From netramet-owner Sat Mar 8 02:58:47 1997

From netramet-owner Sat Mar 8 02:58:47 1997
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) id CAA26216 for netramet-outgoing; Sat, 8 Mar 1997 02:37:23 +1300 (NZDT)
Received: from csu-e.csuohio.edu (csu-e.csuohio.edu [137.148.5.27]) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) with SMTP id CAA26211 for <[email protected]>; Sat, 8 Mar 1997 02:37:20 +1300 (NZDT)
Received: from athena.csuohio.edu (athena.csuohio.edu [137.148.5.13]) by csu-e.csuohio.edu (8.6.12/8.6.12) with SMTP id IAA00599 for <[email protected]>; Fri, 7 Mar 1997 08:42:28 -0500
Message-Id: <[email protected]>
X-Sender: [email protected]
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Fri, 07 Mar 1997 08:37:18 -0500
To: [email protected]
From: "Matthew B. Thomson" <[email protected]>
Subject: Porting NeTraMet
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: [email protected]
Precedence: bulk

Has anyone successfully ported NeTraMet to the NeXT operating system?

Thanks,
Matt
----------------------------------------------------------------
- Matthew B. Thomson -
- Network Support Specialist -

- Cleveland State University Information Services & Technology -
- [email protected] - 216-687-9217 - Fax 216-687-9200 -
----------------------------------------------------------------

From netramet-owner Sun Mar 9 09:05:57 1997
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) id IAA01907 for netramet-outgoing; Sun, 9 Mar 1997 08:45:08 +1300 (NZDT)
Received: from www.ifqsc.sc.usp.br (www.ifqsc.sc.usp.br [143.107.229.70]) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) with SMTP id IAA01893 for <[email protected]>; Sun, 9 Mar 1997 08:44:59 +1300 (NZDT)
Received: (from sergio@localhost) by www.ifqsc.sc.usp.br (8.6.12/8.6.12) id QAA15573; Sat, 8 Mar 1997 16:44:00 GMT
Date: Sat, 8 Mar 1997 16:43:59 +0000 ()
From: Sergio Henrique Oliveira Pereira <[email protected]>
To: Lista Netramet <[email protected]>
Subject: Capturing SYN
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk

Hello,
I need capture the bit (SYN), of the TCP header, anybody help-me ??

__
+|oo|+
+|oo|+ Instituto de Fisica de Sao Carlos - USP
|| Departamento de Fisica e Informatica
|| Grupo de Instrumentacao e Eletronica
||
||
|| E-mail : [email protected]
_ || _ [email protected]
\\_||_//
| [] |
| || | http://www.ifqsc.sc.usp.br/hpp/sergio/sergio.html
/ [] \
\______/

From netramet-owner Thu Mar 13 09:22:26 1997
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) id IAA21109 for netramet-outgoing; Thu, 13 Mar 1997 08:58:09 +1300 (NZDT)
Received: from akira.ucpel.tche.br (akira.ucpel.tche.br [200.17.82.33]) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) with SMTP id IAA21100 for <[email protected]>; Thu, 13 Mar 1997 08:58:02 +1300 (NZDT)
Received: from localhost by akira.ucpel.tche.br (AIX 3.2/UCB 5.64/4.03)
id AA23983; Wed, 12 Mar 1997 17:01:29 -0300
Date: Wed, 12 Mar 1997 17:01:29 -0300 (GRNLNDST)
From: Alexandre Timm Vieira <[email protected]>
To: [email protected]
Subject: Converting Flow Files
In-Reply-To: <[email protected]>
Message-Id: <[email protected]>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk

Hello,

I'm a student at the Catholic University of Pelotas, in the south of Brazil.
I've been using Netramet with success for around a month, but still in an
experimental character, and I use the provided rules with a few
modifications.

I'd like to know the following: How is the people on this list converting
the flow files to a friendlier format? I've already used FD_FILTER and
FD_EXTRACT to turn the data into a simpler format. Is there any tool to
convert the data to HTML? Like the site CSIRO - Netramet Stats
http://www.adl.dmt.csiro.au/unix/netramet.html ?

I use Netramet/Nemac 3.4 on an Intel Pentium 166MHz with 64MB of RAM
and RedHat Linux 4.0.

Thanks in advance for any help on tools and scripts
to convert flow data files.

) \ / (
/|\ )\_/( /|\
* / | \ (/\|/\) / | \ *
|`.____________________/__|__o____\`|'/___o__|__\___________________.'|
| '^` \|/ '^` |
| Alexandre Vieira [email protected] |
| Pelotas - RS - Brasil [email protected] |
| http://akira.ucpel.tche.br/~xandi Sysop NutecNet Pelotas |
| Analise de Sistemas Universidade Catolica Pelotas |
| Network Admin - Linux Rulez |
| ._________________________________________________________________. |
|' l /\ / \\ \ /\ l `|
* l / V )) V \ l *
l/ // \I

From netramet-owner Thu Mar 13 23:49:08 1997
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) id XAA22162 for netramet-outgoing; Thu, 13 Mar 1997 23:39:33 +1300 (NZDT)
Received: from nc3a.nato.int (issun3.nc3a.nato.int [192.41.140.225]) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) with SMTP id XAA22034 for <[email protected]>; Thu, 13 Mar 1997 23:38:43 +1300 (NZDT)
Received: from compc12.nc3a.nato.int by nc3a.nato.int with SMTP id AA14050
(5.67b/IDA-1.5 for <[email protected]>); Thu, 13 Mar 1997 11:35:38 +0100
Message-Id: <[email protected]>
X-Sender: [email protected]
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=====================_858253114==_"
Date: Thu, 13 Mar 1997 11:38:34 +0000
To: Alexandre Timm Vieira <[email protected]>, [email protected]
From: Marc van Selm <[email protected]>
Subject: Re: Converting Flow Files
X-Attachments: D:\PROGRAM\NM2WEB.C; D:\PROGRAM\NM_RC.C;
D:\WINDOWS\TOOLS\WPEDIT\NM_DISPL; D:\PROGRAM\NEMAC.SHT;
Sender: [email protected]
Precedence: bulk

--=====================_858253114==_
Content-Type: text/plain; charset="us-ascii"

At 05:01 PM 3/12/97 -0300, Alexandre Timm Vieira wrote:
>
>Hello,
>
>I'm a student at the Catholic University of Pelotas, in the south of Brazil.
>I've been using Netramet with success for around a month, but still in an
>experimental character, and I use the provided rules with a few
>modifications.
>
>I'd like to know the following: How is the people on this list converting
>the flow files to a friendlier format? I've already used FD_FILTER and
>FD_EXTRACT to turn the data into a simpler format. Is there any tool to
>convert the data to HTML? Like the site CSIRO - Netramet Stats
>http://www.adl.dmt.csiro.au/unix/netramet.html ?

I have a few tools. I'll attach the sources (mime)

They are in C-code. I hope this isn't a problem. You'll have to make some
modifications to it to tune it to your needs (for example get rid of the
references to me on the web-page)

I use nm_rc to display a top 15 (I modified nm_rc to display a top-15 and
not a top-10) of internet-users. You can use your own rules-file to get the
kind of info you like. The tools should support other formats but this isn't
tested.

