEF/SRV/TELIN/NL(Release 5.0.8 |June 18, 2001) at
02/22/2002 04:54:17 PM,
       Serialize complete at 02/22/2002 04:54:17 PM
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
Sender: [email protected]
Precedence: bulk



David Martinez Castellanos wrote:
>
> Dear Mr. Brownlee and Dear all

Hello David,

>
> I'm a student of the Stuttgart University and I'm working in the
> RechenZentrum
> (RUS) dealing with NeTraMet and NeMac.
>
> I've proved it in an IPv6 environment and it works really fine but now I
> want to modify the source code to access a MySQL Database instead of sending
> the collection of data to the log file "XXX.XXX.XXX.XXX.flows.00X".

There are several approaches possible in order to get the flow
information into a MySQL database.
The method I used last year was making a meter reader to read the flow
information from NeTraMet (using SNMP) and store it in a (MySQL)
database. Unfortunately it is not IPv6 ready, but maybe it's useful as a
starting point?
see
http://mr2mysql.sourceforge.net/

Cheers,

Remco

Remco Poortinga
Telematica Instituut
Enschede, the Netherlands
+31 53 485 04 92


>
> Could you tell me in which c-source file can I find the "fopen" (or other
> instruction)
> where the log file is created?.
>
> THANK YOU VERY MUCH FOR YOUR HELP IN ADVANCE.
>
> David Martinez

From netramet-owner  Sat Feb 23 05:09:09 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id FAA28484
       for netramet-outgoing; Sat, 23 Feb 2002 05:08:41 +1300 (NZDT)
Received: from virgo.cus.cam.ac.uk ([email protected] [131.111.8.20])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id FAA28478
       for <[email protected]>; Sat, 23 Feb 2002 05:08:39 +1300 (NZDT)
Received: from ajms (helo=virgo.cus.cam.ac.uk)
       by virgo.cus.cam.ac.uk with local-esmtp (Exim 4.00)
       id 16eIFR-0004hQ-00
       for [email protected]; Fri, 22 Feb 2002 16:08:37 +0000
To: [email protected]
Subject: Re: How to write a SRL file?
In-reply-to: Your message of "Fri, 22 Feb 2002 15:09:51 +0100."
            <[email protected]>
From: "Tony Stoneley" <[email protected]>
Date: Fri, 22 Feb 2002 16:08:37 +0000
Message-Id: <[email protected]>
Sender: [email protected]
Precedence: bulk

>Now that you've mentioned it, is there any reading about packet matching
>engine other than NeTraMet & NeMaC reference manual?

You probably want to look at RFC 2722 "Traffic Flow Measurement:
Architecture", in particular section 4 therein.

--
Tony Stoneley            Email:  [email protected]
Computing Service        Phone:  +44 1223 334710
Cambridge University

From netramet-owner  Sat Feb 23 07:25:35 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id HAA08228
       for netramet-outgoing; Sat, 23 Feb 2002 07:24:43 +1300 (NZDT)
Received: from auckland.ac.nz ([email protected] [130.216.3.1])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id HAA08216
       for <[email protected]>; Sat, 23 Feb 2002 07:24:39 +1300 (NZDT)
Message-Id: <[email protected]>
Date: Fri, 22 Feb 2002 10:27:01 -0800 (PST)
From: [email protected]
Subject: List of NeTraMet documents
To: [email protected]
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Sender: [email protected]
Precedence: bulk

Hi all:

This note is an attempt to list all the documentation for NeTraMet.
If you can add any items to the list, please email me, I'll add
them to it.

Thanks, Nevil

-----------------------------------------------------------------------
  Nevil Brownlee                   Director, Technology Development
  Phone: +64 9 373 7599 x8941      ITSS, The University of Auckland
  FAX: +64 9 373 7021      Private Bag 92019, Auckland, New Zealand



NeTraMet documents list

Nevil Brownlee, Fri 22 Feb 02


A) Manuals (from www.auckland.ac.nz/net/NeTraMet):

These are the manuals that go with the current NeTraMet production version.
I'm working on updated versions for the 4.4 release, which is ready now.

