From netramet-owner  Mon May  5 05:59:50 1997
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) id FAA16139 for netramet-outgoing; Mon, 5 May 1997 05:35:55 +1200 (NZST)
Received: from la.ducksfeet.com (la.ducksfeet.com [206.55.129.222]) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) with ESMTP id FAA16133 for <[email protected]>; Mon, 5 May 1997 05:35:43 +1200 (NZST)
Received: from zippy.ducksfeet.com (zippy.ducksfeet.com [206.151.149.10]) by la.ducksfeet.com (8.8.4/8.7.1) with SMTP id KAA31049 for <[email protected]>; Sun, 4 May 1997 10:35:15 -0700
Received: by zippy.ducksfeet.com with Microsoft Mail
       id <[email protected]>; Sun, 4 May 1997 10:31:58 -0700
Message-ID: <[email protected]>
From: Steve Resnick <[email protected]>
To: "'NeTraMet'" <[email protected]>
Subject: Tracking traffic for multiple IP's on a single interface.
Date: Sun, 4 May 1997 10:31:40 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: [email protected]
Precedence: bulk


Before I go and re-invent the wheel, I have a server running Solaris
2.51 with a class C block of addresses to be assigned to a single
ethernet interface on my server.

This is for a virtual web server.

I need to track the usual traffic on a per-IP basis.

Has anyone done this, and if so, what is involved (scripts/rules/etc) ?


Cheers,

Steve

---
Steve Resnick -- Web Consultant -- [email protected]
0x2b |~ ox2b ... What was the question?


From netramet-owner  Tue May  6 04:03:01 1997
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) id DAA17492 for netramet-outgoing; Tue, 6 May 1997 03:52:54 +1200 (NZST)
Received: from jeff.med.iacnet.com (jeff.med.iacnet.com [140.244.8.125]) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) with ESMTP id DAA17478 for <[email protected]>; Tue, 6 May 1997 03:52:34 +1200 (NZST)
Received: from jeff.med.iacnet.com (localhost [127.0.0.1])
       by jeff.med.iacnet.com (8.8.5/8.8.5) with ESMTP id LAA29300;
       Mon, 5 May 1997 11:51:16 -0400
Message-ID: <[email protected]>
Date: Mon, 05 May 1997 11:51:14 -0400
From: Jeff Macdonald <[email protected]>
Organization: Information Access Center
X-Mailer: Mozilla 4.0b3C (X11; I; Linux 2.0.30 i586)
MIME-Version: 1.0
To: Han Ki Woong <[email protected]>
CC: netramet list <[email protected]>
Subject: NeTraMet, Linux, FDDI - how to make it work.
X-Priority: 3 (Normal)
References: <[email protected]>
Content-Type: multipart/mixed; boundary="------------E5954DF1FA2D057627D44A82"
Sender: [email protected]
Precedence: bulk

This is a multi-part message in MIME format.
--------------E5954DF1FA2D057627D44A82
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

For those who are trying to get this to work, here is what I had to do
for a RedHat Linux 4.1 with a 2.0.30 kernel:

First, to fix ifconfig's output, Larry Stefani (the author of the FDDI
driver) sent me this diff to apply against net-tools. So grab a source
copy of net-tools, and apply the attached diff with patch.

Next, you need libpcap-0.3.1a3, with a slight modification to
pcap-linux.c

line 212:
        case ARPHRD_FDDI:
              p->linktype = DLT_FDDI;
              ++broadcast;             /* add this line */
              break;

This allows libpcap to set the card in promiscuous mode. I've notified
the maintainers of libpcap that the library was not setting promiscuous
mode for FDDI correctly, and they say that the next release will have
the change.

Finally, it seems that libpcap returns FDDI mac addresses with the wrong
endian order, so if you are going to write any rules that depend on mac
address, reverse its endianness. For example, if you are filtering on
mac address 00-00-0C-07-AC-02, change it to 00-00-30-E0-35-40 [02 = 0000
0010 -> 0100 0000 = 40]. We used tcpdump (recompiled with the new
libpcap) to see this behavior. We discovered this yesterday AM as we put
our box in production, however, I haven't had time to see if this is
normal.

-- 
Jeff Macdonald
Systems Development
Information Access Center
Medford, MA 02155
--------------E5954DF1FA2D057627D44A82
Content-Type: text/plain; charset=us-ascii; name="net-tools.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="net-tools.diff"

diff -N -u -r /lanhub/net-tools-1.32-alpha/config.in net-tools-1.32-alpha/config.in
--- /lanhub/net-tools-1.32-alpha/config.in      Wed Apr 24 15:45:52 1996
+++ net-tools-1.32-alpha/config.in      Tue Aug 13 10:12:13 1996
@@ -85,6 +85,7 @@
*
* (Hardware types supported by 1.3.x Kernels)
*
+bool 'FDDI (generic) support' HAVE_HWFDDI y
bool 'Token ring (generic) support' HAVE_HWTR n
bool 'AX25 (Packet Radio) support' HAVE_HWAX25 n
bool 'NET/ROM (Packet Radio) support' HAVE_HWNETROM n
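Review bot: The new HAVE_HWFDDI entry defaults to y, while the Token ring, AX25 and NET/ROM entries next to it default to n. lib/fddi.c includes <linux/if_fddi.h> whenever HAVE_HWFDDI is set, so a default-yes configuration only builds against kernel headers that ship that file. Suggest defaulting to n like its neighbours, or noting the header requirement in the prompt text.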
diff -N -u -r /lanhub/net-tools-1.32-alpha/lib/Makefile net-tools-1.32-alpha/lib/Makefile
--- /lanhub/net-tools-1.32-alpha/lib/Makefile   Mon May 27 02:17:09 1996
+++ net-tools-1.32-alpha/lib/Makefile   Tue Aug 13 10:03:51 1996
@@ -19,6 +19,7 @@
#960221 {1.25} Bernd Eckenfels:        getroute/setroute.o
#960322 {1.26} Bernd Eckenfels:        ACTOBJS support
#960413 {1.27} Bernd Eckenfels:        Mike McLagan FRAD Support (frame.c)
+#960813 {1.28}  Lawrence V. Stefani:   Added FDDI support
#
#              This program is free software; you can redistribute it
#              and/or  modify it under  the terms of  the GNU General
@@ -28,7 +29,7 @@
#


-HWOBJS  = hw.o loopback.o slip.o ether.o ax25.o ppp.o arcnet.o tr.o tunnel.o frame.o
+HWOBJS  = hw.o loopback.o slip.o ether.o fddi.o ax25.o ppp.o arcnet.o tr.o tunnel.o frame.o
AFOBJS  = unix.o inet.o ax25.o ipx.o ddp.o ipx.o netrom.o af.o
AFGROBJS = inet_gr.o ipx_gr.o ddp_gr.o netrom_gr.o ax25_gr.o getroute.o
AFSROBJS = inet_sr.o netrom_sr.o ipx_sr.o setroute.o
diff -N -u -r /lanhub/net-tools-1.32-alpha/lib/fddi.c net-tools-1.32-alpha/lib/fddi.c
--- /lanhub/net-tools-1.32-alpha/lib/fddi.c     Wed Dec 31 19:00:00 1969
+++ net-tools-1.32-alpha/lib/fddi.c     Tue Aug 13 10:02:39 1996
@@ -0,0 +1,144 @@
+/*
+ * lib/fddi.c  This file contains an implementation of the "FDDI"
+ *             support functions for the NET-2 base distribution.
+ *
+ * Version:    @(#)fddi.c      1.00    08/13/96
+ *
+ * Author:     Lawrence V. Stefani, <[email protected]>
+ *
+ *             This program is free software; you can redistribute it
+ *             and/or  modify it under  the terms of  the GNU General
+ *             Public  License as  published  by  the  Free  Software
+ *             Foundation;  either  version 2 of the License, or  (at
+ *             your option) any later version.
+ */
+#include "config.h"
+
+#if HAVE_HWFDDI
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <linux/netdevice.h>
+#include <linux/if_fddi.h>
+#include <linux/if_arp.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <errno.h>
+#include <ctype.h>
+#include <string.h>
+#include <unistd.h>
+#include "net-support.h"
+#include "pathnames.h"
+#define  EXTERN
+#include "net-locale.h"
+
+
+extern struct hwtype fddi_hwtype;
+
+
+/* Display an FDDI address in readable format. */
+static char *
+pr_fddi(unsigned char *ptr)
+{
+  static char buff[64];
+
+  sprintf(buff, "%02X-%02X-%02X-%02X-%02X-%02X",
+       (ptr[0] & 0377), (ptr[1] & 0377), (ptr[2] & 0377),
+       (ptr[3] & 0377), (ptr[4] & 0377), (ptr[5] & 0377)
+  );
+  return(buff);
+}
+
+
+/* Display an FDDI socket address. */
+static char *
+pr_sfddi(struct sockaddr *sap)
+{
+  static char buf[64];
+
+  if (sap->sa_family == 0xFFFF || sap->sa_family == 0)
+    return(NLS_CATBUFF (catfd, fddiSet, fddi_none, "[NONE SET]", buf, 64));
+  return(pr_fddi(sap->sa_data));
+}
+
+
+/* Input an FDDI address and convert to binary. */
+static int
+in_fddi(char *bufp, struct sockaddr *sap)
+{
+  unsigned char *ptr;
+  char c, *orig;
+  int i, val;
+
+  sap->sa_family = fddi_hwtype.type;
+  ptr = sap->sa_data;
+
+  i = 0;
+  orig = bufp;
+  while((*bufp != '\0') && (i < FDDI_K_ALEN)) {
+       val = 0;
+       c = *bufp++;
+       if (isdigit(c)) val = c - '0';
+         else if (c >= 'a' && c <= 'f') val = c - 'a' + 10;
+         else if (c >= 'A' && c <= 'F') val = c - 'A' + 10;
+         else {
+#ifdef DEBUG
+               fprintf(stderr, NLS_CATGETS(catfd, fddiSet, fddi_debug1,
+                                           "in_fddi(%s): invalid fddi address!\n"), orig);
+#endif
+               errno = EINVAL;
+               return(-1);
+       }
+       val <<= 4;
+       c = *bufp++;
+       if (isdigit(c)) val |= c - '0';
+         else if (c >= 'a' && c <= 'f') val |= c - 'a' + 10;
+         else if (c >= 'A' && c <= 'F') val |= c - 'A' + 10;
+         else {
+#ifdef DEBUG
+               fprintf(stderr, NLS_CATGETS(catfd, fddiSet, fddi_debug2,
+                                           "in_fddi(%s): invalid fddi address!\n"), orig);
+#endif
+               errno = EINVAL;
+               return(-1);
+       }
+       *ptr++ = (unsigned char) (val & 0377);
+       i++;
+
+       /* We might get a semicolon here - not required. */
+       if (*bufp == ':') {
+               if (i == FDDI_K_ALEN) {
+#ifdef DEBUG
+                       fprintf(stderr, NLS_CATGETS(catfd, fddiSet, fddi_debug3,
+                                                   "in_fddi(%s): trailing : ignored!\n"),
+                                                                       orig)
+#endif
+                                               ; /* nothing */
+               }
+               bufp++;
+       }
+  }
+
+  /* That's it.  Any trailing junk? */
+  if ((i == FDDI_K_ALEN) && (*bufp != '\0')) {
+#ifdef DEBUG
+       fprintf(stderr, NLS_CATGETS(catfd, fddiSet, fddi_debug4, "in_fddi(%s): trailing junk!\n"), orig);
+       errno = EINVAL;
+       return(-1);
+#endif
+  }
+
+#ifdef DEBUG
+  fprintf(stderr, "in_fddi(%s): %s\n", orig, pr_fddi(sap->sa_data));
+#endif
+
+  return(0);
+}
+
+
+struct hwtype fddi_hwtype = {
+  "fddi",      NULL, /*"Fiber Distributed Data Interface (FDDI)",*/            ARPHRD_FDDI,    FDDI_K_ALEN,
+  pr_fddi,     pr_sfddi,       in_fddi,        NULL
+};
+
+
+#endif /* HAVE_HWFDDI */
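Review bot: In in_fddi(), the trailing-junk check at the end sets errno = EINVAL and returns -1 only inside #ifdef DEBUG, so a non-debug build accepts an address followed by extra characters; move the errno/return pair outside the #ifdef so both builds reject it. The while loop also falls through to return(0) when the string ends before FDDI_K_ALEN octets have been read, which accepts a short address and leaves the rest of sa_data unwritten; return -1 with EINVAL when i < FDDI_K_ALEN. Smaller points: the parser accepts only ':' between octets (the comment calls it a semicolon) while pr_fddi() prints '-', so the printed form cannot be parsed back, and isdigit(c) is called on a plain char, which should be cast to unsigned char first.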
diff -N -u -r /lanhub/net-tools-1.32-alpha/lib/hw.c net-tools-1.32-alpha/lib/hw.c
--- /lanhub/net-tools-1.32-alpha/lib/hw.c       Sat Apr 13 09:56:05 1996
+++ net-tools-1.32-alpha/lib/hw.c       Tue Aug 13 18:12:15 1996
@@ -43,6 +43,7 @@
extern struct hwtype   adaptive_hwtype;

extern struct hwtype   ether_hwtype;
+extern struct hwtype   fddi_hwtype;
extern struct hwtype   tr_hwtype;

extern struct hwtype   ax25_hwtype;
@@ -70,6 +71,9 @@
#if HAVE_HWETHER
  &ether_hwtype,
#endif
+#if HAVE_HWFDDI
+  &fddi_hwtype,
+#endif
#if HAVE_HWTR
  &tr_hwtype,
#endif
@@ -111,6 +115,9 @@
  unspec_hwtype.title = NLS_CATSAVE (catfd, loopbackSet, loopback_unspec, "UNSPEC");
#if HAVE_HWETHER
  ether_hwtype.title = NLS_CATSAVE (catfd, etherSet, ether_ether, "10Mbps Ethernet");
+#endif
+#if HAVE_HWFDDI
+  fddi_hwtype.title = NLS_CATSAVE (catfd, fddiSet, fddi_fddi, "Fiber Distributed Data Interface");
#endif
#if HAVE_HWAX25
  ax25_hwtype.title = NLS_CATSAVE (catfd, ax25Set, ax25_hw, "AMPR AX.25");
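Review bot: The added fddi_hwtype.title line uses the catalog identifiers fddiSet and fddi_fddi (and lib/fddi.c uses fddi_none and fddi_debug1 to fddi_debug4), but no hunk in this patch defines them; the patch touches only config.in, lib/Makefile, lib/fddi.c and lib/hw.c. If they are not already declared alongside etherSet and ether_ether, the declarations and catalog entries need to be part of this change or a build with HAVE_HWFDDI set will not compile.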

--------------E5954DF1FA2D057627D44A82--
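
The per-octet bit reversal described in the message above for FDDI MAC addresses in rules, as an added example (not code from the post, from libpcap or from NeTraMet). The function names are hypothetical; the parser insists on exactly six octets with nothing after them, and the sample address is the one quoted in the message.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN     6
#define MAC_STR_LEN 18   /* "XX-XX-XX-XX-XX-XX" plus terminating NUL */

/* Reverse the bit order of one octet: 0x02 (0000 0010) -> 0x40 (0100 0000). */
static unsigned char reverse_bits(unsigned char b)
{
    b = (unsigned char)(((b & 0xF0) >> 4) | ((b & 0x0F) << 4)); /* swap nibbles   */
    b = (unsigned char)(((b & 0xCC) >> 2) | ((b & 0x33) << 2)); /* swap bit pairs */
    b = (unsigned char)(((b & 0xAA) >> 1) | ((b & 0x55) << 1)); /* swap neighbours */
    return b;
}

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(char c)
{
    unsigned char u = (unsigned char)c;   /* isdigit() needs an unsigned value */

    if (isdigit(u)) return u - '0';
    if (u >= 'a' && u <= 'f') return u - 'a' + 10;
    if (u >= 'A' && u <= 'F') return u - 'A' + 10;
    return -1;
}

/*
 * Parse "xx-xx-xx-xx-xx-xx" or "xx:xx:xx:xx:xx:xx".
 * Strict: exactly six octets of two hex digits, one separator between
 * octets, nothing after the last octet. Returns 0 on success, -1 otherwise.
 */
int parse_mac(const char *s, unsigned char out[MAC_LEN])
{
    int i;

    for (i = 0; i < MAC_LEN; i++) {
        int hi = hex_val(s[0]);
        int lo = (hi < 0) ? -1 : hex_val(s[1]);  /* never read past a NUL */

        if (hi < 0 || lo < 0)
            return -1;
        out[i] = (unsigned char)((hi << 4) | lo);
        s += 2;
        if (i < MAC_LEN - 1) {
            if (*s != '-' && *s != ':')
                return -1;                       /* short or malformed */
            s++;
        }
    }
    return (*s == '\0') ? 0 : -1;                /* reject trailing junk */
}

/*
 * Convert a MAC address string to its bit-reversed form (and back: the
 * operation is its own inverse). dst must hold MAC_STR_LEN bytes.
 * Returns 0 on success, -1 on bad input or a too-small buffer.
 */
int mac_bit_reverse(const char *src, char *dst, size_t dstlen)
{
    unsigned char mac[MAC_LEN];
    int i;

    if (dstlen < MAC_STR_LEN || parse_mac(src, mac) != 0)
        return -1;
    for (i = 0; i < MAC_LEN; i++)
        mac[i] = reverse_bits(mac[i]);
    snprintf(dst, dstlen, "%02X-%02X-%02X-%02X-%02X-%02X",
             mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
    return 0;
}

int main(void)
{
    const char *wire = "00-00-0C-07-AC-02";  /* address from the message */
    char rule[MAC_STR_LEN];

    if (mac_bit_reverse(wire, rule, sizeof rule) != 0) {
        fprintf(stderr, "bad MAC address: %s\n", wire);
        return 1;
    }
    printf("%s -> %s\n", wire, rule);
    return 0;
}
```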


From netramet-owner  Wed May  7 01:33:44 1997
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) id BAA24537 for netramet-outgoing; Wed, 7 May 1997 01:17:02 +1200 (NZST)
Received: from relay.eunet.ie (ns.isi.ie [192.111.39.1]) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) with SMTP id BAA24520 for <[email protected]>; Wed, 7 May 1997 01:16:43 +1200 (NZST)
Received: from oscar.broadcom.ie by relay.eunet.ie  with SMTP id aa25440;
         6 May 97 14:08 +0100
Received: from ccgate.broadcom.ie by broadcom.ie (5.x/SMI-SVR4)
       id AA14465; Tue, 6 May 1997 14:08:06 +0100
Received: from cc:Mail by ccgate.broadcom.ie
       id AA862952883; Tue, 06 May 97 14:07:51 GMT
Date: Tue, 06 May 97 14:07:51 GMT
From: GMonaghan <[email protected]>
Encoding: 60 Text
Message-Id: <[email protected]>
To: [email protected]
Sender: [email protected]
Precedence: bulk

    Hi,
    I'm a University student doing work placement here in Broadcom Eireann
    Research Limited. I'm currently working with NeTraMet and I have a
    problem that I hope you can help me with.

    I have written a ruleset or rather edited one of your own and I am
    unable to download it to the meter.
    I have enclosed the Rule and the resulting problem. I would be grateful
    if you could shed some light on this problem.

    The rule is trying to read the flows between two servers called
    Krusty and Lucille.


    Thanking you,
    Grace Monaghan

    #Rule set grace
    # Count IP packets between Krusty & Lucille


    SourcePeerType & 225 = IP: Pushto, ip_pkt; Null & 0 = 0: Ignore, 0;
    #
    ip_pkt:
    SourcePeerAddress & 255.255.255.255 = 192.107.110.32: Goto, s1;
    Null & 0 = 0: NoMatch, 0;


    s1:
    DestPeerAddress & 255.255.255.255 = 192.107.110.19: GotoAct g1;
    Null & 0 = 0: NoMatch, 0;
    #
    g1: FlowClass & 255=1: PushtoAct, c_pkt; #

    c_pkt:
    SourcePeerAddress & 255.255.255.255 = 0: PushpkttoAct, Next;
    DestPeerAddress & 255.255.255.255 = 0: PushpkttoAct, Next; Null & 0 =
    0: Count, 0
    #
    #
    FORMAT FlowRuleSet FlowIndex FirstTime "  "
    FlowClass "  "
    SourcePeerAddress DestPeerAddress "  "
    SourcePeerType SourcePeerAddress DestPeerAddress "  " ToOctets
    FromOctets;
    #



    Resulting error:

    NeMaC -r /netlab/rpm/ntm/examples/rule.grace krusty private
    NeMaC: NeTraMet Manager & Controller V3.3
    Using MIB file: /netlab/rpm/ntm/mib/mib.txt
    /netlab/rpm/ntm/examples/rule.grace   12: Null & 0 = 0: NoMatch, 0;
    Rule action expected !!!
    /netlab/rpm/ntm/examples/rule.grace   18: Null & 0 = 0: NoMatch, 0;
    Rule action expected !!!
    No meters to monitor !!!



From netramet-owner  Mon May 12 23:36:37 1997
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) id XAA04217 for netramet-outgoing; Mon, 12 May 1997 23:30:10 +1200 (NZST)
Received: from relay.eunet.ie (ns.isi.ie [192.111.39.1]) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) with SMTP id XAA04210 for <[email protected]>; Mon, 12 May 1997 23:30:04 +1200 (NZST)
Received: from oscar.broadcom.ie by relay.eunet.ie  with SMTP id aa26555;
         12 May 97 12:28 +0100
Received: from lucille.broadcom (lucille.broadcom.ie) by broadcom.ie (5.x/SMI-SVR4)
       id AA19445; Mon, 12 May 1997 12:28:00 +0100
Received: by lucille.broadcom (SMI-8.6/SMI-SVR4)
       id MAA01835; Mon, 12 May 1997 12:27:59 +0100
Date: Mon, 12 May 1997 12:27:59 +0100
From: Grace Monaghan <[email protected]>
Message-Id: <[email protected]>
To: [email protected]
Subject: Addresses
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Md5: 8/xu9Qsx9iOWC33h4FoSCw==
Sender: [email protected]
Precedence: bulk

Hi everyone,
This is in relation to a previous mail I have sent. I finally got the ruleset I
wrote to work. Now I've incurred a new problem: can anyone tell me why in the
flow file do the DestPeerAddress and SourcePeerAddress appear as zeros in the
file and not the given IP address in the ruleset?

Thanking you,
Grace Monaghan

Broadcom Eireann Ltd
Ireland

RULE SET:

#Rule set grace
# Count IP packets between Krusty & Lucille


SourcePeerType & 225 = IP: Pushto, ip_pkt;
Null & 0 = 0: Ignore, 0;
#
ip_pkt:
SourcePeerAddress & 255.255.255.255 = 192.107.110.32:
Goto, s1;
Null & 0 = 0: Retry, 0;


s1:
DestPeerAddress & 255.255.255.255 = 192.107.110.19:
GotoAct g1;
Null & 0 = 0: Retry, 0;
#
g1: FlowClass & 255=1: PushtoAct, c_pkt;
#

c_pkt:
SourcePeerAddress & 255.255.255.255 = 0: PushpkttoAct, Next;
DestPeerAddress & 255.255.255.255 = 0: CountPkt,0;
Null & 0 = 0: Count, 0
#
#
FORMAT FlowRuleSet FlowIndex FirstTime "  "
  FlowClass "  "
  SourcePeerAddress DestPeerAddress "  "
  SourcePeerType SourcePeerAddress DestPeerAddress "  "
  ToOctets FromOctets;
#

RESULTING FLOW DATA FILE:

##NeTraMet v3.4:   -c15 -r /netlab/rpm/ntm/examples/rules.other  lucille le0
3000 flows  starting at 14:28:32 Fri  9 May 97
#Format: flowruleset flowindex firsttime  sourcepeertype sourcepeeraddress
destpeeraddress  topdus frompdus  tooctets fromoctets
#Time: 14:28:32 Fri  9 May 97 lucille Flows from 1 to 1764
#Stats: aps=100 apb=0 mps=20000 mpb=0 lsp=0 avi=99.9 mni=96.0 fiu=2 frc=0 gci=10
rpp=0.0 tpp=0.0 cpt=1.0 tts=4096 tsu=0
1 2 21  2 0.0.0.0 0.0.0.0  14 0  5734 0
1 3 129  6 0.0.0.0 0.0.0.0  4 0  242 0
2 4 1760  2 0.0.0.0 0.0.0.0  1 0  170 0
#Time: 14:28:45 Fri  9 May 97 lucille Flows from 1763 to 3083
#Stats: aps=200 apb=0 mps=40000 mpb=0 lsp=0 avi=99.7 mni=98.3 fiu=4 frc=0 gci=10
rpp=0.0 tpp=0.0 cpt=1.0 tts=4096 tsu=2
2 4 1760  2 0.0.0.0 0.0.0.0  19 0  14606 0
2 5 2132  6 0.0.0.0 0.0.0.0  6 0  380 0
#Time: 14:29:00 Fri  9 May 97 lucille Flows from 3082 to 4502
#Stats: aps=191 apb=0 mps=40000 mpb=0 lsp=0 avi=99.7 mni=98.1 fiu=4 frc=0 gci=10
rpp=0.0 tpp=0.0 cpt=1.0 tts=4096 tsu=2
2 4 1760  2 0.0.0.0 0.0.0.0  34 0  21786 0
2 5 2132  6 0.0.0.0 0.0.0.0  12 0  852 0
#Time: 14:29:15 Fri  9 May 97 lucille Flows from 4501 to 6021
#Stats: aps=146 apb=0 mps=20000 mpb=0 lsp=0 avi=100.0 mni=100.0 fiu=4 frc=0
gci=10 rpp=0.0 tpp=0.0 cpt=1.0 tts=4096 tsu=2
2 4 1760  2 0.0.0.0 0.0.0.0  48 0  26489 0
2 5 2132  6 0.0.0.0 0.0.0.0  17 0  1228 0


From netramet-owner  Wed May 21 02:49:19 1997
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) id CAA03929 for netramet-outgoing; Wed, 21 May 1997 02:40:37 +1200 (NZST)
Received: from office.actsofia.com ([195.138.128.158]) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) with SMTP id CAA03921 for <[email protected]>; Wed, 21 May 1997 02:40:21 +1200 (NZST)
From: [email protected]
Received: by office.actsofia.com (SMI-8.6/SMI-SVR4)
       id RAA18022; Tue, 20 May 1997 17:38:41 +0300
Date: Tue, 20 May 1997 17:38:41 +0300
Message-Id: <[email protected]>
To: [email protected]
Sender: [email protected]
Precedence: bulk

Hello,

I work in a small Bulgarian computer firm. I am a novice with NeTraMet.
I have worked with it for 1 week. Two or three days ago I downloaded
the newest version (v3.4) and read some of the letters in the mailing list. In letter
9703 I found the source for nm2web and a different version of nm_rc.
I compiled these sources successfully on my Solaris 2.5.1 with gcc.
When I type following:
> nm_rc -c 10 -r rules.gateway <xxx.xxx.xxx.xxx> manage | nm2web LAB sun
in directory ./nemac I find two new files: current_trace.sun and
nemac.sun.shtml.
I'd like to know what current_trace.sun means and in which way I can
use it in my web server?

I use NeTraMet 3.4 on SPARC with 64MB RAM and Solaris 2.5.1.

Thanks in advance for any help and suggestions!

                                                       Andrew


From netramet-owner  Wed May 21 18:41:34 1997
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) id SAA21367 for netramet-outgoing; Wed, 21 May 1997 18:37:45 +1200 (NZST)
Received: from nc3a.nato.int ([192.41.140.225]) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) with SMTP id SAA21357 for <[email protected]>; Wed, 21 May 1997 18:37:39 +1200 (NZST)
Received: from compc12.nc3a.nato.int by nc3a.nato.int with SMTP id AA07151
 (5.67b/IDA-1.5 for <[email protected]>); Wed, 21 May 1997 08:30:19 +0200
Message-Id: <[email protected]>
X-Sender: [email protected]
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 21 May 1997 08:36:32 +0100
To: [email protected]
From: Marc van Selm <[email protected]>
Subject: Re:  (nm2web and how does it work)
Cc: [email protected]
Sender: [email protected]
Precedence: bulk

At 05:38 PM 5/20/97 +0300, you wrote:

.. deleted ...

>                                                           In letter
>9703 I found source for nm2web and different version for nm_rc.
>I compiled these sources successfully on my Solaris 2.5.1 with gcc.
>When I type following:
>> nm_rc -c 10 -r rules.gateway <xxx.xxx.xxx.xxx> manage | nm2web LAB sun
>in directory ./nemac I find two new files: current_trace.sun and
>nemac.sun.shtml.
>I'd like to know what current_trace.sun means and in which way I can
>use it in my web server?

nm2web and the other version of nm_rc are unofficial publications of mine, in
the hope that someone can use them, and are not supported by Nevil Brownlee at
the moment. nm_rc is modified so it flushes the buffer to the standard
output after each page. nm2web formats the standard input to an html-table.


This is how it works:

current_trace.sun is a formatted copy of what nm_rc displays on the screen and
will be used as an include for nemac.sun.shtml.

nemac.sun.shtml is a server parsed html-file. Your www-server needs to
support this (Apache and NCSA, for example, support it). So what you should do
is link the directory, where these 2 files are saved, to your www
file-structure. Access the file nemac.sun.shtml from your browser. The
server now automatically includes the file current_trace.sun. This
Meta-include approach increases the flexibility a bit...

>I use NeTraMet 3.4 on SPARC with 64MB RAM and Solaris 2.5.1.
Should do the trick nicely...

Hope this helps, Marc
---------------------------------------------------------------------
Marc van Selm
NATO C3 Agency
Communication Systems Division, A-Branch
E-Mail: [email protected]
---------------------------------------------------------------------
Private: [email protected], [email protected], http://www.cistron.nl/~selm


From netramet-owner  Thu May 22 17:56:41 1997
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) id RAA27042 for netramet-outgoing; Thu, 22 May 1997 17:52:01 +1200 (NZST)
Received: from ccu1.auckland.ac.nz ([email protected] [130.216.3.1]) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) with ESMTP id RAA27030 for <[email protected]>; Thu, 22 May 1997 17:51:58 +1200 (NZST)
Received: (from nevil@localhost)
       by ccu1.auckland.ac.nz (8.8.5/8.8.5) id RAA03441
       for netramet@auckland; Thu, 22 May 1997 17:51:57 +1200 (NZT)
From: Nevil Brownlee <[email protected]>
Message-Id: <[email protected]>
Subject: NeTraMet 4.1 beta available ...
To: [email protected]
Date: Thu, 22 May 1997 17:51:57 +1200 (NZT)
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Precedence: bulk

Hello all:

The 4.1 version of NeTraMet is now in its 'late beta' stages.
If you are interested, you can download it from
ftp://ftp.auckland.ac.nz/pub/iawg/NeTraMet/beta-versions

Right now there is no documentation (I'm working on that).
However, at this stage it looks very nearly the same as version 3.4.

Cheers, Nevil

+-----------------------------------------------------------------------+
| Nevil Brownlee                       Director, Technology Development |
| Phone: +64 9 373 7599 x8941          ITSS, The University of Auckland |
|   FAX: +64 9 373 7425        Private Bag 92019, Auckland, New Zealand |
+-----------------------------------------------------------------------C

Release notes:

FROM doc/NeTraMet/version.history ...

v4.1b4 22 May 97  SNMPv2, 32-bit PC meter
                       * NeTraMet and its manager/readers (NeMaC,
                         nm_rc, nm_st and nifty) all use SNMPv2
                         instead of SNMPv1.  They now implement the
                         Meter MIB of RFC2064 (and the newer RTFM
                         Internet Draft which updates it).

                         The most significant effects of this are:
                           v4 meters can run multiple rulesets
                              simultaneously, and
                           64-bit counters are used for packet
                              and byte counters.

                       * v4 managers will work properly with v3
                         meters.  v3 managers, however, will NOT
                         work with v4 meters.  To change to using
                         v4 you should change your managers first,
                         then your meters.

                       * There are two changes to flow data file
                         formats:
                           Dates now use four digits for the year
                             (1997 instead of 97)
                           The integer values used for PeerTypes
                             have changed.  You should not be
                             affected by this unless you have
                             analysis applications which use
                             PeerTypes to distinguish flows.

                       * The 32-bit version of the PC meter uses
                         all available memory.  16 MB of memory should
                         allow it to handle a table of 100,000 flows
                         or more.

                         The readme.txt file in the ntm41-b4.zip
                         file gives detailed setup instructions.

                       * New options in Meters (PC and Unix):

                         -m pp  specifies the IP port number to
                                use for SNMP.  Default is 161

                         -l     specifies that meter should use
                                the length field from IP headers
                                for the number of bytes in IP
                                packets.  Default is to use the
                                MAC (hardware) packet size.

>From pc/readme.txt ..

              Using the PC NeTraMet Meter

            Version 4.1 Beta 4, Thu 22 May 97

                    Nevil Brownlee
              ITSS Technology Development
               The University of Auckland

                [email protected]


The ntm41-b4.zip file contains most - if not all - of the
files you need to set up and run the 16- and 32-bit version
of the PC NeTraMet meter.


Hardware requirements

The 16-bit meter will run on a 386 with 640 kB of memory.
The 32-bit meter requires at least a 386 with 4 MB of memory.

If you are buying a new PC for use as a meter, I suggest a
minimum of a 75 MHz Pentium with 8 MB of memory.  You should
use the 32-bit meter rather than the 16-bit one.


Installation Instructions

1) Format a high-density floppy disk as a system (bootable) disk.

2) Unzip this file with the -d option onto the floppy disk; this
  will create directories called WINDOWS, DRIVERS and NETRAMET.

3) Edit the wattcp.cfg file so as to set the IP address, netmask
  and gateway addresses, and the domain name to those which are
  correct for your meter.

4) Edit the pd.bat file so that it is correct for the ethernet
  card(s) you are using.  The DRIVERS directory contains packet
  drivers for NE2000, SMC_WD and 3C509 cards; these have been
  modified so as to support NeTraMet's 'high-performance packet
  driver' option.  If you are using any other kind of ethernet
  card you'll have to copy a packet driver for it into this
  directory.

  NeTraMet can handle up to 4 ethernet cards.  You'll need a
  line for each card in the pd.bat file, with different software
  interrupts for each.  I find interrupts 120, 121, 122 and 123
  (decimal) work properly.

  Note that the 32-bit version requires the packet driver(s) to
  be loaded in low memory.  Loadhigh will NOT work!

  Details of the '4 ethernet' option are given in the
  version.history file (in the doc/NeTraMet directory of the
  NeTraMet distribution).

5) If you will be using the 32-bit NeTraMet, you will need to
  copy two files from your meter PC's WINDOWS directory into
  the WINDOWS directory of the floppy.  The files are
  HIMEM.SYS and EMM386.EXE.  They are required to support the
  32-bit environment for NeTraMet.

  If you will be using the 16-bit NeTraMet, you should comment
  out the lines in config.sys which refer to the WINDOWS files.

6) In the NETRAMET directory, edit the acct.bat file so as to
  specify the startup parameters.  For example

     ntm32  -f80000  -w write-com  -r read-com

  Simplest case.  Uses 32-bit meter on a single interface, with
  write community 'write-com' and read community 'read-com.'
  The maximum number of flows in the meter will be 80000.
  NB: you should NOT leave the read community as 'public' !

     ntm16  -h120 -h121 -I122  -w write-com  -r read-com

  Uses 16-bit meter to measure flows on high-performance ethernets
  using interrupts 120 and 121, while using ethernet 122 for IP
  communications with the meter.  No metering is performed on
  interface 122.  The default number of flows on the 16-bit meter
  is 2000.


From netramet-owner  Mon May 26 12:45:05 1997
Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) id MAA05220 for netramet-outgoing; Mon, 26 May 1997 12:41:01 +1200 (NZST)
Received: from n.browlee5.itss.auckland.ac.nz (n.brownlee5.itss.auckland.ac.nz [130.216.4.79]) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) with SMTP id MAA05186; Mon, 26 May 1997 12:40:51 +1200 (NZST)
From: Nevil Brownlee <[email protected]>
Reply-To: Nevil Brownlee <[email protected]>
To: Grace Monaghan <[email protected]>
cc: [email protected]
Subject: Re: Addresses
In-Reply-To: <[email protected]>
Message-ID: <[email protected]>
Date: Tue, 27 May 1997 00:44:08 +1200 (New Zealand Standard Time)
Priority: NORMAL
X-Mailer: Simeon for Win32 Version 4.1 Build (3)
X-Authentication: none
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: [email protected]
Precedence: bulk


Hello Grace:

I've at last had a moment to try your rule set, and see why it didn't
seem to get the peer addresses of the hosts you are interested in.

What's missing is a SET statement ahead of the rules.  The SET keyword
tells NeMaC / nm_rc / nifty that a rule set follows, and gives it a name
(for v3 meters this was the rule set number).  With no SET statement
NeMaC ignores the rules, and uses whatever ruleset is running on the
meter.

I'm working on the 4.1 version of NeMaC / nm_rc / nifty; I guess it
would help to display a message saying 'no ruleset in rule file!'

Cheers, Nevil

+---------------------------------------------------------------------+
| Nevil Brownlee                     Director, Technology Development |
| Phone: +64 9 373 7599 x8941        ITSS, The University of Auckland |
|   FAX: +64 9 373 7425      Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------P