This data is piped to nm2web. nm2web prints the trace on the screen of my
management machine and also creates a web-page. You can get rid of the
screen-copy by deleting the appropriate printf in nm2web.c

The command-line should look something like this: nm_rc -c 120 -r ... | nm2web

The trace is updated by nm_rc and saved by nm2web as a server-parsed
include-file. The main html-file looks like nemac.sht (rename to
nemac.shtml, sorry 8.3 chars) The webserver includes the trace-file
on-the-fly into nemac.shtml (your server must support server-parsed html)

To get this working you have to make a small modification in nm_rc.
Basically you have to add a fflush(stdout) in the file nm_rc.c, line 695.
This flush empties the pipe-buffer to nm2web. If you don't do this, data is
written to the pipe-buffer and will stay there until there is enough data.
So resulting in no updates for a long time and when the buffer is full
you'll get them as bulk...

I also made some modifications to nm_display.c (modifications attached as
nm_displ) so it shows more protocols (some protocols we used were missing
and were displayed as a number) If you want to add more just look into the
nm_display.c file and my nm_displ file how it is done. You may need RFC1700
here)

The documentation is poor, on diff-files for the modifications I've made and
support is not there but if you know about C and html you'll find out how to
get it to work. If some-one likes to create some path-files so it can be
installed more easily, be my guest. Just send me a copy...)

Good luck.

Marc

--=====================_858253114==_
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: attachment; filename="NM2WEB.C"

/* File: nm2web.c
* Builds a web interface from data forwarded via stdinput
* (c) Marc van Selm <[email protected]>
*, NATO C3 Agency, Communication Systems Division
* 17 December 1996
* Copyright: Not for external distribution without prior aproval.
*/

#include <stdio.h>
#include <signal.h>

#define BUFLEN 256
#define ZEROIP "Extern"

char nemacfile[129];
char flowfile[129];

void create_mainpage(char *lanname)
{ FILE *fp;
char fname[129];
sprintf(fname, "nemac/%s", nemacfile);
if ( !( fp=fopen(fname, "w") ) )
{ perror(fname);
exit(1);
}
fprintf(fp, "<html>\n"
"<META HTTP-EQUIV=REFRESH CONTENT=\"60; URL=%s\">"
"<title>NeMaC</title>\n"
"<body bgcolor=\"ffffff\">\n"
"<center>\n"
"<h4>NeTraMet Accounting</h4>\n"
"Accounting is running on: %s\n</center>"
"<hr><br>\n"
"<center><TABLE width=95%% border=1 bgcolor=\"e0ffe0\">\n"
"\n"
"</TABLE></center>\n"
"<br><br>Get <a href=\"info.html\">more info</a>...<br>\n"
/* "<br><br>Experimental data: ignore!<br><br>" */
"<hr>\n<font size=2>\n"
"<i>NeMaC Web, Dec 1996, NC3A, CSD, "
"<a href=\"mailto:[email protected]\">Marc van Selm</a></i>"
"</body>\n</html>",
nemacfile, lanname, flowfile);
fclose(fp);
}

void addline(char *buf, char *hline)
{ FILE *fp;
char fname[129];
int nr, cnt, rt;
char ent[15*20];

sprintf(fname, "nemac/%s", flowfile);
if ( !( fp=fopen(fname, "a") ) )
{ perror(fname);
exit(2);
}
if (buf[0]=='#')
{ buf[strlen(buf)-4]=0;
rt=fprintf(fp, "<caption>%s</caption>\n", buf+5);
if (rt<0)
{ perror(fname);
exit(3);
}
rt=fprintf(fp, "%s", hline);
}
else
{ nr=sscanf(buf, " %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s",
ent, ent+20, ent+40, ent+60, ent+80, ent+100, ent+120,
ent+140, ent+160, ent+180, ent+200, ent+220, ent+240,
ent+260, ent+280);

rt=fprintf(fp, "<TR>");
if (rt<0)
{ perror(fname);
exi|(;);
}
for (cnt=0; cnt<nr; ++cnt)
{ if ( !strcmp(ent+cnt*20, "0.0.0.0") )
rt=fprintf(fp, "<TD>%s</TD>", ZEROIP);
else
rt=fprintf(fp, "<TD>%s</TD>", ent+cnt*20);
if (rt<0)
{ perror(fname);
exit(3);
}
}
rt=fprintf(fp, "</TR>\n");
if (rt<0)
{ perror(fname);
exit(3);
}

}
fclose(fp);
}

/* print the not running page */
void termsighandler()
{ FILE *fp;
char fname[129];
sprintf(fname, "nemac/%s", nemacfile);
if ( !( fp=fopen(fname, "w") ) )
{ perror(fname);
exit(1);
}
fprintf(fp, "<html>\n"
"<META HTTP-EQUIV=REFRESH CONTENT=\"60; URL=%s\">"
"<title>NeMaC</title>\n"
"<body bgcolor=\"ffffff\">\n"
"<center>\n"
"<h4>NeTraMet Accounting</h4>\n"
"<br><br>\nAccounting is currently not running!\n</center>\n"
"<br><br>\n<hr>\n<font size=2>\n"
"<i>NeMaC Web, Oct 1996, NC3A, CSD, "
"<a href=\"mailto:[email protected]\">Marc van Selm</a></i>"
"</body>\n</html>",
nemacfile);
fclose(fp);
unlink(flowfile);

exit(0);
}

void headline(char *buf, char *line)
{ char ent[15*20];
int nr, cnt;

nr=sscanf(buf, " %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s",
ent, ent+20, ent+40, ent+60, ent+80, ent+100, ent+120,
ent+140, ent+160, ent+180, ent+200, ent+220, ent+240,
ent+260, ent+280);

strcpy(line, "<TR><TD>%</TD>");
for (cnt=0; cnt<nr; ++cnt)
{ if ( !strcmp(ent+cnt*20, "sourcepeeraddress") )
strcat(line, "<TD>From</TD>");
if ( !strcmp(ent+cnt*20, "destpeeraddress") )
strcat(line, "<TD>To</TD>");
if ( !strcmp(ent+cnt*20, "sourcepeertype") )
strcat(line, "<TD>L3</TD>");
if ( !strcmp(ent+cnt*20, "sourcetranstype") )
strcat(line, "<TD>L4</TD>");
if ( !strcmp(ent+cnt*20, "sourcetransaddress") )
strcat(line, "<TD>Port</TD>");
if ( !strcmp(ent+cnt*20, "desttransaddress") )
strcat(line, "<TD>Port</TD>");
if ( !strcmp(ent+cnt*20, "topdus") )
strcat(line, "<TD>Rpkt</TD>");
if ( !strcmp(ent+cnt*20, "tooctets") )
strcat(line, "<TD>Rbyte</TD>");
if ( !strcmp(ent+cnt*20, "frompdus") )
strcat(line, "<TD>Xpkt</TD>");
if ( !strcmp(ent+cnt*20, "fromoctets") )
strcat(line, "<TD>Xbyte</TD>");
}
strcat(line, "</TR>\n");
}

void main(int argc, char *argv[])
{ char buf[BUFLEN], strng[BUFLEN], hline[256];
char fname[129];

if (argc!=3)
{ fprintf(stderr, "Format: %s lanname\n", argv[0]);
exit(0);
}

/* create main-filename */
sprintf(nemacfile, "nemac.%s.shtml", argv[2]);
sprintf(flowfile, "current_trace.%s", argv[2]);
sprintf(fname, "nemac/%s", flowfile);

