From netramet-owner  Thu Jan  4 13:06:13 1996
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) id NAA25734 for netramet-outgoing; Thu, 4 Jan 1996 13:03:51 +1300 (NZDT)
Received: from homer.is.com.fj (homer.is.com.fj [202.62.124.238]) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) with ESMTP id NAA25721 for <[email protected]>; Thu, 4 Jan 1996 13:03:48 +1300 (NZDT)
Received: from it.is.com.fj (it.is.com.fj [202.62.124.233]) by homer.is.com.fj (8.7.1/8.7.1) with SMTP id MAA09996 for <[email protected]>; Thu, 4 Jan 1996 12:03:43 +1200 (GMT-12)
Date: Thu, 4 Jan 1996 12:03:43 +1200 (GMT-12)
Message-Id: <[email protected]>
X-Sender: [email protected] (Unverified)
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: [email protected]
From: Ilaitia Tuisawau <[email protected]>
Subject: Installation - Simple question
Sender: [email protected]
Precedence: bulk

This may seem like a simple trivial question, but how do I fully install
NeTraMet? I am running BSD Internet Software (based on BSD 4.4 Lite) on a
Pentium-100.

I have already gunzipped and untarred the files, where do I go from here??
I've tried 'make' in the various UNIX flavours directories, but they all
give some sort of error.

Your assistance would be greatly appreciated.



From netramet-owner  Fri Jan  5 13:58:58 1996
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) id NAA25490 for netramet-outgoing; Fri, 5 Jan 1996 13:57:52 +1300 (NZDT)
Received: from ccu1.auckland.ac.nz ([email protected] [130.216.3.1]) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) with ESMTP id NAA25485; Fri, 5 Jan 1996 13:57:50 +1300 (NZDT)
Received: (from nevil@localhost) by ccu1.auckland.ac.nz (8.7.3/8.7.3) id NAA04184; Fri, 5 Jan 1996 13:57:48 +1300 (NDT)
From: J Nevil Brownlee <[email protected]>
Message-Id: <[email protected]>
Subject: Re: Installing NeTraMet.
To: [email protected] (Ilaitia Tuisawau)
Date: Fri, 5 Jan 1996 13:57:47 +1300 (NDT)
Cc: [email protected]
In-Reply-To: <[email protected]> from "Ilaitia Tuisawau" at Dec 22, 95 03:55:12 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Precedence: bulk

Hello Ilaitia:

> We are currently trying to install the NeTraMet software on to a Digital
> Prioris XL5100 running BSD Internet S/W (based on BSD 4.4 Lite). Somehow it
> is unable to make the Makefile.snmp file in ~/doc/snmp. It gives us a
> "cannot make all" error. Are we doing something seriously wrong?

The doc/snmp Makefile is the original CMU one; I haven't used it
for a long time.

The way to build NeTraMet is as follows:

* Choose one of the Unix systems - I'd guess that the Linux one should
  be a good starting point.

* cd into Linux/snmp and try make there.  This will run the Linux
  Makefile for the snmp library.  It assumes you're using the Gnu C
  compiler, so you'll need to modify it to use another compiler.

* repeat this for Linux/meter and Linux/manager.

There are two 'usual' problems to look at.  First, your system may
not have all the #include files the source code wants.  This isn't
often a problem for /snmp or /manager, since they only need the ordinary
system and socket includes.  /meter may be a problem - the compiler will
tell you which files are needed.  You may be able to simply comment out
the #include (try this first, then you can see which variables it
wants to use), otherwise you have to find your system's #includes for
them (you can grep through /usr/include/*.h).

The second problem concerns /meter.  This requires libpcap to be
available on your system - without that you can't run the meter.
Instructions on finding libpcap and installing it are in the
/doc/NeTraMet/version.history file.  Alternatively you can decide
not to build a Unix meter, and simply use the PC one, which has
a .EXE file in the /pc directory.

> Also can the PC version run on Windows 3.11 or Win95 with the  inbuilt
> stack? (Rather than Waterloo TCP/IP)

No.  At least, not right now.  It might be a good thing to build a
Windows version of the meter which used Winsock or the Windows 95 (I
won't call it 'win'), but no-one has ported it to that environment yet.

Cheers, Nevil

+-----------------------------------------------------------------------+
| Nevil Brownlee                       Director, Technology Development |
| Phone: +64 9 373 7599 x8941          ITSS, The University of Auckland |
|   FAX: +64 9 373 7425        Private Bag 92019, Auckland, New Zealand |
+-----------------------------------------------------------------------C

From netramet-owner  Fri Jan  5 14:03:30 1996
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) id OAA25679 for netramet-outgoing; Fri, 5 Jan 1996 14:03:29 +1300 (NZDT)
Received: from ccu1.auckland.ac.nz ([email protected] [130.216.3.1]) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) with ESMTP id OAA25674; Fri, 5 Jan 1996 14:03:27 +1300 (NZDT)
Received: (from nevil@localhost) by ccu1.auckland.ac.nz (8.7.3/8.7.3) id OAA04509; Fri, 5 Jan 1996 14:03:26 +1300 (NDT)
From: J Nevil Brownlee <[email protected]>
Message-Id: <[email protected]>
Subject: Re: NeTraMet on Digital Unix?
To: [email protected] (Mark Prior)
Date: Fri, 5 Jan 1996 14:03:26 +1300 (NDT)
Cc: [email protected]
In-Reply-To: <[email protected]> from "Mark Prior" at Dec 29, 95 02:56:38 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Precedence: bulk

Hello Mark:

> Do you know if anyone has ported NeTraMet to Digital Unix (aka OSF/1)?
> I was thinking of having a go but would be very happy to avoid the
> effort if it's been done before :-) I expect at a minimum I will need
> to junk the snmplib provided and use the UCD version instead which is
> already 64 bit clean.

Yes.  I did it for a group in Darwin late last year.  You shouldn't
have any problems building it using the Makefiles in the /ultrix
directories.

Cheers, Nevil

+-----------------------------------------------------------------------+
| Nevil Brownlee                       Director, Technology Development |
| Phone: +64 9 373 7599 x8941          ITSS, The University of Auckland |
|   FAX: +64 9 373 7425        Private Bag 92019, Auckland, New Zealand |
+-----------------------------------------------------------------------C

From netramet-owner  Fri Jan  5 14:16:57 1996
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) id OAA25986 for netramet-outgoing; Fri, 5 Jan 1996 14:16:55 +1300 (NZDT)
Received: from ccu1.auckland.ac.nz ([email protected] [130.216.3.1]) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) with ESMTP id OAA25981; Fri, 5 Jan 1996 14:16:54 +1300 (NZDT)
Received: (from nevil@localhost) by ccu1.auckland.ac.nz (8.7.3/8.7.3) id OAA06549; Fri, 5 Jan 1996 14:16:51 +1300 (NDT)
From: J Nevil Brownlee <[email protected]>
Message-Id: <[email protected]>
Subject: Re: NeMaC loop
To: [email protected] (Maciek Uhlig)
Date: Fri, 5 Jan 1996 14:16:51 +1300 (NDT)
Cc: [email protected]
In-Reply-To: <[email protected]> from "Maciek Uhlig" at Dec 8, 95 07:30:33 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Precedence: bulk

Hello Uhlig:

> Everything seems to work OK but I found that aborting (ESC) NetRaMet on
> the PC causes infinite loop of NeMaC on the Sun when the first collection
> after regaining connection (ie. restarting the meter) occurs
> (rules.sample is being used for testing purposes).
>
> I joined your mailing list and I'd like to ask you:
> - do you know the described behaviour and possibly the solution?
> - if not, are you interested in debugging the problem?

I'm certainly interested in debugging the problem, and I haven't seen
that problem exactly.  However I have seen similar problems with
NeMaC looping on SunOS and Solaris.  Could you please try the 3.3beta
version (ftp://pub/iawg/NeTraMet/33Solaris.tar.gz), and let me know
whether that solves the problem or not.  If it doesn't, I'll try to
reproduce the problem here.

> - are there any archives of the mailing list?

Yes, they're in ftp://pub/iawg/NeTraMet/ml-archive.

Cheers, Nevil

+-----------------------------------------------------------------------+
| Nevil Brownlee                       Director, Technology Development |
| Phone: +64 9 373 7599 x8941          ITSS, The University of Auckland |
|   FAX: +64 9 373 7425        Private Bag 92019, Auckland, New Zealand |
+-----------------------------------------------------------------------C

From netramet-owner  Fri Jan  5 15:25:04 1996
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) id PAA27521 for netramet-outgoing; Fri, 5 Jan 1996 15:24:59 +1300 (NZDT)
Received: from jarrah.itd.adelaide.edu.au ([email protected] [129.127.40.12]) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) with SMTP id PAA27516; Fri, 5 Jan 1996 15:24:55 +1300 (NZDT)
Received: by jarrah.itd.adelaide.edu.au with SMTP (5.61+IDA+MU+NF/UA-5.28)
       id AA03949; Fri, 5 Jan 1996 12:54:47 +1030
Message-Id: <[email protected]>
To: J Nevil Brownlee <[email protected]>
Cc: [email protected]
Subject: Re: NeTraMet on Digital Unix?
In-Reply-To: Your message of "Fri, 05 Jan 1996 14:03:26 +1300."
            <[email protected]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 05 Jan 1996 12:54:47 +1030
From: Mark Prior <[email protected]>
Sender: [email protected]
Precedence: bulk

    > Do you know if anyone has ported NeTraMet to Digital Unix (aka OSF/1)?
    > I was thinking of having a go but would be very happy to avoid the
    > effort if it's been done before :-) I expect at a minimum I will need
    > to junk the snmplib provided and use the UCD version instead which is
    > already 64 bit clean.

    Yes.  I did it for a group in Darwin late last year.  You shouldn't
    have any problems building it using the Makefiles in the /ultrix
    directories.

OK I will try that.

Thanks,
Mark.

From netramet-owner  Fri Jan  5 16:16:33 1996
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) id QAA28658 for netramet-outgoing; Fri, 5 Jan 1996 16:16:31 +1300 (NZDT)
Received: from brolga.cc.uq.oz.au ([email protected] [130.102.128.5]) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) with SMTP id QAA28648 for <[email protected]>; Fri, 5 Jan 1996 16:16:29 +1300 (NZDT)
Received: from brolga.cc.uq.oz.au by brolga.cc.uq.oz.au with SMTP (PP);
         Fri, 5 Jan 1996 13:16:14 +1000
To: [email protected]
Subject: Re: Installing NeTraMet.
In-reply-to: Your message of "Fri, 05 Jan 1996 13:57:47 +1300." <[email protected]>
Date: Fri, 05 Jan 1996 13:16:10 +1000
From: David Vu <[email protected]>
Message-ID: <"brolga.cc.uq:298810:960105031624"@cc.uq.oz.au>
Sender: [email protected]
Precedence: bulk


Nevil,

:> Also can the PC version run on Windows 3.11 or Win95 with the  inbuilt
:> stack? (Rather than Waterloo TCP/IP)
:
: No.  At least, not right now.  It might be a good thing to build a
: Windows version of the meter which used Winsock or the Windows 95 (I
: won't call it 'win'), but no-one has ported it to that environment yet.

I have been running the meter on a DOS box for a while now and I would
like to make a suggestion.  Can someone create a large model meter.exe
that allows it to make use of XMS memory?  With version 3.1 the meter
can only make use of 640K conventional RAM in my 4 Meg RAM system.
The maximum number of flows I can set is 6000, but the meter would only
store up to 5098 active flows.

Use of XMS would allow a higher number of maximum flows, and a longer
collection interval.  This would make the raw data collected by NeMaC
smaller in size too, good for archiving and processing.

I will try out 3.3beta as soon as I can, hopefully this memory restriction will
be lifted in this version.

Cheers,

David Vu                             | Prentice Centre
Email  [email protected]              | The University of Queensland
Phone: +61 7 3365 3941               | Brisbane Q  4072
FAX:   +61 7 3365 4477               | Australia

From netramet-owner  Mon Jan  8 16:38:47 1996
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) id QAA05246 for netramet-outgoing; Mon, 8 Jan 1996 16:36:02 +1300 (NZDT)
Received: from ccu1.auckland.ac.nz ([email protected] [130.216.3.1]) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) with ESMTP id QAA05239; Mon, 8 Jan 1996 16:36:01 +1300 (NZDT)
Received: (from nevil@localhost) by ccu1.auckland.ac.nz (8.7.3/8.7.3) id QAA06138; Mon, 8 Jan 1996 16:36:00 +1300 (NDT)
From: J Nevil Brownlee <[email protected]>
Message-Id: <[email protected]>
Subject: Re: Mangled packet.
To: [email protected] (Rowan Smith)
Date: Mon, 8 Jan 1996 16:36:00 +1300 (NDT)
Cc: [email protected]
In-Reply-To: <[email protected]> from "Rowan Smith" at Dec 19, 95 03:28:04 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Precedence: bulk

Hello Rowan:

> What does this error mean, when presented by the Manager?
>
> Netramet was running quite happily on my SS20, until I launched a SATAN
> scan on it, then NeMaC printed "Mangled Packet" 11 times down the screen,
> and the Meter switched to the default rule set.

There were bugs in the 3.2 version of NeTraMet which caused problems
when it received an SNMP GET request for variables it didn't know
about.  These caused it to get very confused.  The problems are corrected
in the 3.3 beta version (33beta.NeTraMet.tar.gz, or the system-specific
files starting with 33..), please try version 3.3.

The actual error message ('mangled packet') comes from the SNMP decoding
routines.  It means 'there's something wrong with the format of this
message.'

> I assume that the default rule set is the emergency set when one isn't
> specified?

Yes.

Cheers, Nevil

+-----------------------------------------------------------------------+
| Nevil Brownlee                       Director, Technology Development |
| Phone: +64 9 373 7599 x8941          ITSS, The University of Auckland |
|   FAX: +64 9 373 7425        Private Bag 92019, Auckland, New Zealand |
+-----------------------------------------------------------------------C
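
Added example (not part of the original message, and not NeTraMet or CMU SNMP code): a minimal bounds-checked SNMPv1 GetRequest decoder in Python that reports a badly formatted message as "mangled" and answers a request for an unknown variable with noSuchName instead of failing. The KNOWN table, the function names and the sample packets are constructed for illustration.

```python
class MangledPacket(ValueError):
    """The BER structure of the message is inconsistent."""

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one definite-length BER element."""
    if pos + 2 > len(buf):
        raise MangledPacket("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 2 or pos + n > len(buf):
            raise MangledPacket("bad length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):            # never read past the received data
        raise MangledPacket("length runs past end of data")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, pos, want):
    """Read one element and insist on its tag."""
    tag, value, pos = read_tlv(buf, pos)
    if tag != want:
        raise MangledPacket(f"expected tag 0x{want:02x}, got 0x{tag:02x}")
    return value, pos

def decode_oid(value):
    """Decode a BER OBJECT IDENTIFIER into dotted form."""
    if not value or value[-1] & 0x80:      # last sub-identifier must terminate
        raise MangledPacket("bad OID")
    ids, sub = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        sub = (sub << 7) | (b & 0x7F)
        if not b & 0x80:
            ids.append(sub)
            sub = 0
    return ".".join(map(str, ids))

def decode_get_request(packet):
    """Return (community, request_id, [oids]) or raise MangledPacket."""
    msg, end = expect(packet, 0, 0x30)     # Message ::= SEQUENCE
    if end != len(packet):
        raise MangledPacket("trailing bytes")
    _version, pos = expect(msg, 0, 0x02)
    community, pos = expect(msg, pos, 0x04)
    pdu, pos = expect(msg, pos, 0xA0)      # GetRequest-PDU
    req_id, p = expect(pdu, 0, 0x02)
    _, p = expect(pdu, p, 0x02)            # error-status
    _, p = expect(pdu, p, 0x02)            # error-index
    varbinds, p = expect(pdu, p, 0x30)
    oids, q = [], 0
    while q < len(varbinds):
        vb, q = expect(varbinds, q, 0x30)
        oid, _ = expect(vb, 0, 0x06)
        oids.append(decode_oid(oid))
    return (community.decode("ascii", "replace"),
            int.from_bytes(req_id, "big", signed=True), oids)

# Constructed variable table; a real agent would consult its MIB here.
KNOWN = {"1.3.6.1.2.1.1.1.0": "constructed sysDescr value"}
NO_ERROR, NO_SUCH_NAME = 0, 2              # SNMPv1 error-status values

def answer(packet):
    """Return (error_status, error_index, values), or None for a mangled packet."""
    try:
        _, _, oids = decode_get_request(packet)
    except MangledPacket:
        return None                        # drop it; agent state is untouched
    for index, oid in enumerate(oids, 1):  # error-index is 1-based
        if oid not in KNOWN:
            return NO_SUCH_NAME, index, []
    return NO_ERROR, 0, [KNOWN[o] for o in oids]

# Constructed GetRequest: version 0, community "public", request-id 1,
# one varbind for 1.3.6.1.2.1.1.1.0 with a NULL value.
VALID = bytes.fromhex(
    "3026 020100 0406 7075626c6963 a019 020101 020100 020100"
    "300e 300c 0608 2b06010201010100 0500")
# Same request for 1.3.6.1.2.1.1.99.0, which is not in KNOWN.
UNKNOWN = VALID.replace(bytes.fromhex("2b06010201010100"),
                        bytes.fromhex("2b06010201016300"))
TRUNCATED = VALID[:-5]                     # outer length now exceeds the data

if __name__ == "__main__":
    for name, pkt in (("valid", VALID), ("unknown", UNKNOWN),
                      ("truncated", TRUNCATED)):
        print(name, answer(pkt))
```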

From netramet-owner  Fri Jan 19 11:59:42 1996
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) id LAA22156 for netramet-outgoing; Fri, 19 Jan 1996 11:56:58 +1300 (NZDT)
Received: from homer.is.com.fj (homer.is.com.fj [202.62.124.238]) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) with ESMTP id LAA22145 for <[email protected]>; Fri, 19 Jan 1996 11:56:51 +1300 (NZDT)
Received: from it.is.com.fj (it.is.com.fj [202.62.124.233]) by homer.is.com.fj (8.7.1/8.7.1) with SMTP id KAA04289 for <[email protected]>; Fri, 19 Jan 1996 10:56:45 +1200 (GMT-12)
Date: Fri, 19 Jan 1996 10:56:45 +1200 (GMT-12)
Message-Id: <[email protected]>
X-Sender: [email protected] (Unverified)
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: [email protected]
From: Ilaitia Tuisawau <[email protected]>
Subject: Basic Queries
Sender: [email protected]
Precedence: bulk

Hello All,

I have finally got NeTraMet doing what I basically want, although I still
seem to have resolution problems. A file (size: 2,557,592 bytes) which I
have FTP'ed from one machine to another on the LAN (and we confirm file size
at both ends), keeps showing up as 2,354,787 bytes. Is this from dropping
packets, or a more subtle problem? Below is the rules file and result after
running the flows data file through fd_filter.

Also, in the save_124 etc, can I check for different size sub-nets, and if
so, in which order? (I would think larger first?)

==================
#  1710, Mon 8 Jan 96
#
#  Rule specification file to tally Network IP traffic
#  Isolating Class C Networks - 202.62.124/24 [CIDR]
#
#  Ilaitia Tuisawau, Internet Services, FPTL
#
#  [Based on code by Nevil Brownlee, Auckland University]
#
SET 7
#
RULES
 SourcePeerType & 255 = IP:    Pushto, IP_pkt;
 Null & 0 = 0: Ignore, 0;      Ignore other packet types
#
# Tally IP traffic by (Class C) subnet
IP_pkt:
 SourcePeerAddress  & 255.255.255.0 = 202.62.124.0: GotoAct, save_124;
 DestPeerAddress  & 255.255.255.0 = 202.62.124.0: GotoAct, save_124;
 SourcePeerAddress  & 255.255.255.0 = 202.62.125.0: GotoAct, save_125;
 DestPeerAddress  & 255.255.255.0 = 202.62.125.0: GotoAct, save_125;
 SourcePeerAddress  & 255.255.255.0 = 202.62.126.0: GotoAct, save_126;
 DestPeerAddress  & 255.255.255.0 = 202.62.126.0: GotoAct, save_126;
 SourcePeerAddress  & 255.255.255.0 = 202.62.127.0: GotoAct, save_127;
 DestPeerAddress  & 255.255.255.0 = 202.62.127.0: GotoAct, save_127;
 Null & 0 = 0: Ignore, 0; # Only interested in Internet Services traffic
#
save_124:
#  SourcePeerAddress  & 255.255.255.255 = 0.0.0.0: PushPkttoAct, Next;
#  DestPeerAddress & 255.255.255.255 = 0.0.0.0: CountPkt, 0;
 SourcePeerAddress  & 255.255.255.224 = 0.0.0.0: PushPkttoAct, Next;
 DestPeerAddress  & 255.255.255.224 = 0.0.0.0: CountPkt, 0;
 SourcePeerAddress  & 255.255.255.240 = 0.0.0.0: PushPkttoAct, Next;
 DestPeerAddress  & 255.255.255.240 = 0.0.0.0: CountPkt, 0;
 Null & 0 = 0: Ignore, 0;
save_125:
 SourcePeerAddress  & 255.255.255.240 = 0.0.0.0: PushPkttoAct, Next;
 SourcePeerAddress  & 255.255.255.224 = 0.0.0.0: PushPkttoAct, Next;
 SourcePeerAddress  & 255.255.255.224 = 0.0.0.0: CountPkt, 0;
 Null & 0 = 0: Ignore, 0;
save_126:
 SourcePeerAddress  & 255.255.255.240 = 0.0.0.0: PushPkttoAct, Next;
 SourcePeerAddress  & 255.255.255.224 = 0.0.0.0: PushPkttoAct, Next;
 SourcePeerAddress  & 255.255.255.224 = 0.0.0.0: CountPkt, 0;
 Null & 0 = 0: Ignore, 0;
save_127
 SourcePeerAddress  & 255.255.255.240 = 0.0.0.0: PushPkttoAct, Next;
 SourcePeerAddress  & 255.255.255.224 = 0.0.0.0: PushPkttoAct, Next;
 SourcePeerAddress  & 255.255.255.224 = 0.0.0.0: CountPkt, 0;
 Null & 0 = 0: Ignore, 0;
#
STATISTICS
#
FORMAT FlowRuleSet FlowIndex FirstTime "  "
  SourcePeerType SourcePeerAddress DestPeerAddress "  "
  SourceTransType SourceTransAddress DestTransAddress "  "
  ToPDUs FromPDUs "  " ToOctets FromOctets;
#
# end of file
==============

OUTPUT FROM FD_FILTER:
======================
##NeTraMet v3.3:   -c120 -r rules.it  marge ef0  2600 flows  starting at 09:37:15 Thu 11 Jan 96
#Format: sourcepeeraddress destpeeraddress      topdurate frompdurate   tooctetrate fromoctetrate
#Time: 09:37:15 Thu 11 Jan 96 marge Flows from 1 to 3290400
#Time: 09:38:00 Thu 11 Jan 96 marge Flows from 3290399 to 3294900
202.62.124.0 198.4.6.0  21 24   1332 1620
202.62.125.64 202.62.124.224    1 1     90 90
202.62.124.224 224.0.0.0        7 0     574 0
202.62.124.224 202.62.124.224   9 0     846 0
128.240.226.0 202.62.124.224    16 20   3241 1483
#Time: 09:40:00 Thu 11 Jan 96 marge Flows from 3294899 to 3306900
202.62.125.64 202.62.124.224    2 2     180 180
202.62.124.224 224.0.0.0        25 0    2050 0
202.62.124.224 202.62.124.224   2141 0  2354787 0
128.240.226.0 202.62.124.224    6 9     866 612
202.62.124.224 140.200.128.0    4 4     310 1565
192.189.54.0 202.62.124.224     7 6     463 626
202.62.124.0 202.62.124.224     39 25   3640 6494
202.62.124.0 146.169.32.0       50 43   4234 17093
146.169.2.0 202.62.124.224      1 1     86 308
202.62.124.0 128.243.40.32      15 12   1172 3197
#Time: 09:42:00 Thu 11 Jan 96 marge Flows from 3306899 to 3318900
202.62.125.64 202.62.124.224    1 1     90 90
202.62.124.224 224.0.0.0        22 0    1804 0
202.62.124.224 202.62.124.224   13 0    1206 0
128.240.226.0 202.62.124.224    0 2     0 120
202.62.124.0 146.169.32.0       201 136 18245 38845
#Time: 09:44:00 Thu 11 Jan 96 marge Flows from 3318899 to 3330900
202.62.125.64 202.62.124.224    2 2     180 180
202.62.124.224 224.0.0.0        26 0    2132 0
202.62.124.224 202.62.124.224   26 0    2284 0
128.240.226.0 202.62.124.224    1 1     60 60
202.62.124.0 202.62.124.224     25 15   1536 2886
202.62.124.0 146.169.32.0       47 47   2820 26962
===============


Your suggestions would be greatly appreciated.

Regards,
Ilaitia.


From netramet-owner  Tue Jan 23 12:59:17 1996
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) id MAA22884 for netramet-outgoing; Tue, 23 Jan 1996 12:55:38 +1300 (NZDT)
Received: from homer.is.com.fj (homer.is.com.fj [202.62.124.238]) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) with ESMTP id MAA22871 for <[email protected]>; Tue, 23 Jan 1996 12:55:34 +1300 (NZDT)
Received: from it.is.com.fj (it.is.com.fj [202.62.124.233]) by homer.is.com.fj (8.7.1/8.7.1) with SMTP id LAA03469 for <[email protected]>; Tue, 23 Jan 1996 11:55:30 +1200 (GMT-12)
Date: Tue, 23 Jan 1996 11:55:30 +1200 (GMT-12)
Message-Id: <[email protected]>
X-Sender: [email protected] (Unverified)
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: [email protected]
From: Ilaitia Tuisawau <[email protected]>
Subject: Error in flow file Turnover
Sender: [email protected]
Precedence: bulk

Hello All,

I have got a basic rules file (below) that isolates subnets of each Class C
Addresses. (This helps with our billing). I do collections every hour, a
keepalive every 10min, and a turnover (using NeMaC.flag file) every day with
a cron job. However, while testing I found a problem with the restart - it
just wouldn't do it. Am I doing something seriously wrong? I have read other
user Email from the archives, and found that some other users had similar
problems, but the solution wasn't in there.

At the moment I will probably have to do this manually until this is resolved.

Any assistance would be appreciated.

Regards,
Ilaitia

======================

#  1710, Mon 8 Jan 96
#
#  Rule specification file to tally Network IP traffic
#  Isolating Class C Networks - 202.62.124/24 [CIDR]
#
#  Ilaitia Tuisawau, Internet Services, FPTL
#
#  [Based on code by Nevil Brownlee, Auckland University]
#
SET 7
#
RULES
 SourcePeerType & 255 = IP:    Pushto, IP_pkt;
 Null & 0 = 0: Ignore, 0;      Ignore other packet types
#
# Tally IP traffic by (Class C) subnet
IP_pkt:
 SourcePeerAddress  & 255.255.255.0 = 202.62.124.0: GotoAct, save_124;
 DestPeerAddress  & 255.255.255.0 = 202.62.124.0: GotoAct, save_124;
 SourcePeerAddress  & 255.255.255.0 = 202.62.125.0: GotoAct, save_125;
 DestPeerAddress  & 255.255.255.0 = 202.62.125.0: GotoAct, save_125;
 SourcePeerAddress  & 255.255.255.0 = 202.62.126.0: GotoAct, save_126;
 DestPeerAddress  & 255.255.255.0 = 202.62.126.0: GotoAct, save_126;
 SourcePeerAddress  & 255.255.255.0 = 202.62.127.0: GotoAct, save_127;
 DestPeerAddress  & 255.255.255.0 = 202.62.127.0: GotoAct, save_127;
 Null & 0 = 0: Ignore, 0; # Only interested in Internet Services traffic
#
# Subnets of 16 hosts
#
save_124:
 SourcePeerAddress  & 255.255.255.240 = 0.0.0.0: PushPkttoAct, Next;
 DestPeerAddress  & 255.255.255.240 = 0.0.0.0: CountPkt, 0;
 Null & 0 = 0: Ignore, 0;
#
# Subnets of 32 hosts
#
save_125:
 SourcePeerAddress  & 255.255.255.224 = 0.0.0.0: PushPkttoAct, Next;
 DestPeerAddress  & 255.255.255.224 = 0.0.0.0: CountPkt, 0;
 Null & 0 = 0: Ignore, 0;
#
save_126:
 SourcePeerAddress  & 255.255.255.224 = 0.0.0.0: PushPkttoAct, Next;
 DestPeerAddress  & 255.255.255.224 = 0.0.0.0: CountPkt, 0;
 Null & 0 = 0: Ignore, 0;
save_127
 SourcePeerAddress  & 255.255.255.224 = 0.0.0.0: PushPkttoAct, Next;
 DestPeerAddress  & 255.255.255.224 = 0.0.0.0: CountPkt, 0;
 Null & 0 = 0: Ignore, 0;
#
STATISTICS
#
FORMAT FlowRuleSet FlowIndex FirstTime "  "
  SourcePeerType SourcePeerAddress DestPeerAddress "  "
  SourceTransType SourceTransAddress DestTransAddress "  "
  ToPDUs FromPDUs "  " ToOctets FromOctets;
#
# end of file


From netramet-owner  Fri Jan 26 06:52:02 1996
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) id GAA17636 for netramet-outgoing; Fri, 26 Jan 1996 06:49:44 +1300 (NZDT)
Received: from atos.warman.com.pl (atos.warman.com.pl [148.81.168.6]) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) with SMTP id GAA17628 for <[email protected]>; Fri, 26 Jan 1996 06:49:38 +1300 (NZDT)
Received: (from abial@localhost) by atos.warman.com.pl (8.6.9/8.6.12) id SAA03473; Thu, 25 Jan 1996 18:49:30 +0100
Date: Thu, 25 Jan 1996 18:49:30 +0100 (MET)
From: Andrzej Bialecki <[email protected]>
To: [email protected]
Subject: missing statistics in flow files
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk

Hi,

While running NeTraMet on a Sun SPARC, I encountered a strange phenomenon.
The rule file contains a STATISTICS statement, and NeMaC produces a flow file
that includes the proper line, but all the variables such as aps, apb,
mps, mpb, lsp, avi, mni are zero. The rest of the line is correct (that
is, it changes). But when I gather data from the DOS version of NeTraMet,
everything is ok.

I'd appreciate any suggestions.

Andy

+------------------------------------------------------------------------+
| ANDRZEJ BIALECKI,           <[email protected]>, NASK (WARMAN)       |
| Research and Academic Network in Poland, Warsaw Area Network           |
| phone: (+48 22) 414115, Bartycka 18, 00-716 Warsaw, Poland             |
+------------------------------------------------------------------------+


From netramet-owner  Mon Jan 29 10:51:44 1996
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) id KAA17202 for netramet-outgoing; Mon, 29 Jan 1996 10:49:29 +1300 (NZDT)
Received: from ccu1.auckland.ac.nz ([email protected] [130.216.3.1]) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) with ESMTP id KAA17196; Mon, 29 Jan 1996 10:49:27 +1300 (NZDT)
Received: (from nevil@localhost) by ccu1.auckland.ac.nz (8.7.3/8.7.3) id KAA24873; Mon, 29 Jan 1996 10:49:27 +1300 (NDT)
From: J Nevil Brownlee <[email protected]>
Message-Id: <[email protected]>
Subject: Comments on Rule file ..
To: [email protected] (Ilaitia Tuisawau)
Date: Mon, 29 Jan 1996 10:49:26 +1300 (NDT)
Cc: [email protected]
In-Reply-To: <[email protected]> from "Ilaitia Tuisawau" at Jan 23, 96 11:55:30 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Precedence: bulk

Hello All:

Here are some comments on Ilaitia's rule file ..

Cheers, Nevil

+-----------------------------------------------------------------------+
| Nevil Brownlee                       Director, Technology Development |
| Phone: +64 9 373 7599 x8941          ITSS, The University of Auckland |
|   FAX: +64 9 373 7425        Private Bag 92019, Auckland, New Zealand |
+-----------------------------------------------------------------------C

> I have got a basic rules file (below) that isolates subnets of each Class C
> Addresses. (This helps with our billing). I do collections every hour, a
> keepalive every 10min, and a turnover (using NeMaC.flag file) every day with
> a cron job. However, while testing I found a problem with the restart - it
> just wouldn't do it. Am I doing something seriously wrong? I have read other
> user Email from the archives, and found that some other users had similar
> problems, but the solution wasn't in there.
>
> At the moment I will probably have to do this manually until this is resolved.
>
> Any assistance would be appreciated.
>
> Regards,
> Ilaitia
>
>
> #  1710, Mon 8 Jan 96
> #
> #  Rule specification file to tally Network IP traffic
> #  Isolating Class C Networks - 202.62.124/24 [CIDR]
> #
> #  Ilaitia Tuisawau, Internet Services, FPTL
> #
> #  [Based on code by Nevil Brownlee, Auckland University]
> #
> SET 7
> #
> RULES
>   SourcePeerType & 255 = IP:  Pushto, IP_pkt;
>   Null & 0 = 0:       Ignore, 0;      Ignore other packet types
> #
> # Tally IP traffic by (Class C) subnet
> IP_pkt:
>   SourcePeerAddress  & 255.255.255.0 = 202.62.124.0: GotoAct, save_124;
>   DestPeerAddress  & 255.255.255.0 = 202.62.124.0: GotoAct, save_124;
>   SourcePeerAddress  & 255.255.255.0 = 202.62.125.0: GotoAct, save_125;
>   DestPeerAddress  & 255.255.255.0 = 202.62.125.0: GotoAct, save_125;
>   SourcePeerAddress  & 255.255.255.0 = 202.62.126.0: GotoAct, save_126;
>   DestPeerAddress  & 255.255.255.0 = 202.62.126.0: GotoAct, save_126;
>   SourcePeerAddress  & 255.255.255.0 = 202.62.127.0: GotoAct, save_127;
>   DestPeerAddress  & 255.255.255.0 = 202.62.127.0: GotoAct, save_127;
>   Null & 0 = 0: Ignore, 0; # Only interested in Internet Services traffic

You only need to do these tests in one direction - I suggest you try
it with all the 'DestPeerAddress' rules deleted.  The meter tries the
rules in both forward (as received) and backward (source and dest
addresses swapped) directions so it can decide which direction the
packet is travelling.  Having tests in both directions gives rise to
unexpected behaviour in rule sets!

> #
> # Subnets of 16 hosts
> #
> save_124:
>   SourcePeerAddress  & 255.255.255.240 = 0.0.0.0: PushPkttoAct, Next;
>   DestPeerAddress  & 255.255.255.240 = 0.0.0.0: CountPkt, 0;
>   Null & 0 = 0: Ignore, 0;
> #
> # Subnets of 32 hosts
> #
> save_125:
>   SourcePeerAddress  & 255.255.255.224 = 0.0.0.0: PushPkttoAct, Next;
>   DestPeerAddress  & 255.255.255.224 = 0.0.0.0: CountPkt, 0;
>   Null & 0 = 0: Ignore, 0;
> #
> save_126:
>   SourcePeerAddress  & 255.255.255.224 = 0.0.0.0: PushPkttoAct, Next;
>   DestPeerAddress  & 255.255.255.224 = 0.0.0.0: CountPkt, 0;
>   Null & 0 = 0: Ignore, 0;
> save_127
>   SourcePeerAddress  & 255.255.255.224 = 0.0.0.0: PushPkttoAct, Next;
>   DestPeerAddress  & 255.255.255.224 = 0.0.0.0: CountPkt, 0;
>   Null & 0 = 0: Ignore, 0;

No problems with the DestPeerAddress rules here though, since they
simply push the addresses from the packet.

> #
> STATISTICS
> #
> FORMAT FlowRuleSet FlowIndex FirstTime "  "
>    SourcePeerType SourcePeerAddress DestPeerAddress "  "
>    SourceTransType SourceTransAddress DestTransAddress "  "
>    ToPDUs FromPDUs "  " ToOctets FromOctets;
> #
> # end of file
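
Added example (not part of Nevil's message and not NeTraMet code): a simplified Python model of the forward/backward rule matching described above, run on constructed packets, showing how Source-only tests give every flow the same orientation while tests in both directions leave it to whichever packet arrives first. The function names, the /27 mask applied to both addresses, and the reverse lookup in the flow table are assumptions of the model.

```python
import ipaddress

# The four Class C networks tested in the IP_pkt rules of the rule file.
LOCAL_NETS = [ipaddress.ip_network(f"202.62.{n}.0/24") for n in (124, 125, 126, 127)]
# Mask pushed by the save_xxx rules (255.255.255.224, "subnets of 32 hosts").
SUBNET_MASK = int(ipaddress.ip_address("255.255.255.224"))

def is_local(addr):
    """True if addr lies in one of the metered Class C networks."""
    return any(ipaddress.ip_address(addr) in net for net in LOCAL_NETS)

def subnet(addr):
    """Address with the subnet mask applied, as the Push actions store it."""
    return str(ipaddress.ip_address(int(ipaddress.ip_address(addr)) & SUBNET_MASK))

def matches(src, dst, test_dest):
    """Model of the IP_pkt rules: SourcePeerAddress tests, plus the
    DestPeerAddress tests when test_dest is True."""
    return is_local(src) or (test_dest and is_local(dst))

def meter(packets, test_dest):
    """Tally packets into flows keyed by (source subnet, dest subnet)."""
    flows = {}
    for src, dst, size in packets:
        if matches(src, dst, test_dest):        # forward: as received
            key, to_dir = (subnet(src), subnet(dst)), True
        elif matches(dst, src, test_dest):      # backward: addresses swapped
            key, to_dir = (subnet(dst), subnet(src)), False
        else:
            continue                            # final "Ignore" rule
        # Assumption: a packet belonging to an existing flow in the opposite
        # orientation is counted against that flow's other direction.
        if key not in flows and key[::-1] in flows:
            key, to_dir = key[::-1], not to_dir
        counters = flows.setdefault(
            key, {"ToPDUs": 0, "FromPDUs": 0, "ToOctets": 0, "FromOctets": 0})
        counters["ToPDUs" if to_dir else "FromPDUs"] += 1
        counters["ToOctets" if to_dir else "FromOctets"] += size
    return flows

def local_always_source(flows):
    """True if every flow has a metered subnet as its source address."""
    return all(is_local(source) for source, _dest in flows)

# Constructed packets (src, dst, octets): one conversation opened by a
# remote host, one opened by a local host.
PACKETS = [
    ("128.240.226.5", "202.62.124.233", 60),    # remote -> local, first packet
    ("202.62.124.233", "128.240.226.5", 1500),  # reply
    ("202.62.124.10", "146.169.32.10", 60),     # local -> remote, first packet
    ("146.169.32.10", "202.62.124.10", 1500),   # reply
]

if __name__ == "__main__":
    for test_dest in (True, False):
        label = "Source+Dest tests" if test_dest else "Source tests only"
        print(label)
        for key, counters in meter(PACKETS, test_dest).items():
            print("  ", key, counters)
```

With both sets of tests the remote-initiated conversation is recorded with the remote subnet as source, so To/From counters mean different things from flow to flow; with the Source tests alone the local subnet is always the source.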

From netramet-owner  Tue Jan 30 09:27:17 1996
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) id JAA16498 for netramet-outgoing; Tue, 30 Jan 1996 09:26:08 +1300 (NZDT)
Received: from ccu1.auckland.ac.nz ([email protected] [130.216.3.1]) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) with ESMTP id JAA16488; Tue, 30 Jan 1996 09:26:06 +1300 (NZDT)
Received: (from nevil@localhost) by ccu1.auckland.ac.nz (8.7.3/8.7.3) id JAA05371; Tue, 30 Jan 1996 09:26:03 +1300 (NDT)
From: J Nevil Brownlee <[email protected]>
Message-Id: <[email protected]>
Subject: Re: missing statistics in flow files
To: [email protected] (Andrzej Bialecki)
Date: Tue, 30 Jan 1996 09:26:02 +1300 (NDT)
Cc: [email protected]
In-Reply-To: <[email protected]> from "Andrzej Bialecki" at Jan 25, 96 06:49:30 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Precedence: bulk

Hello Andy:

> While running NeTraMet on a Sun SPARC, I encountered a strange phenomenon.
> The rule file contains a STATISTICS statement, and NeMaC produces a flow file
> that includes the proper line, but all the variables such as aps, apb,
> mps, mpb, lsp, avi, mni are zero. The rest of the line is correct (that
> is, it changes). But when I gather data from the DOS version of NeTraMet,
> everything is ok.
>
> +------------------------------------------------------------------------+
> | ANDRZEJ BIALECKI,           <[email protected]>, NASK (WARMAN)       |
> | Research and Academic Network in Poland, Warsaw Area Network           |
> | phone: (+48 22) 414115, Bartycka 18, 00-716 Warsaw, Poland             |
> +------------------------------------------------------------------------+
This is an implementation problem.  The PC meter has easy access to the
raw data for all the meter statistics; the Unix version doesn't.
In particular, to determine how much idle processor time there is,
the PC meter creates and processes 'dummy' packets, then uses the
proportion of dummy vs real packets as a good estimate of available
resources.  I can't do that on Unix, since other processes need the
processor cycles!

In a future release it may be possible to provide better statistics from
the Unix meter, meantime one just has to use a PC meter.

Cheers, Nevil

+-----------------------------------------------------------------------+
| Nevil Brownlee                       Director, Technology Development |
| Phone: +64 9 373 7599 x8941          ITSS, The University of Auckland |
|   FAX: +64 9 373 7425        Private Bag 92019, Auckland, New Zealand |
+-----------------------------------------------------------------------C

From netramet-owner  Tue Jan 30 21:06:36 1996
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) id VAA16520 for netramet-outgoing; Tue, 30 Jan 1996 21:04:09 +1300 (NZDT)
Received: from atos.warman.com.pl (atos.warman.com.pl [148.81.168.6]) by mailhost.auckland.ac.nz (8.7.1/8.7.1-ua) with SMTP id VAA16515; Tue, 30 Jan 1996 21:04:03 +1300 (NZDT)
Received: (from abial@localhost) by atos.warman.com.pl (8.6.9/8.6.12) id JAA04296; Tue, 30 Jan 1996 09:04:01 +0100
Date: Tue, 30 Jan 1996 09:04:01 +0100 (MET)
From: Andrzej Bialecki <[email protected]>
To: J Nevil Brownlee <[email protected]>
cc: [email protected]
Subject: Re: missing statistics in flow files
In-Reply-To: <[email protected]>
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk


On Tue, 30 Jan 1996, J Nevil Brownlee wrote:

> Hello Andy:
>
> > While running NeTraMet on a Sun SPARC, I encountered a strange phenomenon.
> > The rule file contains a STATISTICS statement, and NeMaC produces a flow file
> > that includes the proper line, but all the variables such as aps, apb,
> > mps, mpb, lsp, avi, mni are zero. The rest of the line is correct (that
> > is, it changes). But when I gather data from the DOS version of NeTraMet,
> > everything is ok.
>
> This is an implementation problem.  The PC meter has easy access to the
> raw data for all the meter statistics; the Unix version doesn't.
> In particular, to determine how much idle processor time there is,
> the PC meter creates and processes 'dummy' packets, then uses the
> proportion of dummy vs real packets as a good estimate of available

The idle time doesn't bother me as much as packet backlog and number of
lost packets - these are really important. My meter runs on a *very* busy
ethernet (which collects traffic from almost half of the metropolitan
backbone), so I'd better know if the meter loses info, or reaches its
maximum speed of collecting the packets.

> In particular, to determine how much idle processor time there is,
> the PC meter creates and processes 'dummy' packets, then uses the
> proportion of dummy vs real packets as a good estimate of available

I understand this limit. But, is there any way to obtain other variables,
such as number of packets/sec, packets backlog etc., (which seem to be
independent of the 'dummy packets' process)?

Andy


PS. BTW, I managed to compile both NeMaC & NeTraMet under FreeBSD.
May I treat it as a "port"? :)
+------------------------------------------------------------------------+
| ANDRZEJ BIALECKI,           <[email protected]>, NASK (WARMAN)       |
| Research and Academic Network in Poland, Warsaw Area Network           |
| phone: (+48 22) 414115, Bartycka 18, 00-716 Warsaw, Poland             |
+------------------------------------------------------------------------+