- NeTraMet v4.2 Users' Guide / Release Notes:
     srl, NetFlowMet, how to move from v3 to v4.
- srl Users' Guide:
     SRL: A high-level Ruleset Language and its compiler
- NeTraMet & NeMaC Reference Manual v4.3:
     The "NeTraMet Manual"
- nm_rc:
     A Remote Console for NeTraMet
- nifty:
     An X-Windows Network Traffic Flow Analyser
- fd_filter and fd_extract:
     NeTraMet flow data file Utility Programs


B) Nevil's Papers

These can be found on the CAIDA web site, look for 'Brownlee' on the
http://www.caida.org/outreach/papers/byauthor   page.

"Using NeTraMet for Production Traffic Measurement," IM2001
  This is an introduction to RTFM and NeTraMet.  It explains what
  the system does, and how to get started with it.

"Streams, Flows and Torrents"  and
"Methodology for passive analysis of a university Internet link," PAM2001
  Two papers describing measurements of distribution-valued attributes,
  with considerable detail on the experimental design, including some
  discussion of the rulesets used.


C) RTFM-related RFCs

2721  RTFM Applicability Statement
2722  Traffic Flow Measurement: Architecture
2720  Traffic Flow Measurement: Meter MIB
2723  SRL: A Simple Ruleset Language
2724  New Attributes for Traffic Flow Measurement

2123  Traffic Flow Measurement: Experiences with NeTraMet
1272  Internet Accounting: Background


---------------------------------------------------------------------------



From netramet-owner  Sat Feb 23 07:58:00 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id HAA11323
       for netramet-outgoing; Sat, 23 Feb 2002 07:57:29 +1300 (NZDT)
Received: from auckland.ac.nz ([email protected] [130.216.3.1])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id HAA11314
       for <[email protected]>; Sat, 23 Feb 2002 07:57:25 +1300 (NZDT)
Message-Id: <[email protected]>
Date: Fri, 22 Feb 2002 10:59:47 -0800 (PST)
From: [email protected]
Subject: NeMaC: how it writes files
To: [email protected]
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Sender: [email protected]
Precedence: bulk


Hello David:

> I've proved it in an IPv6 environment and it works really fine but now I
> want to modify the source code to access a MySQL Database instead of sending
> the collection of data to the log file "XXX.XXX.XXX.XXX.flows.00X".
>
> Could you tell me in which c-source file can I find the "fopen" (or other
> instruction) where the log file is created?.

NeMaC opens flow data files (and writes the ## header record to them)
in open_datafile(), which is in manager/nmc.c.
Data records are written via calls to printfd(); you'll probably want to
look at each of the calls, especially the one in process_row(), which
is the function called from nmc_snmp.c to write the attribute values.

Log files are written via calls on log_msg(), which is in nmc_pars.c.
log_msg() checks whether the log file has been opened; if not it
will open it, using the command line parameters to determine the
log file name.

Cheers, Nevil

-----------------------------------------------------------------------
  Nevil Brownlee                   Director, Technology Development
  Phone: +64 9 373 7599 x8941      ITSS, The University of Auckland
  FAX: +64 9 373 7021      Private Bag 92019, Auckland, New Zealand


From netramet-owner  Sat Feb 23 14:28:53 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id OAA15037
       for netramet-outgoing; Sat, 23 Feb 2002 14:24:24 +1300 (NZDT)
Received: from login.caida.org (login.caida.org [192.172.226.78])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id OAA15029
       for <[email protected]>; Sat, 23 Feb 2002 14:24:22 +1300 (NZDT)
Received: from login.caida.org (localhost [127.0.0.1])
       by login.caida.org (8.12.1/8.12.1) with ESMTP id g1N1N6bf003543;
       Fri, 22 Feb 2002 17:23:06 -0800 (PST)
Received: from localhost (nevil@localhost)
       by login.caida.org (8.12.1/8.12.1/Submit) with ESMTP id g1N1N5QQ003540;
       Fri, 22 Feb 2002 17:23:05 -0800 (PST)
Date: Fri, 22 Feb 2002 17:23:05 -0800 (PST)
From: Nevil Brownlee <[email protected]>
To: Marin Orlic <[email protected]>
cc: [email protected]
Subject: Re: NeMaC (srl) limitations, NeTraMet -l switch
In-Reply-To: <[email protected]>
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk


Hi Marin:

> as far as I know, the maximum length of command-line parameter for NeMaC is
> 64 chars, this causes a problem with IPmeter (www.ipmeter.com) using NeMaC
> because the path of NeMaC configuration file is sometimes longer than that.
> How complicated is it to enlarge that buffer (just one #define somewhere or
> something more?)...