/* set SIGTERM handler */
if ( signal(SIGTERM, SIG_IGN) != SIG_IGN )
signal(SIGTERM, termsighandler);
if ( signal(SIGINT, SIG_IGN) != SIG_IGN )
signal(SIGINT, termsighandler);

/* read stdinput */
while ( fgets(buf, BUFLEN, stdin) )
{ printf("%s", buf);
sscanf(buf, " %s", strng);
/* printf("strng=>>%s<<\n", strng); */
if ( !strcmp(strng, "#Format:") )
{ create_mainpage(argv[1]);
headline(buf, hline);
}
else if ( !strcmp(strng, "#---") )
{ unlink(fname);
addline(buf, hline);
}
else
addline(buf, hline);
}

}

--=====================_858253114==_
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: attachment; filename="NM_RC.C"

/* 1400, Sun 26 May 96

NM_RC.C: A simple remote display console for NeTraMet

Copyright (C) 1992-1996 by Nevil Brownlee,
ITSS Technology Development, The University of Auckland */

/* a few minor patches:
Number of flows is now 15
More protocols are known
stdout is now flushed after displaying. Now you can pipe the
output to another tool and get instand responce.
Marc van Selm <[email protected]>
Feb 24, 1997
*/

#define MAXNRFLOWS 15 /* maximum number of flows displayed */

#include <sys/param.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netdb.h>

#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <sys/time.h>
#include <errno.h>

#include <string.h>
#include <malloc.h>

#include "ausnmp.h"

#include "asn1.h"
#include "snmp.h"
#include "snmpimpl.h"
#include "snmpapi.h"
#include "snmpclnt.h"
#include "mib.h"

#define EXTERN
#include "nmc.h"

unsigned int max_flows;
struct flow_data { /* Sample-to-sample differences */
unsigned short ruleset;
unsigned int starttime,
upbci, /* To byte rate */
dnbci, /* From byte rate */
uppci, /* To packet rate */
dnpci; /* From packet rate */
};
struct flow_data *flow_table, curr_rate, total_rate;

int nd_flows; /* Nbr of flows to display */
struct display_data {
unsigned int traffic;
struct flow_info *fi;
};
struct flow_info *dflowi;
struct display_data *dflows;

char show_names;

char rfname[NAME_LN], meter[NAME_LN], community[NAME_LN];
unsigned int def_sync, def_sample_interval, def_lag,
def_download, def_no_write_meter,
def_GCIntervalReqd, def_InactivityTime,
def_HighWaterMark, def_FloodMark;
int no_user_format, plain_format;

int sort_cmp(const void *a, const void *b)
{
if (((struct display_data *)a)->traffic < /* Reverse numeric order */
((struct display_data *)b)->traffic) return 1;
else if (((struct display_data *)a)->traffic ==
((struct display_data *)b)->traffic) return 0;
else return -1;
}

void no_write_warning(struct meter_status *ms)
{
if (ms->no_write_warned) return;
fprintf(stdout,"Community %s doesn't have write access to meter %s!\n"
" Collections won't trigger recovery of idle flows <<<\n",
ms->community,ms->name);
ms->no_write_warned = 1;
}

void add_event(struct calendar_entry *entry, struct meter_status *ms)
{
struct calendar_entry *cp, *lcp;
entry->next_event = ms->next_event; entry->ms = ms;
entry->next = NULL;
if (calendar == NULL) { /* First entry in queue */
calendar = entry;
return;
}
lcp = NULL; cp = calendar;
do {
if (ms->next_event < cp->next_event) {
entry->next = cp;
if (lcp == NULL) calendar = entry; /* Add to head */
else lcp->next = entry; /* Link into queue */
return;
}
lcp = cp; cp = cp->next;
} while (cp != NULL);
lcp->next = entry; /* Add to tail */
}

int create_meter(struct meter_status *ms, time_t first_t)
{
struct calendar_entry *entry;
int a,b,n, syntax;

if (ms->name[0] == '\0' || ms->community[0] == '\0') {
fprintf(stdout,"Meter name or community not specified !!!\n");
return 0;
}
if (testing) printf("About to create_meter name=%s, community=%s\n",
ms->name, ms->community);

if (!start_snmp_session(ms)) return 0;

ms->status = MT_MANAGE;
if (meter_info(ms)) {
ms->status |= (MT_UP | MT_INFO);
ms->next_event = ms->next_sample =
first_t; /* Get first sample immediately */
entry = (struct calendar_entry *)calloc(
sizeof(struct calendar_entry), 1);
add_event(entry,ms);
if (testing)
printf("t=%u, next_event=%u, next_keepalive=%u, next_sample=%u\n",
first_t, ms->next_event, ms->next_keepalive, ms->next_sample);
if (!meter_is_current(ms)) {
fprintf(stdout,"Warning: meter %s (version %s) not same as nm_rc!\n",
ms->name,ms->version);
}
if (ms->MaxFlows > max_flows) max_flows = ms->MaxFlows;
}
else {
fprintf(stdout,"Couldn't get meter info from %s!\n"
" Does community %s have read or write access to the meter?\n",
ms->name,ms->community);
return 0;
}

set_meter_params(ms);

syntax = ms->download_level != 0; /* 0 => initial download of rules */
if (ms->rulefile[0] == '\0') /* No rule file specified */
ms->ruleset = ms->CurrentRuleSet;
else { /* Download the rules we want to use */
parse_rulefile(ms,listrules,syntax,0,0); /* Initial load */
if (rferrors != 0) return 0;
}

/* Make sure we get the info we need to select 'top n' flows */
ms->required[FTFLOWINDEX] =
ms->required[FTRULESET] = ms->required[FTFIRSTTIME] =
ms->required[FTUPOCTETS] = ms->required[FTDOWNOCTETS] =
ms->required[FTUPPDUS] = ms->required[FTDOWNPDUS] =
ms->required[FTLOWPEERTYPE] = 1;

if (no_user_format = ms->format[0] == 0) { /* No format specified */
ms->format[0] = FTFIRSTTIME;
ms->format[1] = FTUPPDUS;
ms->format[2] = FTDOWNPDUS;
ms->format[3] = FTUPOCTETS;
ms->format[4] = FTDOWNOCTETS;
ms->format[5] = FTLOWPEERTYPE;
ms->format[6] = FTLOWPEERADDRESS; ms->required[FTLOWPEERADDRESS] = 1;
ms->format[7] = FTHIPEERADDRESS; ms->required[FTHIPEERADDRESS] = 1;
ms->format[8] = FTLOWDETAILTYPE; ms->required[FTLOWDETAILTYPE] = 1;
ms->format[9] = FTLOWDETAILADDRESS; ms->required[FTLOWDETAILADDRESS] = 1;
ms->format[10] = FTHIDETAILADDRESS; ms->required[FTHIDETAILADDRESS] = 1;
ms->format[11] = 0;
for (a = 0; a != 13; ++a) ms->separator[a] = " ";
}

