From netramet-owner  Fri Mar  1 06:06:09 1996
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.7.3/8.7.3-ua) id GAA01632 for netramet-outgoing; Fri, 1 Mar 1996 06:04:58 +1300 (NZDT)
Received: from watson.ibm.com (watson.ibm.com [129.34.139.4]) by mailhost.auckland.ac.nz (8.7.3/8.7.3-ua) with SMTP id GAA01627 for <[email protected]>; Fri, 1 Mar 1996 06:04:56 +1300 (NZDT)
From: [email protected]
Message-Id: <[email protected]>
Received: from YKTVMV by watson.ibm.com (IBM VM SMTP V2R3) with BSMTP id 0023;
  Thu, 29 Feb 96 12:04:38 EST
Date: Thu, 29 Feb 96 11:56:49 EST
To: [email protected]
Subject:  metering problem - Switch to Default Ruleset
Sender: [email protected]
Precedence: bulk

Reference:  Attached note from [email protected]

 The meter automatically switches to the default ruleset when
the number of active flow records gets too high. (To avoid running
out of available storage space.)

 There are several things which you can try. Take a look at the
NeTraMet and NeMaC reference for details. The first thing to try
would be to reduce the collection interval. You could also increase
the max number of flows when you start the meter (-f option). You
might also try changing the high water mark when you start NeMaC
(-h option). There are a few other things you could also try, but
this should be a good start.

   Stephen Stibler

>
>    I am having some problems collecting stats for more than
>  an hour or so (@ 30 and 15 mins collections) from both a PC
>  and a SunOs meter.
>
>    It works OK for a while, but then it begins using
>  the default ruleset 1 instead of my ruleset 2.
>  The meter says "Switched to default rules"
>
>  Can anyone give some idea what can I do about this ?
>
> Thanks
> Harry.
>

From netramet-owner  Tue Mar  5 06:14:03 1996
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.7.3/8.7.3-ua) id GAA10736 for netramet-outgoing; Tue, 5 Mar 1996 06:10:44 +1300 (NZDT)
Received: from [130.128.2.17] (localtalk17.ietf.interop.net [130.128.2.17]) by mailhost.auckland.ac.nz (8.7.3/8.7.3-ua) with SMTP id GAA10723 for <[email protected]>; Tue, 5 Mar 1996 06:10:38 +1300 (NZDT)
X-Sender: [email protected]
Message-Id: <v01510102ad60472206ab@[130.216.8.3]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 5 Mar 1996 06:12:32 +1300
To: [email protected]
From: [email protected] (Nevil Brownlee)
Subject: NeTraMet 3.3: Features
Sender: [email protected]
Precedence: bulk

Hello everyone:

Several people have posted notes to the list recently asking what changes
have been made in version 3.3.  The version.history file in doc/NeTraMet
contains a careful list of the changes for each release - bugs fixed,
new features introduced.  A copy of the changes for 3.3 is attached below.

I've been particularly interested in other recent postings looking at 'how
do you run two meters on the same host.'  The solution proposed (use a Unix
box, and change the SNMP port number for one of the copies of NeTraMet)
is fine, but there's got to be a better way.

I'm considering changes to allow a single meter to watch more than one
interface.  You could tell which interface a packet came from using the
SourceInterface attribute (the value is always 1 right now, it would change
to the SNMP interface number).  Would this do what users want?

Again, would it be useful to run more than one rule set at the same time
on a single meter?  If you were doing this you could use the RuleSetNbr
attribute to tell which rule set a flow was observed by.  There are
performance issues in doing this, of course, but would it be useful?
Of course you could get the same effect now by just finding another host
and running several meters, but this gets harder when you want to run a
'special' rule set for a while at a remote site ..

Cheers, Nevil

NeTraMet Version History
========================

V3.3    8 Nov 95  nm_rc: a remote console for NeTraMet
                       * nm_rc (in the /manager/ directory) combines
                            NeMaC and fd_filter to provide a simple
                            display of 'live' flow data from a single
                            meter sorted into traffic order, busiest
                            flows first.  (Briefly described in
                            doc/NeTraMet/rc-man.txt; a 'proper'
                            manual will be ready real soon now).

                 New example rule files (in examples/ directory)
                       * rules.two-adj-routers:  Meters traffic through
                            and between two routers, specified by their
                            adjacent (Ethernet) addresses.
                       * rules.two-ip-groups:  Meters traffic through
                            and between two groups of IP networks,
                            specified in a subroutine by their peer
                            (IP) network numbers.
                       * rules.rc.pr+bc:  Classifies traffic by protocol,
                            and looks at Ethernet broadcast packets in
                            detail.
                       * rules.rc.ports:  Classifies IP, IPX and
                            EtherTalk traffic by port.
                       * rules.rc.ip:     Classifies IP traffic by IP
                            address and port.
                       * rules.rc.ipx:    Classifies IPX traffic by IPX
                            address and port.

                 New options for NeMaC:
                       * -x    Don't write anything to the meter.
                            Use this if you use a second copy of NeMaC
                            (or nm_rc) to collect from a single meter.
                            Allowing two collectors to write allows
                            meter to recover flows after they've been
                            collected by only one of the two meters.
                       * -P    For each collection flow data files will
                            be opened, flow data appended to them,
                            then they will be closed.  If you move or
                            rename a closed data file a new one (with
                            the old name) will be created by the next
                            collection.  This is an alternative to using
                            the old 'flag file' method.
                       * -p    Open-append-close to NeMaC's log file as
                            well as to flow data files. Superset of -P
                       * -F name  Specifies name of flow data file.
                       * -L name  Specifies name of NeMaC log file.
                       * -c 0  Tells NeMaC to download rule file(s) to
                            the meter, then exit without collecting
                            any flow data.
                       * default values in NeMaC configuration file.
                            Since NeMaC command-line parameters can be
                            displayed by any user via the Unix ps
                            command, you should specify write community
                            names in a configuration file.  Each record
                            in a configuration file specifies meter
                            parameters which override the default values
                            or the ones specified on the NeMaC command
                            line.  NeMaC now uses the meter name 'default'
                            to indicate that this record contains default
                            values for following records.  For example ..
                              ./NeMaC -f nm-config
                            tells NeMaC to read the file 'config,' which
                            contains the following records ..
                              -c900 -p -rrules.mynet  default
                                        meter1 write-1
                                        meter2 write-2
                              -c300     meter3 write-3
                            This starts three meters; all run rules.mynet,
                            and append to their flow data files.  meter3
                            is collected every 5 minutes, meter1 and meter2
                            are collected every 15 minutes.

                 Changes to NeTraMet options:
                       * PC & Unix meter: Option settings ..
                            Options no longer need spaces to separate
                            them from their arguments, e.g. -ile0
                       * PC & Unix meter: Read Communities ..
                            Only one read community can be specified.

                 Bug fixes:
                       * PC meter: -r option (to specify read community)
                            crashed meter.
                       * Solaris meter: FDDI interface didn't work.
                            pcap-dlpi.c didn't bind the dlpi stream
                            correctly.  Fixed by new version of
                            pcap-dlpi.c from lbl (included in src/meter)
                       * Unix meter: pcap socket open didn't specify
                            a timeout; 250ms now specified.  This prevents
                            Solaris from busy-waiting; allowing NeTraMet
                            to be run as a background process.
                       * Linux meter: alters the timeout value of a
                            select() statement (this is a BSD feature).
                            Timeout value now reset to 250ms after each
                            select(); this prevents linux from
                            busy-waiting, allowing NeTraMet to be run
                            as a background process.

       8 Sep 95  Bug fixes as follows:
                       * snmplib/asn1.c changed to get integers correctly
                            out of SNMP packets.  Now works correctly
                            for OSF/1.
                       * PC meter: small memory model memcpy used to copy
                            strings from far memory.  Now uses qmove.
                            This caused snmp network managers to get
                            garbage when GETting addresses from the flow
                            table.
                       * Bug in meter/met_vars overwrote part of the
                            SNMP object tables when responding to a
                            request for a non-existent MIB object.  This
                            showed up as 'meter loses rule table' when
                            a network manager such as OpenView probed
                            a meter's MIB.
                       * Ultrix Makefiles corrected.  These can now be
                            used to build meter and manager for DEC OSF/1.

       4 Jul 95  New options for NeMaC:
                       * -a sss  Collections will be made with a time lag
                            of sss seconds.  For example, 10-minute
                            collections with 30-second time lag will occur
                            at 1000'30, 1010'30, etc.
                       * -w nnn  Specifies doWnload level.  nnn=0 (the
                            default) downloads rules on collector startup
                            and after a meter restart.  nnn=1 downloads only
                            after a meter restart, and nnn=2 never downloads.
                 Bug Fixes:
                       * PC NeTraMet returned bad string for interface name.
                            NeTraMet fixed to return 'eth0,' NeMaC modified
                            to check the string, and use 'eth0' instead of
                            a bad string (from an old meter).


+-----------------------------------------------------------------------+
| Nevil Brownlee                       Director, Technology Development |
|   FAX: 64 9 373 7425                 ITSS, The University of Auckland |
| Phone: 64 9 373 7599 x8941   Private Bag 92019, Auckland, New Zealand |
+-----------------------------------------------------------------------+
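
Added example (not part of the message above or of the NeTraMet distribution): a small resolver for the configuration records described in the 3.3 notes, showing how a 'default' record feeds the records that follow it and how per-record options override it. It assumes options are written with their argument attached (-c900), that a 'default' record replaces any earlier defaults, and that the function names are hypothetical; the permission check is an addition in the spirit of the ps remark, since the file now holds the write communities.

```python
import os
import stat

# Constructed sample, modelled on the four records shown in the version history.
SAMPLE_CONFIG = """\
-c900 -p -rrules.mynet  default
          meter1 write-1
          meter2 write-2
-c300     meter3 write-3
"""


def parse_record(line):
    """Split one record into (options, meter_name, community)."""
    options, names = {}, []
    for token in line.split():
        if token.startswith("-") and len(token) > 1:
            # Assumed form: option letter with its argument attached (-c900).
            options[token[1]] = token[2:] or True
        else:
            names.append(token)
    if not names or len(names) > 2:
        raise ValueError(f"expected 'meter [community]': {line!r}")
    community = names[1] if len(names) == 2 else None
    return options, names[0], community


def resolve_meters(text, cmdline_options=None):
    """Return {meter: effective settings}, applying 'default' records in order."""
    base = dict(cmdline_options or {})
    defaults = dict(base)
    meters = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        options, name, community = parse_record(line)
        if name == "default":
            # Defaults apply to the records that follow this one.
            defaults = {**base, **options}
            continue
        if community is None:
            raise ValueError(f"meter {name!r} has no write community")
        # Precedence: command line < default record < the meter's own record.
        meters[name] = {"options": {**defaults, **options}, "community": community}
    return meters


def readable_by_others(path):
    """True if group or other can read the file that holds the communities."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


if __name__ == "__main__":
    for name, cfg in resolve_meters(SAMPLE_CONFIG).items():
        # Print settings only; the community is a secret and stays out of output.
        print(name, cfg["options"])
```
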



From netramet-owner  Thu Mar  7 22:43:21 1996
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.7.3/8.7.3-ua) id WAA27728 for netramet-outgoing; Thu, 7 Mar 1996 22:40:30 +1300 (NZDT)
Received: from atos.warman.com.pl (atos.warman.com.pl [148.81.168.6]) by mailhost.auckland.ac.nz (8.7.3/8.7.3-ua) with SMTP id WAA27721; Thu, 7 Mar 1996 22:40:09 +1300 (NZDT)
Received: (from abial@localhost) by atos.warman.com.pl (8.6.9/8.6.12) id KAA00973; Thu, 7 Mar 1996 10:39:53 +0100
Date: Thu, 7 Mar 1996 10:39:52 +0100 (MET)
From: Andrzej Bialecki <[email protected]>
X-Sender: [email protected]
To: Nevil Brownlee <[email protected]>
cc: [email protected]
Subject: Re: NeTraMet 3.3: Features
In-Reply-To: <v01510102ad60472206ab@[130.216.8.3]>
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk

On Tue, 5 Mar 1996, Nevil Brownlee wrote:
>
> I'm considering changes to allow a single meter to watch more than one
> interface.  You could tell which interface a packet came from using the
> SourceInterface attribute (the value is always 1 right now, it would change
> to the SNMP interface number).  Would this do what users want?

As far as my situation is concerned - yes, this would help (no need to
change the sources).

> Again, would it be useful to run more than one rule set at the same time
> on a single meter?  If you were doing this you could use the RuleSetNbr
> attribute to tell which rule set a flow was observed by.  There are
> performance issues in doing this, of course, but would it be useful?
> Of course you could get the same effect now by just finding another host
> and running several meters, but this gets harder when you want to run a
> 'special' rule set for a while at a remote site ..

Definitely YES! E.g. I could collect detailed data with one rule set,
while at the same time doing overall statistics with the second one. Or,
better yet, I could collect traffic by host address, and at the same time
collect data by IP port - combined number of flows created by those two
sets would be infinitely less than the number of flows created by rule set
analyzing all of the attributes at the same time.

By the way: thanks, Nevil, for developing this software. This is a really
valuable and handy tool.

Andy


+------------------------------------------------------------------------+
| ANDRZEJ BIALECKI,           <[email protected]>, NASK (WARMAN)       |
| Research and Academic Network in Poland, Warsaw Area Network           |
| phone: (+48 22) 414115, Bartycka 18, 00-716 Warsaw, Poland             |
+------------------------------------------------------------------------+


From netramet-owner  Fri Mar 15 14:24:58 1996
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.7.3/8.7.3-ua) id OAA14408 for netramet-outgoing; Fri, 15 Mar 1996 14:21:47 +1300 (NZDT)
Received: from nmdx01.ncom.nt.gov.au ([150.191.80.2]) by mailhost.auckland.ac.nz (8.7.3/8.7.3-ua) with ESMTP id OAA14397 for <[email protected]>; Fri, 15 Mar 1996 14:21:43 +1300 (NZDT)
From: [email protected]
Received: from LMS.NCOM.NT.GOV.AU by aarnet.ncom.nt.gov.au (PMDF V5.0-4 #4927)
id <[email protected]> for [email protected];
Fri, 15 Mar 1996 10:49:51 CST+930
Date: Fri, 15 Mar 1996 10:54:28 +0930
Subject: HOST : Unreachable
To: "        -         (052)netramet(a)auckland.ac.nz" <[email protected]>
Message-id: <0050000001191799000002*@MHS.ncom.nt.gov.au>
Content-transfer-encoding: 7BIT
X400-Content-type: P2-1988 (22)
X400-MTS-identifier: [/PRMD=NTTGOV/ADMD=TELEMEMO/C=AU/;0050000001191799000002]
X400-Originator: [email protected]
X400-Recipients: [email protected]
Sender: [email protected]
Precedence: bulk

    Dear Nevil,

    I have taken over David Hoey's Netramet project for the Northern
    Territory Government, at the moment we are using a Digital DECpc 486
    machine with a DE-200 ethernet card running the latest Netramet
    version 3.3.

    From Time-to-Time we received an ICMP: Host unreachable or c:\Netramet
    : unreachable on the pc, we have discussed this problem with our
    communications people and they claim that the comm. systems are
    running fine.

    Here is the Autoexec.bat currently running on the Digital PC :

    @ECHO OFF
    PROMPT $p$g
    PATH C:\;C:\DOS;C:\WINDOWS;C:\PW;C:\TEAMLINK
    LH SHARE
    goto %config%
    :netramet
    cd netramet
    start.bat
    goto end
    :normal
    LH DOSKEY
    SET TEMP=C:\TEMP
    SET TMP=C:\TEMP
    SET DIRCMD=/O:GN
    LH C:\DOS\SMARTDRV.EXE
    goto end
    :end

    Do you have any knowledge of other sites experiencing similar problems, or
    can you shed any light on the problem?  If so, can you please inform
    us whether you believe it is hardware or the software causing the
    problem and how we can rectify this problem.

    Ken Ko
    [email protected]

From netramet-owner  Sat Mar 16 09:24:27 1996
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.7.3/8.7.3-ua) id JAA12777 for netramet-outgoing; Sat, 16 Mar 1996 09:23:08 +1300 (NZDT)
Received: from sol.ConnectDE.NET (Sol.ConnectDE.NET [194.112.66.1]) by mailhost.auckland.ac.nz (8.7.3/8.7.3-ua) with ESMTP id JAA12767 for <[email protected]>; Sat, 16 Mar 1996 09:22:59 +1300 (NZDT)
Received: from rigel.ConnectDE.NET (Rigel.ConnectDE.NET [194.112.66.39]) by sol.ConnectDE.NET (8.7.3/8.7.3) with ESMTP id VAA13415 for <[email protected]>; Fri, 15 Mar 1996 21:22:54 +0100 (MET)
Received: from Bora.Strawberry.COM ([email protected] [194.112.66.40]) by rigel.ConnectDE.NET (8.7.3/8.7.3) with ESMTP id VAA12568 for <[email protected]>; Fri, 15 Mar 1996 21:22:52 +0100 (MET)
Received: from scirocco.strawberry.com ([email protected] [194.49.60.4]) by Bora.Strawberry.COM (8.7.3/8.7.3) with ESMTP id VAA01128 for <[email protected]>; Thu, 14 Mar 1996 21:19:30 +0100
Received: from boreas.strawberry.com (boreas.strawberry.com [194.49.60.49]) by scirocco.strawberry.com (8.7.3/8.7.3) with ESMTP id VAA22092 for <[email protected]>; Fri, 15 Mar 1996 21:32:07 +0100
Received: (from jens@localhost) by boreas.strawberry.com (8.7.3/8.7.3) id VAA02661 for [email protected]; Fri, 15 Mar 1996 21:18:58 +0100 (MET)
From: Jens Hamisch <[email protected]>
Message-Id: <[email protected]>
Subject: FDDI question
To: [email protected]
Date: Fri, 15 Mar 1996 21:18:57 +0100 (MET)
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Precedence: bulk

Hi all!

I've installed NeTraMet 3.3 on a Solaris 2.3 server connected to both
an FDDI and an Ethernet interface.

I've been able to listen to all traffic on the ethernet port and account
this, but whenever it tries to watch the FDDI port, NeTraMet doesn't count
anything.
I had a closer look at this behavior and figured out, that there's a select(2)
system call waiting for packets on the port which never returns.

Is anybody out there with experience on metering FDDI traffic? Did you see this
behavior, too? Is there some prerequisite, a workaround or a bugfix?

Ciao
-- Jens

--------------------------------------------------------------------------------
    /
+##+|##+   STRAWBERRY                  Jens Hamisch
+v#+v v##+  EDV-Systeme GmbH            Managing director
/ v    v\v
| . .  . |  Brauneckweg 2               Car (Voice):  (+49 172) 81 04 162
|     .  |  D-82549 Koenigsdorf         Voice:        (+49 8179) 5278 Q, Fax
| .     |                              Email:        [email protected]
\   .  /   Tel./Fax: (+49 8179) 5278                 [email protected]
 \____/    [email protected]   Home (Email): [email protected]



From netramet-owner  Tue Mar 19 16:39:31 1996
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.7.3/8.7.3-ua) id QAA14924 for netramet-outgoing; Tue, 19 Mar 1996 16:36:20 +1200 (NZST)
Received: from itc.gov.fj ([202.62.126.34]) by mailhost.auckland.ac.nz (8.7.3/8.7.3-ua) with ESMTP id QAA14919 for <[email protected]>; Tue, 19 Mar 1996 16:36:16 +1200 (NZST)
Received: by coconet.itc.gov.fj via suspension id <21764>; Mon, 30 Jan 1995 16:34:33 +1200
Received: by coconet.itc.gov.fj id <21761>; Mon, 30 Jan 1995 16:33:14 +1200
From: Leone Pedro <[email protected]>
To: "'[email protected]'" <[email protected]>
Subject: Running Netramet
Date: Wed, 20 Mar 1996 16:33:08 +1200
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <[email protected]>
Sender: [email protected]
Precedence: bulk

Hi there,

We have just downloaded the Netramet program and upon executing it we keep coming up with an error message saying
" No Packet driver" program halted.

How or where can we get hold of these packet drivers?

We are running this from Win 95

my address is [email protected]

Your help will be very much appreciated.

Regards
Pedro


From netramet-owner  Tue Mar 19 22:56:05 1996
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.7.3/8.7.3-ua) id WAA25162 for netramet-outgoing; Tue, 19 Mar 1996 22:55:35 +1200 (NZST)
Received: from dumont.upr.clu.edu (dumont.UPR.CLU.EDU [136.145.57.11]) by mailhost.auckland.ac.nz (8.7.3/8.7.3-ua) with SMTP id WAA25155 for <[email protected]>; Tue, 19 Mar 1996 22:55:31 +1200 (NZST)
Received: from exodo.ceenet.uprm (exodo.UPR.CLU.EDU) by dumont.upr.clu.edu (5.0/SMI-SVR4)
       id AA13098; Tue, 19 Mar 1996 01:31:01 +0500
Received: from anibalpc.upr.clu.edu by exodo.ceenet.uprm (SMI-8.6/SMI-SVR4)
       id GAA29443; Tue, 19 Mar 1996 06:55:22 +0400
Received: by anibalpc.upr.clu.edu with Microsoft Mail
       id <[email protected]>; Wed, 20 Mar 1996 07:08:51 -0400
Message-Id: <[email protected]>
From: Anibal Morales <[email protected]>
To: "'[email protected]'" <[email protected]>
Subject: NeTraMet and HTTP
Date: Wed, 20 Mar 1996 07:08:50 -0400
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Precedence: bulk

Hi all. I would like to see an example of how to use
NeTraMet to meter HTTP usage, totaling by IP
address... if that is possible.

Thanks,

Anibal Morales
Network Administrator