From netramet-owner Tue Dec 12 02:42:42 1995
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) id CAA19394 for netramet-outgoing; Tue, 12 Dec 1995 02:36:58 +1300 (NZDT)
Received: from crc.u-strasbg.fr (crc.u-strasbg.fr [130.79.200.20]) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) with SMTP id CAA19388 for <[email protected]>; Tue, 12 Dec 1995 02:36:37 +1300 (NZDT)
Received: (from wagner@localhost) by crc.u-strasbg.fr (8.6.11/8.6.9) id NAA24793 for [email protected]; Mon, 11 Dec 1995 13:59:22 +0100
Date: Mon, 11 Dec 1995 13:59:22 +0100
From: Denis Wagner - Centre Reseau Communication - Universite Louis Pasteur <[email protected]>
Message-Id: <[email protected]>
To: [email protected]
Subject: rules files
X-Sun-Charset: US-ASCII
Sender: [email protected]
Precedence: bulk

Hello,
I tried to build a rule file to measure the WWW traffic on a subnet.
I designed the rules like this:
---------------------------------------------------------------------
#
SET 5
#
RULES
#
# I select IP traffic first
#
SourcePeerType & 255 = IP: PushtoAct, IP_pkt;
#
IP_pkt:
#
# I took the following lines from an example
#
SourcePeerAddress & 255.255.255.0 = 0.0.0.0: PushPkttoAct, Next;
DestPeerAddress & 255.255.255.0 = 0.0.0.0: PushPktto, Next;
#
SourceTransType & 255 = tcp: Pushto, tcp_udp;
SourceTransType & 255 = udp: Pushto, tcp_udp;
#
tcp_udp:
s_www:
SourceTransAddress & 255.255 = www: PushtoAct, c_trans_source;
#
#
DestTransAddress & 255.255 = www: GotoAct, s_www;
#
c_trans_source:
SourceTransType & 255 = 0: CountPkt, 0;
#
#
FORMAT
SourceTransAddress" "DestTransAddress" "FromPDUs" "ToPDUs
" "SourcePeerType" "SourceTransType" "SourcePeerAddress" "DestPeerAddress;
#
# end of file
-----------------------------------------------------------------------------
The result is:
-----------------------------------------------------------------------------
##NeTraMet v3.3: -c60 -r rules.dw2 netmgr le0 2600 flows starting at 13:27:15 Mon 11 Dec 95
#Format: sourcetransaddress desttransaddress frompdus topdus sourcepeertype sourcetranstype sourcepeeraddress destpeeraddress
#Time: 13:27:15 Mon 11 Dec 95 netmgr Flows from 1 to 1300
0 0 0 635 7 0 0.0.0 0.0.0
0 0 0 1393 2 0 0.0.0.0 0.0.0.0
0 0 0 106 12 0 00-00 00-00
0 0 0 55 6 0 0.0.0.0 0.0.0.0
0 0 0 5 5 0 0.0.0 0.0.0
#Time: 13:28:00 Mon 11 Dec 95 netmgr Flows from 1299 to 5800
80 0 11 12 2 6 130.79.54.0 130.79.200.0
80 0 0 58 0 6 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
80 0 37 41 2 6 130.79.17.0 130.79.200.0
#Time: 13:29:00 Mon 11 Dec 95 netmgr Flows from 5799 to 11800
80 0 15 18 2 6 130.79.54.0 130.79.200.0
80 0 0 80 0 6 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
80 0 18 25 2 6 130.79.16.0 130.79.200.0
#Time: 13:30:00 Mon 11 Dec 95 netmgr Flows from 11799 to 17800
80 0 0 138 0 6 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
80 0 20 23 2 6 130.79.36.0 130.79.200.0
80 0 45 49 2 6 130.79.144.0 130.79.200.0
#Time: 13:31:00 Mon 11 Dec 95 netmgr Flows from 17799 to 23800
80 0 0 166 0 6 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
80 0 21 20 2 6 130.79.112.0 130.79.200.0
#Time: 13:32:00 Mon 11 Dec 95 netmgr Flows from 23799 to 29800
80 0 0 248 0 6 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
80 0 107 113 2 6 130.79.112.0 130.79.200.0
80 0 4 6 2 6 130.79.35.0 130.79.200.0
#Time: 13:33:00 Mon 11 Dec 95 netmgr Flows from 29799 to 35800
80 0 0 390 0 6 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
----------------------------------------------------------------------------
In the result file I have not only SourceTransAddress = 80 but at the same time address 0: why?
I would hope to see the address of the host 130.79.200.12, but I get the address of the subnet 130.79.200.0.
At the same time I get a CLNS address although I am testing for IP traffic.
I don't know where I went wrong; can anyone help me?
Thanks, Denis.

From netramet-owner Sat Dec 16 03:59:01 1995
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) id DAA11004 for netramet-outgoing; Sat, 16 Dec 1995 03:51:25 +1300 (NZDT)
Received: from crc.u-strasbg.fr (crc.u-strasbg.fr [130.79.200.20]) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) with SMTP id DAA10999 for <[email protected]>; Sat, 16 Dec 1995 03:51:18 +1300 (NZDT)
Received: (from wagner@localhost) by crc.u-strasbg.fr (8.6.11/8.6.9) id PAA12887 for [email protected]; Fri, 15 Dec 1995 15:45:08 +0100
Date: Fri, 15 Dec 1995 15:45:08 +0100
From: Denis Wagner - Centre Reseau Communication - Universite Louis Pasteur <[email protected]>
Message-Id: <[email protected]>
To: [email protected]
Subject: NeTraMet
X-Sun-Charset: US-ASCII
Sender: [email protected]
Precedence: bulk

Hello,
I use NeTraMet with this rule file:
#
SET 7
#
RULES
SourcePeerType & 255 = IP: PushtoAct, IP_pkt;
Null & 0 = 0: Ignore, 0;
#
IP_pkt: # Tally IP traffic by (Class C) subnet
SourcePeerAddress & 255.255.255.255 = 0: PushPktToAct, Next;
DestPeerAddress & 255.255.255.255 = 0: PushPktto, Next;
#
SourceTransType & 255 = tcp: Pushto, s_tcp;
Null & 0 = 0: Ignore, 0;
#
#
s_tcp:
#s_www:
# SourceTransAddress & 255.255 = www: PushtoAct, c_trans_source;
s_ftpdata:
SourceTransAddress & 255.255 = ftpdata: PushtoAct, c_trans_source;
#s_smtp:
# SourceTransAddress & 255.255 = smtp: PushtoAct, c_trans_source;
s_ftp:
SourceTransAddress & 255.255 = ftp: PushtoAct, c_trans_source;
#
#
#DestTransAddress &255.255 =www: GotoAct, s_www;
DestTransAddress &255.255 =ftpdata: GotoAct, s_ftpdata;
#DestTransAddress &255.255 =smtp: GotoAct, s_smtp;
DestTransAddress &255.255 =ftp: GotoAct, s_ftp;
#
#
c_trans_source:
SourceTransType & 255 = 0: CountPkt, 0;
#
-------------------------------------------------------------------------------
The result file is:
##NeTraMet v3.3: -c15 -r rules.dw8 netmgr le0 2600 flows starting at 15:27:25 Fri 15 Dec 95
#Format: flowruleset flowindex firsttime lasttime sourcepeertype sourcepeeraddress destpeeraddress sourcetranstype sourcetransaddress desttransaddress topdus frompdus tooctets fromoctets topdurate frompdurate tooctetrate fromoctetrate
#Time: 15:27:25 Fri 15 Dec 95 netmgr Flows from 1 to 2500
#Time: 15:27:30 Fri 15 Dec 95 netmgr Flows from 2499 to 3000
#Time: 15:27:45 Fri 15 Dec 95 netmgr Flows from 2999 to 4500
#Time: 15:28:00 Fri 15 Dec 95 netmgr Flows from 4499 to 6000
#Time: 15:28:15 Fri 15 Dec 95 netmgr Flows from 5999 to 7500
#Time: 15:28:30 Fri 15 Dec 95 netmgr Flows from 7499 to 9000
7 8 8400 8600 2 130.79.200.12 130.79.200.20 6 20 0 1044 443 1459678 26580 1044 443 1459678 26580
#Time: 15:28:45 Fri 15 Dec 95 netmgr Flows from 8999 to 10500
#Time: 15:29:00 Fri 15 Dec 95 netmgr Flows from 10499 to 12000
#Time: 15:29:15 Fri 15 Dec 95 netmgr Flows from 11999 to 13500
#Time: 15:29:30 Fri 15 Dec 95 netmgr Flows from 13499 to 15000
7 8 8400 13900 2 130.79.200.12 130.79.200.20 6 20 0 2088 886 2919356 53160 1044 443 1459678 26580
#Time: 15:29:45 Fri 15 Dec 95 netmgr Flows from 14999 to 16500
#Time: 15:30:00 Fri 15 Dec 95 netmgr Flows from 16499 to 18000
#Time: 15:30:15 Fri 15 Dec 95 netmgr Flows from 17999 to 19500
-------------------------------------------------------------------------------
So I created a filter file like this:
FORMAT:
FlowRuleSet FlowIndex FirstTime LastTime SourcePeerType SourcePeerAddress DestPeerAddress SourceTransType SourceTransAddress DestTransAddress ToPDUs FromPDUs ToOctets FromOctets ToPduRate FromPduRate ToOctetRate FromOctetRate;
Tag 1:
SourceTransAddress = ftpdata;
The result is:
##NeTraMet v3.3: -c15 -r rules.dw8 netmgr le0 2600 flows starting at 15:27:25 Fri 15 Dec 95
#Format: flowruleset flowindex firsttime lasttime sourcepeertype sourcepeeraddress destpeeraddress sourcetranstype sourcetransaddress desttransaddress topdus frompdus tooctets fromoctets topdurate frompdurate tooctetrate fromoctetrate
#Time: 15:27:25 Fri 15 Dec 95 netmgr Flows from 1 to 2500
#Time: 15:27:30 Fri 15 Dec 95 netmgr Flows from 2499 to 3000
#Time: 15:27:45 Fri 15 Dec 95 netmgr Flows from 2999 to 4500
#Time: 15:28:00 Fri 15 Dec 95 netmgr Flows from 4499 to 6000
#Time: 15:28:15 Fri 15 Dec 95 netmgr Flows from 5999 to 7500
#Time: 15:28:30 Fri 15 Dec 95 netmgr Flows from 7499 to 9000
7 8 8400 8600 2 130.79.200.12 130.79.200.20 6 20 0 1044 443 1459678 26580 1044 443 1459678 26580
#Time: 15:28:45 Fri 15 Dec 95 netmgr Flows from 8999 to 10500
#Time: 15:29:00 Fri 15 Dec 95 netmgr Flows from 10499 to 12000
#Time: 15:29:15 Fri 15 Dec 95 netmgr Flows from 11999 to 13500
#Time: 15:29:30 Fri 15 Dec 95 netmgr Flows from 13499 to 15000
7 8 8400 13900 2 130.79.200.12 130.79.200.20 6 20 0 2088 886 2919356 53160 1044 443 1459678 26580
#Time: 15:29:45 Fri 15 Dec 95 netmgr Flows from 14999 to 16500
#Time: 15:30:00 Fri 15 Dec 95 netmgr Flows from 16499 to 18000
#Time: 15:30:15 Fri 15 Dec 95 netmgr Flows from 17999 to 19500
--------------------------------------------------------------------------------
I created an extract file for ftp_data:
time: elapsed seconds;
column: 2 ToOctetRate Tag 1;
The result is:
5 0
20 0
35 0
50 0
65 0
80 0
95 0
110 0
125 0
140 0
155 0
-------------------------------------------------------------------------------
I don't understand how the time is calculated and why the result in column 2 is 0. I would hope to have only two times, corresponding to the two lines where there is ftpdata, and the result 1459678 each time for ToOctetRate.
Can someone explain to me where I went wrong and why there are not two times?
Thanks,
Denis

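Added example (not part of the list messages above and not code from the NeTraMet distribution): a small Python parser for the flow-data files that NeMaC writes, as shown in both of Denis's messages. A "#Format:" line names the columns, each "#Time:" line opens a collection interval, and every other non-comment line is one flow record. The two samples are constructed from the rows shown above. It does three things a practitioner checking such a rule set wants: separates the IP flows (dotted-quad peer addresses, sourcepeertype 2 in the output above) from the other peer types that the rule set let through, sums the port-80 traffic by /24 of the source peer, and computes the per-interval growth of ToOctets/FromOctets for each flow, keyed on ruleset, index and FirstTime; for the two ftp-data rows above this reproduces the 1459678 and 26580 seen in the rate columns. Port numbers 80 (www) and 20 (ftp-data) are the standard well-known values; treating sourcepeertype 2 as IP is an observation from the output on this page, not a claim about NeTraMet in general.

```python
"""Parse NeTraMet/NeMaC flow-data files: a "#Format:" line names the columns,
each "#Time:" line opens a collection interval, "##..." is the banner and every
other non-comment line is one flow record.  Added example, not NeTraMet code;
the samples below are constructed from rows shown in the list messages."""
import ipaddress

# Constructed sample in the layout of the rules.dw2 output (first message):
# one interval with two IP flows to port 80 and one non-IP flow.
SAMPLE_WWW = """\
##NeTraMet v3.3: -c60 -r rules.dw2 netmgr le0 2600 flows starting at 13:27:15 Mon 11 Dec 95
#Format: sourcetransaddress desttransaddress frompdus topdus sourcepeertype sourcetranstype sourcepeeraddress destpeeraddress
#Time: 13:28:00 Mon 11 Dec 95 netmgr Flows from 1299 to 5800
80 0 11 12 2 6 130.79.54.0 130.79.200.0
80 0 0 58 0 6 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
80 0 37 41 2 6 130.79.17.0 130.79.200.0
"""

# Constructed sample in the layout of the rules.dw8 output (second message):
# the same ftp-data flow (ruleset 7, index 8) reported in two intervals.
SAMPLE_FTP = """\
##NeTraMet v3.3: -c15 -r rules.dw8 netmgr le0 2600 flows starting at 15:27:25 Fri 15 Dec 95
#Format: flowruleset flowindex firsttime lasttime sourcepeertype sourcepeeraddress destpeeraddress sourcetranstype sourcetransaddress desttransaddress topdus frompdus tooctets fromoctets topdurate frompdurate tooctetrate fromoctetrate
#Time: 15:28:30 Fri 15 Dec 95 netmgr Flows from 7499 to 9000
7 8 8400 8600 2 130.79.200.12 130.79.200.20 6 20 0 1044 443 1459678 26580 1044 443 1459678 26580
#Time: 15:28:45 Fri 15 Dec 95 netmgr Flows from 8999 to 10500
#Time: 15:29:30 Fri 15 Dec 95 netmgr Flows from 13499 to 15000
7 8 8400 13900 2 130.79.200.12 130.79.200.20 6 20 0 2088 886 2919356 53160 1044 443 1459678 26580
"""


def parse_flow_file(text):
    """Return (columns, records).  Each record maps column name -> string and
    carries the timestamp of the #Time: line it was reported under as "_time"."""
    columns, time_label, records = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Format:"):
            columns = line.split()[1:]
        elif line.startswith("#Time:"):
            time_label = " ".join(line.split()[1:6])   # e.g. "15:28:30 Fri 15 Dec 95"
        elif line.startswith("#"):
            continue                                    # banner or other comment
        else:
            if columns is None:
                raise ValueError("flow record before any #Format: header")
            values = line.split()
            if len(values) != len(columns):
                raise ValueError("expected %d fields, got %d: %r"
                                 % (len(columns), len(values), line))
            rec = dict(zip(columns, values))
            rec["_time"] = time_label
            records.append(rec)
    return columns, records


def is_ip_flow(rec):
    """True when both peer addresses are dotted-quad IPv4.  In the output above
    such rows carry sourcepeertype 2; the all-zero "00-00-..." and "0.0.0" rows
    belong to other peer types that the rule set let through."""
    try:
        ipaddress.IPv4Address(rec["sourcepeeraddress"])
        ipaddress.IPv4Address(rec["destpeeraddress"])
    except ValueError:
        return False
    return True


def flows_to_port(records, port):
    """IP flows whose source or destination transport address is `port`
    (80 = www, 20 = ftp-data: the standard well-known port numbers)."""
    p = str(port)
    return [r for r in records if is_ip_flow(r)
            and p in (r["sourcetransaddress"], r["desttransaddress"])]


def pdus_per_subnet(records, prefix_len=24):
    """Sum FromPDUs+ToPDUs per /prefix_len of the source peer, IP flows only."""
    totals = {}
    for r in records:
        if is_ip_flow(r):
            net = ipaddress.ip_network("%s/%d" % (r["sourcepeeraddress"], prefix_len),
                                       strict=False)
            totals[str(net)] = totals.get(str(net), 0) + int(r["frompdus"]) + int(r["topdus"])
    return totals


def octet_deltas(records):
    """Growth of ToOctets/FromOctets between successive reports of one flow.
    Flows are keyed by (flowruleset, flowindex, firsttime) so that a flow index
    reused after garbage collection starts a fresh history.  For the sample rows
    this matches the tooctetrate/fromoctetrate columns: the first report equals
    the count itself, the next one the increase since the previous report."""
    last, out = {}, []
    for r in records:
        key = (r["flowruleset"], r["flowindex"], r["firsttime"])
        to_o, from_o = int(r["tooctets"]), int(r["fromoctets"])
        prev_to, prev_from = last.get(key, (0, 0))
        out.append((r["_time"], key, to_o - prev_to, from_o - prev_from))
        last[key] = (to_o, from_o)
    return out


if __name__ == "__main__":
    _, www = parse_flow_file(SAMPLE_WWW)
    print("port-80 PDUs by source /24:", pdus_per_subnet(flows_to_port(www, 80)))
    _, ftp = parse_flow_file(SAMPLE_FTP)
    for t, key, d_to, d_from in octet_deltas(ftp):
        print(t, key, "ToOctets +%d  FromOctets +%d" % (d_to, d_from))
```

Run it against a real NeMaC output file by passing the file's contents to parse_flow_file; because the column list is taken from the "#Format:" line, the same parser handles both the eight-column rules.dw2 output and the eighteen-column rules.dw8 output, and octet_deltas only needs the ruleset, index, FirstTime and octet columns to be present.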
From netramet-owner Tue Dec 19 03:32:41 1995
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) id DAA24745 for netramet-outgoing; Tue, 19 Dec 1995 03:28:10 +1300 (NZDT)
Received: from iconz.co.nz (iconz.co.nz [202.14.100.2]) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) with SMTP id DAA24740 for <[email protected]>; Tue, 19 Dec 1995 03:28:08 +1300 (NZDT)
Received: (rowan@localhost) by iconz.co.nz (8.6.12/8.6.10) id DAA18599; Tue, 19 Dec 1995 03:28:05 +1300
Date: Tue, 19 Dec 1995 03:28:04 +1300 (NZDT)
From: Rowan Smith <[email protected]>
To: [email protected]
Subject: Mangled packet.
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk

What does this error mean, when presented by the Manager?
NeTraMet was running quite happily on my SS20 until I launched a SATAN
scan on it; then NeMaC printed "Mangled Packet" 11 times down the screen,
and the Meter switched to the default rule set.
I assume that the default rule set is the emergency set when one isn't
specified?
I was running the rules.ipport rule file provided with the NeTraMet
distribution.
Thanks in advance
-Rowan