++nmeters;

if (!ms->write_OK) no_write_warning(ms);

ms->OurLastCollectTime = 1L;
ms->snmp_delay = 90; /* Wait 90 ms after an snmp request */

fprintf(stdout, "#Format: ");
if ((n = ms->format[a = 0]) != 0) for (;;) {
for (b = 1; attribs[b].index != n; ++b) ;
fprintf(stdout,attribs[b].name);
if ((n = ms->format[a+1]) == 0) break;
fprintf(stdout,ms->separator[a++]);
}
fprintf(stdout,"\n");
}

void main(int argc, char *argv[])
{
int syntax;
char *ap, arg[NAME_LN];
int a, j;
time_t t1,t2; int busy_seconds;
struct meter_status *ms, *nms;
struct calendar_entry *cp;
struct stat stat_buf;
char have_config_file; FILE *cnf;
char download_only;

if (argc < 2) {
fprintf(stderr,"NeMaC [options] meter-name community\n\n");
exit(0);
}

fprintf(stdout,"nm_rc: Remote Console for NeTraMet: V3.4\n");
/* Check on meter version done in nmc_snmp.c */

incl_depth = syntax = verbose = testing = listrules = standard = 0;
def_sync = 1; /* Samples synchronised with TOD clock */
def_sample_interval = 120; /* Default 2 minutes */
def_lag = 0; /* No time lag for collections */
rfname[0] = meter[0] = community[0] = '\0';
max_flows = 0;
def_download = 0; /* Download rule sets on startup */
def_no_write_meter = 0;
nd_flows = MAXNRFLOWS; /* Display top 10 flows by default */
def_GCIntervalReqd = /* Use meter defaults for MIB variables */
def_InactivityTime = def_HighWaterMark = def_FloodMark = 0;
plain_format = 0;
show_names = 0;

for (a = 1; a < argc; ++a) {
if (argv[a][0] == '-') {
ap = argv[a]+2;
switch (argv[a][1]) {
case 'a':
if (*ap == '\0') ap = argv[++a];
def_lag = atoi(ap);
break;
case 'c':
if (*ap == '\0') ap = argv[++a];
j = atoi(ap);
if (j == 0) download_only = 1;
else def_sample_interval = j;
break;
case 'd':
snmp_dump_packet++;
break;
case 'g':
if (*ap == '\0') ap = argv[++a];
def_GCIntervalReqd = atoi(ap);
break;
case 'h':
if (*ap == '\0') ap = argv[++a];
def_HighWaterMark = atoi(ap);
break;
case 'i':
if (*ap == '\0') ap = argv[++a];
def_InactivityTime = atoi(ap);
break;
case 'l':
listrules++;
break;
case 'n':
if (*ap == '\0') ap = argv[++a];
nd_flows = atoi(ap); /* Nbr of flows to display */
break;
case 'o':
if (*ap == '\0') ap = argv[++a];
def_FloodMark = atoi(ap);
break;
case 'p':
plain_format++;
break;
case 'r':
if (*ap == '\0') ap = argv[++a];
strcpy(rfname, ap); /* Rule file name */
break;
case 's':
syntax++;
break;
case 't':
testing++;
break;
case 'u':
def_sync = 0; /* Unsynchronised */
break;
case 'v':
verbose++;
break;
case 'w':
if (*ap == '\0') ap = argv[++a];
def_download = atoi(ap);
break;
case 'x':
def_no_write_meter++;
break;
case 'N':
show_names = 1;
break;
case 'S':
standard++;
break;
default:
fprintf(stderr,"Invalid option: -%c\n", argv[a][1]);
break;
}
continue;
}
if (meter[0] == '\0') strcpy(meter,argv[a]);
else if (community[0] == '\0') strcpy(community,argv[a]);
}

if (syntax) { /* Test a rule file */
ms = (struct meter_status *)calloc(sizeof(struct meter_status), 1);
strcpy(ms->rulefile,rfname);
if (ms->emergency_rulefile[0] != '\0')
parse_rulefile(ms,listrules,1,1,0);
parse_rulefile(ms,1,1,0,0);
fprintf(stderr,"\n%d errors in rule file(s) %s\n\n", rferrors,rfname);
exit(0);
}

if (nd_flows < 1) nd_flows = 1;

init_mib(); /* Initialise SNMP handler */

first_meter = (struct meter_status *)calloc
(sizeof(struct meter_status), 1);
strcpy(first_meter->rulefile,rfname);
strcpy(first_meter->name,meter);
strcpy((char *)first_meter->community,
community[0] != '\0' ? community : "public");
first_meter->synchronised = def_sync;
first_meter->sample_interval = def_sample_interval;
first_meter->lag_seconds = def_lag;
first_meter->download_level = def_download;
first_meter->no_write_meter =
rfname[0] == '\0' ? 1 : def_no_write_meter;
first_meter->write_OK = 1;
first_meter->GCIntervalReqd = def_GCIntervalReqd;
first_meter->InactivityTime = def_InactivityTime;
first_meter->lag_seconds = def_lag;
first_meter->HighWaterMark = def_HighWaterMark;
first_meter->FloodMark = def_FloodMark;

time(&t1);
for (nmeters = 0, ms = first_meter; ms; ms = ms->next)
create_meter(ms, t1);
if (nmeters == 0) {
fprintf(stderr,"No meters to monitor !!!\n");
exit(0);
}

/* Allocate two extra flows since they start from 2 not 0 */
if ((flow_table = (struct flow_data *)calloc(
max_flows+2, sizeof(struct flow_data))) == NULL) {
fprintf(stderr, "Failed to allocate memory for flow table!\n");
exit(11);
}
if ((dflowi = (struct flow_info *)calloc(
nd_flows, sizeof(struct flow_info))) == NULL) {
fprintf(stderr, "Failed to allocate memory for display info!\n");
exit(11);
}
if ((dflows = (struct display_data *)calloc(
nd_flows, sizeof(struct display_data))) == NULL) {
fprintf(stderr, "Failed to allocate memory for display data!\n");
exit(11);
}

for (;;) {
for (;;) {
time(&t1);
if (calendar->next_event > t1) break; /* Wait a while */
cp = calendar; calendar = cp->next; /* Take entry from queue */
ms = cp->ms;
if (ms->status & MT_MANAGE) monitor(ms);
add_event(cp,ms);
}
if (testing) fflush(stdout);
time(&t1);
if (calendar->next_event > t1) sleep(calendar->next_event-t1);
}
}

unsigned short getshort(ucp)
unsigned char *ucp;
{
return ucp[0]<<8 | ucp[1];
}

unsigned long getlong(ucp)
unsigned char *ucp;
{
return ucp[0]<<24 | ucp[1]<<16 | ucp[2]<<8 | ucp[3];
}