Simplest way around this would be to make a symbolic link to your long
file name, and use the link on NeMaC's command line.

> I had a particularly stupidly written SRL file which then compiles into rule
> file with more than 656 symbols, so I've changed the hash table size #defines
> in srl.h for srl and corresponding entries for NeMaC (nmc_something files)...
> What effect do these settings have on meters (as far as I know, maximum number
> of rules per meter is 2000, but there's no note on number of symbols). Any
> comments?

Changing the SRL compiler hash table size is no problem.
You can set the maximum number of rules as a NeTraMet command-line
parameter, e.g. ./NeTraMet -u 20000 would set it to 20000.
Having a large number of rules probably won't have too much of
an effect on the meter.  The SRL compiler optimises tests on
long lists of addresses for the same attribute, so they're
executed as single hashed lookups.  Try it and see.

> What does '-l' switch on NeTraMet actually do? In docs it says it tells
> NeTraMet to take packet length from IP headers. What happens if the switch is
> used and what if it isn't used - I've started two sets of meters/collectors,
> one with -l other without, applied the same ruleset and the results were the
> same (as long as NeMaCs stayed in sync - I couldn't have used just one NeMaC, so
> after a while collection times for NeMaCs were 1 second apart and the results
> stopped matching..). Has anyone had any experience with this?

-l says 'use the length field from IP packet headers when counting
the number of bytes in a flow.'  If you don't use -l, NeTraMet uses
the actual number of bytes it gets from the metering interface, e.g.
for an Ethernet interface that will be 12 more than the IP length.

BTW, NeTraMet, NeMaC, etc. will display a list of their command-line
options if you invoke them with no parameters.

Cheers, Nevil

-------------------------------------------------------------
  Nevil Brownlee                     Internet Researcher
  Phone: (858) 534 8338                 CAIDA, San Diego

On Fri, 22 Feb 2002, Marin Orlic wrote:

> Hi all,
>
>
> Thank you...
>
> Bye, M.
>


From netramet-owner  Wed Feb 27 08:14:36 2002
Received: (from majordom@localhost)
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) id IAA04493
       for netramet-outgoing; Wed, 27 Feb 2002 08:11:20 +1300 (NZDT)
Received: from auckland.ac.nz ([email protected] [130.216.3.1])
       by mailhost.auckland.ac.nz (8.9.2/8.9.2/8.9.2-ua) with ESMTP id IAA02934;
       Wed, 27 Feb 2002 08:02:48 +1300 (NZDT)
Message-Id: <[email protected]>
Date: Tue, 26 Feb 2002 11:05:07 -0800 (PST)
From: [email protected]
Subject: Fwd: PAM2002 Registion is Open
To: [email protected], [email protected]
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Sender: [email protected]
Precedence: bulk



------ Forwarded message ------

[Our apologies if you receive multiple copies of this announcement.]


            Passive & Active Measurement:  PAM 2002

A workshop on passive and active measurement and analysis techniques
for high speed computer networks and the Internet

                   Fort Collins, Colorado, USA
                       March 25-26, 2002

To register, go to
http://www.labs.agilent.com/hosted/conferences/pam2002/registration/

PAM 2002 is a two-day event focusing on research and practical
applications of passive and active measurement and analysis techniques
for high speed computer networks and the Internet.

Registration for this workshop is now open.  The cost of the workshop is
$300 (US).  Attendance will be limited.  The preliminary program is
available on the website.

Contact information:

* PAM 2002
  c/o Agilent Laboratories
  4800 Wheaton Dr
  Fort Collins, CO  80525
  USA
* Phone:   +1-970-288-3821
* Fax:     +1-970-288-4234
* Email:   [email protected]
* Webpage: http://www.labs.agilent.com/pam2002