unsigned short get_slice(struct meter_status *ms,
unsigned short first_row, unsigned char col,
unsigned char first)
{
int fn, row, len, n, r, sz;
struct flow_info *fp;
unsigned char *ucp;
fn = first_row; row = 0;
if (column_info(ms,column_blob, col,ms->OurLastCollectTime,&fn,&len)
&& len != 0) {
for (ucp = column_blob; row < MX_BLOB_FLOWS; ) {
fp = &flows[row];
n = getshort(ucp); ucp += 2; /* Flow nbr */
if (n < 2) break; /* No more active flows in blob */
sz = attribs[col].len;
switch (col) {
case FTFLOWINDEX: /* Used to synchronise column blobs */
break;
case FTFLOWSTATUS:
fp->FlowStatus = *ucp;
break;
case FTLOWINTERFACE:
fp->LowInterface = *ucp;
break;
case FTLOWADJACENTTYPE:
fp->LowAdjType = *ucp;
break;
case FTLOWADJACENTADDRESS:
memcpy(fp->LowAdjAddress,ucp,MAC_ADDR_LEN);
break;
case FTLOWADJACENTMASK:
memcpy(fp->LowAdjMask,ucp,MAC_ADDR_LEN);
break;
case FTLOWPEERTYPE:
fp->LowPeerType = *ucp;
break;
case FTLOWPEERADDRESS:
memset((char *)fp->LowPeerAddress,0,PEER_ADDR_LEN);
sz = *ucp++;
memcpy(fp->LowPeerAddress,ucp,sz);
break;
case FTLOWPEERMASK:
memset((char *)fp->LowPeerMask,0,PEER_ADDR_LEN);
sz = *ucp++;
memcpy(fp->LowPeerMask,ucp,sz);
break;
case FTLOWDETAILTYPE:
fp->LowDetailType = *ucp;
break;
case FTLOWDETAILADDRESS:
memcpy(fp->LowDetailAddress,ucp,DETAIL_ADDR_LEN);
break;
case FTLOWDETAILMASK:
memcpy(fp->LowDetailMask,ucp,DETAIL_ADDR_LEN);
break;
case FTHIINTERFACE:
fp->HighInterface = *ucp;
break;
case FTHIADJACENTTYPE:
fp->HighAdjType = *ucp;
break;
case FTHIADJACENTADDRESS:
memcpy(fp->HighAdjAddress,ucp,MAC_ADDR_LEN);
break;
case FTHIADJACENTMASK:
memcpy(fp->HighAdjMask,ucp,MAC_ADDR_LEN);
break;
case FTHIPEERTYPE:
fp->HighPeerType = *ucp;
break;
case FTHIPEERADDRESS:
memset((char *)fp->HighPeerAddress,0,PEER_ADDR_LEN);
sz = *ucp++;
memcpy(fp->HighPeerAddress,ucp,sz);
break;
case FTHIPEERMASK:
memset((char *)fp->HighPeerMask,0,PEER_ADDR_LEN);
sz = *ucp++;
memcpy(fp->HighPeerMask,ucp,sz);
break;
case FTHIDETAILTYPE:
fp->HighDetailType = *ucp;
break;
case FTHIDETAILADDRESS:
memcpy(fp->HighDetailAddress,ucp,DETAIL_ADDR_LEN);
break;
case FTHIDETAILMASK:
memcpy(fp->HighDetailMask,ucp,DETAIL_ADDR_LEN);
break;
case FTRULESET:
fp->FlowRuleSet = *ucp;
break;
case FTUPOCTETS:
fp->FwdBytes = getlong(ucp);
break;
case FTUPPDUS:
fp->FwdPackets = getlong(ucp);
break;
case FTDOWNOCTETS:
fp->BackBytes = getlong(ucp);
break;
case FTDOWNPDUS:
fp->BackPackets = getlong(ucp);
break;
case FTFIRSTTIME:
fp->FirstTime = getlong(ucp);
break;
case FTLASTTIME:
fp->LastTime = getlong(ucp);
break;
case FTSOURCECLASS:
fp->SourceClass = *ucp;
break;
case FTDESTCLASS:
fp->DestClass = *ucp;
break;
case FTFLOWCLASS:
fp->FlowClass = *ucp;
break;
case FTSOURCEKIND:
fp->SourceKind = *ucp;
break;
case FTDESTKIND:
fp->DestKind = *ucp;
break;
case FTFLOWKIND:
fp->FlowKind = *ucp;
break;
}
ucp += sz;
if (first) {
fp->FlowIndex = n; ++row;
}
else {
if (n == fp->FlowIndex) ++row;
}
}
}

if (len == 0) return 0; /* No flows found */
if (first) flows[row].FlowIndex = n; /* Return end-of-blob marker */
return row; /* Nbr of rows may decrease with later columns */
}

void monitor(ms) /* Called every interval for each meter */
struct meter_status *ms;
{
time_t t, nst,si; char *ts;
unsigned short activeflows, first_row, nrows, r;
unsigned char reachable, a, col, first, keepalive, s_statsreqd;
unsigned long last_uptime, tb, tp;
unsigned int i,j;
char fdfbuf[250], *fbp;
struct flow_info *fp;
unsigned int fi, t_count,x;
struct display_data *ddp, *mdp;
char buf[50], *bp;

time(&t); ts = fmt_time(&t);
if (!ms->write_OK) no_write_warning(ms);
last_uptime = ms->uptime;
s_statsreqd = ms->statsreqd; /* Save stats request through keepalive */

reachable = 1;
if (meter_info(ms) == 0) { /* Lost contact */
if (ms->status & MT_UP) { /* Was up */
fprintf(stdout,"%s -- %s: No response\n", ts,ms->name);
}
ms->status &= ~MT_UP; /* Mark as 'down' */
reachable = 0;
}
else if (!(ms->status & MT_UP)) { /* Have contact now, was down */
fprintf(stdout,"%s -- %s: Regained contact\n", ts,ms->name);
ms->write_OK = 1; ms->no_write_warned = 0;
}
ms->status |= MT_UP;
ms->statsreqd = s_statsreqd; /* Restore stats request from rule file */

/* Meter processing .. */

if (reachable) {
set_collect_time(ms,1); /* Tell meter we're starting a collection */

memset(&total_rate, 0, sizeof(struct flow_data));
memset(dflows, 0, nd_flows*sizeof(struct display_data));
activeflows = 0; first_row = 1;
do {
for (first = 1, a = 0; (col = col_order[a]) != '\0'; ++a) {
if (ms->required[col] == 0) continue;
r = get_slice(ms, first_row,col, first);
if (first) {
nrows = r; first = 0;
}
else if (r < nrows) nrows = r;
if (nrows == 0) break;
}
if (nrows == 0) break;
if (testing) fprintf(stdout,
"#monitor(): frst_row=%u, nrows=%u, nxt_row=%d, end_mark=%u\n",
first_row, nrows,
nrows != 0 ? flows[nrows-1].FlowIndex : -1,
flows[nrows].FlowIndex);
activeflows += nrows;
first_row = flows[nrows-1].FlowIndex; /* Last data row */

for (r = 0; r != nrows; ++r) {
fp = &flows[r]; fi = fp->FlowIndex;
if (flow_table[fi].ruleset == 0 ||
flow_table[fi].ruleset != fp->FlowRuleSet ||
flow_table[fi].starttime != fp->FirstTime) {
/* It's a new flow */
memset(&flow_table[fi], 0, sizeof(struct flow_data));
flow_table[fi].ruleset = fp->FlowRuleSet;
flow_table[fi].starttime = fp->FirstTime;
}
memset(&curr_rate, 0, sizeof(struct flow_data));
if (fp->FwdPackets) {
curr_rate.uppci = fp->FwdPackets - flow_table[fi].uppci;
total_rate.uppci += curr_rate.uppci;
flow_table[fi].uppci = fp->FwdPackets;
}
if (fp->BackPackets) {
curr_rate.dnpci = fp->BackPackets - flow_table[fi].dnpci;
total_rate.dnpci += curr_rate.dnpci;
flow_table[fi].dnpci = fp->BackPackets;
}
if (fp->FwdBytes) {
curr_rate.upbci = fp->FwdBytes - flow_table[fi].upbci;
total_rate.upbci += curr_rate.upbci;
flow_table[fi].upbci = fp->FwdBytes;
}
if (fp->BackBytes) {
curr_rate.dnbci = fp->BackBytes - flow_table[fi].dnbci;
total_rate.dnbci += curr_rate.dnbci;
flow_table[fi].dnbci = fp->BackBytes;
}
mdp = &dflows[0]; x = mdp->traffic; j = 0;
for (i = 1; i != nd_flows; ++i) { /* Find min display flow */
ddp = &dflows[i];
if (ddp->traffic < x) {
mdp = ddp; x = ddp->traffic; j = i;
}
}
tb = curr_rate.upbci+curr_rate.dnbci;
if (tb > x) {
mdp->traffic = tb;
mdp->fi = &dflowi[j];
memcpy(mdp->fi, fp, sizeof(struct flow_info));
mdp->fi->FwdPackets = curr_rate.uppci;
mdp->fi->BackPackets = curr_rate.dnpci;
mdp->fi->FwdBytes = curr_rate.upbci;
mdp->fi->BackBytes = curr_rate.dnbci;
}
}
} while (flows[nrows].FlowIndex != 0);

if (verbose) printf(
"%s %s: %d active flows from %lu to %lu\n",
ts,ms->name, activeflows, ms->OurLastCollectTime,ms->uptime);

qsort(dflows, nd_flows,sizeof(struct display_data), sort_cmp);

tb = total_rate.upbci+total_rate.dnbci;
tp = total_rate.uppci+total_rate.dnpci;
fprintf(stdout,"#--- %s %s Mxflow=%d %u flows ",
ms->name,ms->interface, MAXNRFLOWS, activeflows,ts);
bp = sdisplay_number(buf,tp/ms->sample_interval);
bp = strmov(bp,"pps ");
bp = sdisplay_number(bp,tb/ms->sample_interval);
*bp = '\0'; fprintf(stdout,buf);
fprintf(stdout,"Bps %s ---\n", ts);
for (i = 0; i != nd_flows; ++i) {
ddp = &dflows[i];
if (ddp->traffic == 0) break;
fp = ddp->fi;
fbp = fdfbuf; /* Build flow data file line */
if (!plain_format) {
fprintf(stdout,"%3lu%% ",
(fp->FwdBytes+fp->BackBytes)*100/tb);
}
for (col = ms->format[a = 0]; ; ) {
if (col != '\0') {
if (plain_format) fbp = sfmt_attrib(fbp, fp,col);
else fbp = sdisplay_attrib(fbp, fp,col,ms);
}
if ((col = ms->format[a+1]) == '\0') break;
fbp = strmov(fbp,ms->separator[a++]);
}
*fbp = '\0'; fprintf(stdout,fdfbuf);
fprintf(stdout,"\n");
fflush(stdout);
}
}

ms->OurLastCollectTime = ms->uptime - 1L;
/* -1 to make sure we don't miss any flows. We may
collect some of them twice, but we don't mind that */

if (testing) printf("Sample: t=%u",ms->next_event);
if (ms->synchronised) {
nst = ms->next_sample + (si = ms->sample_interval);
ms->next_sample = (nst / si) * si + ms->lag_seconds;
}
else ms->next_sample += ms->sample_interval;
ms->next_event = ms->next_sample;
if (testing) printf(", sync=%d, next_sample=%u, next_keepalive=%u\n",
ms->synchronised, ms->next_sample, ms->next_keepalive);
}

--=====================_858253114==_
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: attachment; filename="NM_DISPL"

Modifications in nm_displ.c:

in function: char *sdisplay_transtype()

case AT_IP: switch(transtype) {
case 1: return strmov(d,"icmp");
case 2: return strmov(d,"igmp");
case 4: return strmov(d,"igmp");
case 6: return strmov(d,"tcp ");
case 17: return strmov(d,"udp ");
case 27: return strmov(d,"rdp ");
case 28: return strmov(d,"irtp");
case 46: return strmov(d,"rsvp");
case 89: return strmov(d,"ospf");
default: sprintf(buf,"%u",transtype);
}
break;

in function: char *sdisplay_transaddr()

{
unsigned int p = a[0] << 8 | a[1];
char buf[20];
switch (peertype) {
case AT_IP: switch(p) {
case 20: return strmov(d,"ftpdata");
case 21: return strmov(d,"ftp");
case 22: return strmov(d,"ssh");
case 23: return strmov(d,"telnet");
case 25: return strmov(d,"smtp");
case 53: return strmov(d,"dns");
case 70: return strmov(d,"gopher");
case 79: return strmov(d,"finger");
case 80: return strmov(d,"www");
case 110: return strmov(d,"pop");
case 113: return strmov(d,"imap");
case 119: return strmov(d,"nntp");
case 123: return strmov(d,"ntp");
case 138: return strmov(d,"nbio"); /* netBIOS */
case 161: return strmov(d,"snmp");
case 513: return strmov(d,"login");
case 1515: return strmov(d,"printer");
case 2049: return strmov(d,"nfs");
case 6000: return strmov(d,"xwin");
case 8080: return strmov(d,"proxy");
default: sprintf(buf,"%u",p);
}
break;

--=====================_858253114==_
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: attachment; filename="NEMAC.SHT"

<html>
<META HTTP-EQUIV=REFRESH CONTENT="60; URL=nemac.netra2.shtml"><title>NeMaC</title>
<body bgcolor="ffffff">
<center>
<h4>NeTraMet Accounting</h4>
Accounting is running on: 192.41.140.x
</center><hr><br>
<center><TABLE width=95% border=1 bgcolor="e0ffe0">

</TABLE></center>
<br><br>Get <a href="info.html">more info</a>...<br>
<hr>
<font size=2>
<i>NeMaC Web, Dec 1996, NC3A, CSD, <a href="mailto:[email protected]">Marc van Selm</a></i></body>
</html>
--=====================_858253114==_
Content-Type: text/plain; charset="us-ascii"

---------------------------------------------------------------------
Marc van Selm
NATO C3 Agency
Communication Systems Division, A-Branch
E-Mail: [email protected]
---------------------------------------------------------------------
PGP key: http://www.cistron.nl/~selm/keymarc.asc
My Direct-Mail policy: http://www.cistron.nl/~selm/directpolicy.html

--=====================_858253114==_--

From netramet-owner Fri Mar 14 21:12:32 1997
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) id UAA13886 for netramet-outgoing; Fri, 14 Mar 1997 20:56:18 +1300 (NZDT)
Received: from nc3a.nato.int (issun3.nc3a.nato.int [192.41.140.225]) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) with SMTP id UAA13821 for <[email protected]>; Fri, 14 Mar 1997 20:55:55 +1300 (NZDT)
Received: from compc12.nc3a.nato.int by nc3a.nato.int with SMTP id AA28879
(5.67b/IDA-1.5 for <[email protected]>); Fri, 14 Mar 1997 08:54:17 +0100
Message-Id: <[email protected]>
X-Sender: [email protected]
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 14 Mar 1997 08:57:24 +0000
To: Alexandre Timm Vieira <[email protected]>
From: Marc van Selm <[email protected]>
Subject: Re: Converting Flow Files
Cc: [email protected]
Sender: [email protected]
Precedence: bulk

At 06:44 PM 3/13/97 -0300, Alexandre Timm Vieira wrote:
>
> Hello Marc,
..
> You help me very much on modifications in NM_RC.C and NM_DISPLAY.C, but
>i cant run nm2web , something is wrong, appear "Format: nm2web lannam"...
>What is wrong ?
>
> I use something like this:
>
> nm_rc -c120 -h20 -g11 -r rules.ipport myserver mycommunity | nm2web

Sorry I was a bit quick in writing the documentation. The format should be:

nm_rc -c 120 -r rules.file metername community | nm2web XXX.XXX.XXX.x metername
Here is XXX.XXX.XXX.x your IP (like 192.168.10.x for example) metername is
the name of the Netramet meter.

These parameters for nm2web are created because I monitor more than one LAN
using more than one probe. The IP-number parameter is only to display in the
web-page so people know what is monitored. The metername is also used in the
filenames so you can make some kind of an index and to distinguish between
the flow-files of multiple probes.

Because I don't want to type such long commands I've made some shell-scripts
to start the manager and the meter. You should be able to set up your own.
You could also tailor your the c-code to suit your specific needs. It
reduces the flexibility though.

Also please edit the nm2web.c file so the mailto:[email protected] is
removed. Its there to show what you could do but I don't think you want
users to ask questions to me on your accounting data. (I certainly don't)

>
> Only this...
>
> I change line 76 of nm2web.c from exi|(;); to exit(3);
> ^^^^^^^^

I would do the same. I don't know what happened. I looked at the original
source and it wasn't there. I think gremlins.... mmm.....

Regards Marc van Selm
---------------------------------------------------------------------
Marc van Selm
NATO C3 Agency
Communication Systems Division, A-Branch
E-Mail: [email protected]
---------------------------------------------------------------------
PGP key: http://www.cistron.nl/~selm/keymarc.asc
My Direct-Mail policy: http://www.cistron.nl/~selm/directpolicy.html

From netramet-owner Thu Mar 20 20:00:10 1997
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) id TAA17696 for netramet-outgoing; Thu, 20 Mar 1997 19:40:03 +1200 (NZST)
Received: from nc3a.nato.int (issun3.nc3a.nato.int [192.41.140.225]) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) with SMTP id TAA17627 for <[email protected]>; Thu, 20 Mar 1997 19:39:48 +1200 (NZST)
Received: from compc12.nc3a.nato.int by nc3a.nato.int with SMTP id AA11215
(5.67b/IDA-1.5 for <[email protected]>); Thu, 20 Mar 1997 08:38:06 +0100
Message-Id: <[email protected]>
X-Sender: [email protected]
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 20 Mar 1997 08:41:47 +0000
To: [email protected]
From: Marc van Selm <[email protected]>
Subject: Netramet, Linux and more than 1 LAN-segments
Sender: [email protected]
Precedence: bulk

As you all know NeTraMet is capable to monitor up to 4 LAN-segments. It
turns out the Linux binary had a bit of a problem with that. When more than
1 interface was specified (like -ieth0 -ieth1) it only monitored the first
one in the list (independent of what sequence of interfaces specified)

Recompiling the NeTraMet and the libpcap source myself fixed it for me. I
asume the libpcap used in the binary wasn't to compatible with my system or
just doesn't like more than 1 interface.

I use a i486, Linux 2.0.20, 20Mb mem, 2x Etherlink III, 100Mb disk and this
works perfect (at it has CPU-cycles left to do other work also) I also have
a i386, Linux 2.0.20, 8Mb mem etc This can also cope with our internet
traffic but is a bit bussy. Responce to telnets for example is a bit poor.

Just for your info....

Marc van Selm
---------------------------------------------------------------------
Marc van Selm
NATO C3 Agency
Communication Systems Division, A-Branch
E-Mail: [email protected]
---------------------------------------------------------------------
PGP key: http://www.cistron.nl/~selm/keymarc.asc
My Direct-Mail policy: http://www.cistron.nl/~selm/directpolicy.html

From netramet-owner Fri Mar 21 21:04:28 1997
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) id UAA09318 for netramet-outgoing; Fri, 21 Mar 1997 20:43:39 +1200 (NZST)
Received: from nc3a.nato.int ([192.41.140.225]) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) with SMTP id UAA09304 for <[email protected]>; Fri, 21 Mar 1997 20:43:19 +1200 (NZST)
Received: from compc12.nc3a.nato.int by nc3a.nato.int with SMTP id AA28341
(5.67b/IDA-1.5 for <[email protected]>); Fri, 21 Mar 1997 09:40:30 +0100
Message-Id: <[email protected]>
X-Sender: [email protected]
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 21 Mar 1997 09:44:24 +0000
To: Timothy You <[email protected]>
From: Marc van Selm <[email protected]>
Subject: Re: Netramet, Linux and more than 1 LAN-segments
Cc: [email protected]
Sender: [email protected]
Precedence: bulk

At 09:21 AM 3/21/97 +0800, Timothy You wrote:
>Hello,
> Sorry to distribute you but I have try to use NeTraMet on two
>segment and no successfull as well. Would you published how you fixed the
>problem?
>
OK, This is how I've got it to work:

At first I also couldn't get it to work. I assumed my i386 with 2 Etherlink
II cards couldn't cope with the load. I had been using the Linux binary
until last week so, just out of academic curiosity, I decided to compile the
kit from the source for Linux.

You also need libpcap installed first (ftp://ftp.ee.lbl.gov/libpcap.tar.Z)
This fixed things for me. Monitoring 2 ports works for now on my kit. I
haven't tried with more than 2 but according to Nevil it should support 4 ports.

The libpcap installation can be a bit tricky. What I had to do is manually
copy the linux-includes to /usr/include/ (I had 1 file missing in my Linux
distribution. I'm not sure this is standard problem. I'm not really using
one of the official distributions. It's a modified Openworld distribution
upgraded to support the current standards. I don't think it is available
anymore. The kernel is a standard ELF V2.0.20, gcc2.7.2) But for me libpcap
installed fine. It complained that I had to run a fixincludes script from
gcc. I didn't want to do this so I ignored it. It turns out that this wasn't
needed after all. Read the INSTALL file for more info.

When this is done you have to re-compile NeTraMet from the source (Nemac is
not important here but you can do it if you want) Compilation is simple
(assuming you know about installing these kind of source-code based
applications) First the snmplib (go to linux/snmplib and run make). When do
the same for linux/meter. I had to modify the meter-Makefile a bit. Libpcap
installs per default on /usr/local/lib and the makefile assumes it is
installed in the source-path. You can modify the makefile so it links
/usr/local/lib/libpcap.a or just copy libpcap to the linux/meter directory.

This worked for me. Now you can run NeTraMet -ieth0 -ieth1 -wyourcommunity

>I am try the following configuration but have not successful config the
>Linux yet:
>Linux with 2x 3Com 10/100 Ethernet card.
>eth0 - for transfer information gathered by NeTraMet
>eth1 - collect statistic (from the Monitoring port on Cisco switch)
>eth2 - collect statistic (from the Monitoring port on Cisco switch)

Makes sense to do it like this. I assume the eth0 is not on one of the
Cisco-ports but on a separate LAN-segment. A separate monitor segment will
create some kind of out-of-band management. The flow data can be extensive....

I'm not sure if you already got the 3 ethernet cards to work. I can only
help you with 2. I don't have any experience with more than one but I
understand this isn't a major problem. There is an ethernet how-to
explaining this.
You have to do something like this in the lilo.conf:
append ether=0,0x300,eth0 ether=0,0x280,eth1

>Do you think a 586-133 with 32MB RAM able to monitoring two FDDI interface
>simultanously?

The manual states: 40Mhz i486: 3000 packets per sec peak. A 60Mhz i586 + PCI
nic's will do a steady 6000 packets/second. I'm not sure what a 133 will do
but just assuming 2x the speed and an average packet size of about 1000
kbyte we are talking about a steady load of about 100Mbps. It depends a lot
of the average load (and if there are long bursts of almost maximum load)
Also the performance of the FDDI nic is important here.

I would give it a go and compare (if possible under controlled conditions)
monitoring with 2 ports and with 1. You have to do it at a quiet time and
run a file transfer on both segments monitored. My guess is that it should
work fine and only under extreme conditions you will lose some packets.

One thing you have to prevent is swapping. This reduces the performance a
lot. My experience is that 8 meg works but is on the limit (depending on the
amount of flows and other services enabled on the NeTraMet machine) 16 meg
is better. Swap partition are touched in all in my probes anymore.

Hope this helps,

Good luck!

Marc
>
>Best Regards
>Tim
>
>_________________________________________________________________________
>Tim K.H.You Internet : [email protected],
>Computer Services Centre
>Lingnan College, Tuen Mun, Tel no. : (852) 26168418
>NT, HONG KONG. Fax no. : (852) 25758763
>__________________________________________________________________________
>
>
>
>
>
---------------------------------------------------------------------
Marc van Selm
NATO C3 Agency
Communication Systems Division, A-Branch
E-Mail: [email protected]
---------------------------------------------------------------------
PGP key: http://www.cistron.nl/~selm/keymarc.asc
My Direct-Mail policy: http://www.cistron.nl/~selm/directpolicy.html

From netramet-owner Thu Mar 27 22:24:46 1997
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) id WAA09254 for netramet-outgoing; Thu, 27 Mar 1997 22:01:16 +1200 (NZST)
Received: from n.brownlee4.itss.auckland.ac.nz (nevil.slip.auckland.ac.nz [130.216.8.3]) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) with SMTP id WAA09246; Thu, 27 Mar 1997 22:01:10 +1200 (NZST)
From: Nevil Brownlee <[email protected]>
Reply-To: Nevil Brownlee <[email protected]>
To: [email protected], [email protected]
Subject: Security Considerations for RTFM Meters
Message-ID: <[email protected]>
Date: Fri, 28 Mar 1997 09:59:34 +1200 (New Zealand Standard Time)
Priority: NORMAL
X-Mailer: Simeon for Win32 Version 4.1 Build (3)
X-Authentication: none
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: [email protected]
Precedence: bulk

Hello all:

At the RTFM session in Memphis we intend to discuss security
considerations for inclusion in any new RTFM RFCs. I've made
a start on that in the new meter draft, basically saying that
meters should be installed in a secure network environment - but
to some extent that's dodging the issue.

Here at Auckland we've encountered two further interesting situations.

1) Choosing SNMP communities.

Most NeTraMet users use the write community to limit access to
the meter. In addition, the NeTraMet manual suggests setting
the read community to something other than 'public.'

We've identified a need for a third community; let's call it
inspect. This could be used to allow a reader (such as nifty)
to read data from the flow table and to set LastTime variables
so as to tell the meter that a data collection is starting.
It would not give write access to any other variables.

Any comments on this idea?

2) Port Scan Attacks

In a port scan attack a remote user sends packets to all
possible IP addresses within a network. If an RTFM meter is
observing these packets and creating flows with full details
of soure/dest PeerAddresses, the meter will create new flows
for each of the port scan packets. This usually means it
will run out of flow memory and switch to Flood Mode.

The best way to guard against this is to put the meter behind
a firewall, so as to reduce the number of scan packets reaching
the meter. If this is not possible - perhaps because the meter
is being used to detect such attacks - then how should the
meter behave in the face of them?

Have any NeTraMet users encountered other security / attack
situations? Any suggestions on how to deal with them?

Comments to the list before the meeting (next Wednesday week)
would be very welcome.

Cheers, Nevil

+---------------------------------------------------------------------+
| Nevil Brownlee Director, Technology Development |
| Phone: +64 9 373 7599 x8941 ITSS, The University of Auckland |
| FAX: +64 9 373 7425 Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------P

From netramet-owner Fri Mar 28 01:49:06 1997
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) id BAA07595 for netramet-outgoing; Fri, 28 Mar 1997 01:45:36 +1200 (NZST)
Received: from rap.cefriel.it (rap.cefriel.it [131.175.5.7]) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) with ESMTP id BAA07588 for <[email protected]>; Fri, 28 Mar 1997 01:45:23 +1200 (NZST)
Received: from suzuki (suzuki [131.175.5.78])
by rap.cefriel.it (8.8.5/8.8.5) with SMTP id OAA29505
for <[email protected]>; Thu, 27 Mar 1997 14:42:33 +0100 (MET)
Message-ID: <[email protected]>
Date: Thu, 27 Mar 1997 14:44:25 +0100
From: Matteo Snidero <[email protected]>
X-Mailer: Mozilla 3.01Gold (X11; I; HP-UX B.10.20 9000/777)
MIME-Version: 1.0
To: [email protected]
Subject: NeTraMet dor HP-UX 10.20
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Precedence: bulk

Thanks to some patches I got from the libpcap team, I got a working
version of libpcap for HP-UX 10.20.

I hence could port NeTraMet for this OS.

I could not get rid of these 2 warnings though:

WARNING: DL_PROMISC_MULTI failed (recv_ack: promisc_multi: Invalid
argument)
WARNING: DL_PROMISC_SAP failed (recv_ack: promisc_sap: Invalid argument)

They are both due to libpcap.

Has anyone more successfully tackled this problem?

Despite these warnings NeTraMet seems to work fine.
Anyone interested can have these prototipal executables.

Cheers
Matteo